Avast Unit Stops Collecting User Data After Privacy Complaints

Company to close data-selling subsidiary, but experts say users of antivirus software could still be at risk

January 30, 2020

Avast's data analytics unit has stopped collecting information about people using the company's free antivirus software following revelations that the data was sold to companies such as Google, Home Depot, Microsoft, and Pepsi.

In a Thursday blog post, Avast CEO Ondrej Vlcek said the unit, known as Jumpshot, will immediately stop collecting data and begin to wind down operations.

Privacy and security experts said the move is a step in the right direction, but noted that Avast is still allowing third parties to collect user data for use in targeted advertisements.

They're also concerned that the data sent to Jumpshot wasn’t properly stripped of personal identifiers, which could put the digital privacy of users at risk, even allowing hackers to target them.

In the blog post, Vlcek apologized, saying he realized the Jumpshot revelations, which stemmed from stories originally published by Motherboard and PCMag, has “hurt the feelings” of many users.

“Protecting people is Avast’s top priority and must be embedded in everything we do in our business and in our products,” Vlcek said. “Anything to the contrary is unacceptable.”

Avast's antivirus software is used by more than 400 million people around the world, the company says. And, according to Consumer Reports testers, it ranks among the best free security software options available to PC and Mac owners. The same goes for Avast’s AVG-branded software.

But according to the original Motherboard and PCMag reporting, Avast’s antivirus software appears to track users' clicks and movements across the web, collecting data on things like Google searches and visits to LinkedIn pages, YouTube videos, and pornography websites.

After being “de-identified,” meaning information like name and email address is removed, the data reportedly was repackaged and sold by Jumpshot.

CR privacy researcher Bill Fitzgerald said that while the shutdown of Jumpshot is “generally positive,” it’s not clear what measures, if any, were put in place to prevent the data from being re-identified—by Jumpshot or clients that acquired data from Jumpshot. Avast’s own consent policy says data was shared with a common internal identifier, which could make it easier for Jumpshot and others to re-identify it.

Richard Henderson, head of global threat intelligence for the cybersecurity firm Lastine, said de-anonymization is a real concern.

“With enough data from differing sources, eventually no data can be truly anonymous,” he said. “I don’t think anyone thinks Avast’s intentions were nefarious or malicious, but they really shouldn’t have chosen this path.”

Fitzgerald said Avast’s consent policy spells out a range of additional third parties—including companies such as Amazon, Facebook, and Twitter—that use personal data for targeted ads.

In a statement, Avast acknowledged that its free mobile antivirus software serves ads that are powered by partners like Google and others. But it said Avast’s data has never been used in the targeting of those ads.

In Fitzgerald's view, it's hard to accept a statement like that, given the many ways the data could be de-anonymized.

Members of the digital security community said there also needs to be an accounting of where the data shared with Jumpshot went.

Doug Britton, chief technology officer for the malware protection company RunSafe, said it’s not uncommon for hackers working for foreign governments or criminal enterprises to buy data from such companies, de-identify it, then use it to target individuals.

“The lay person doesn’t have to worry that the Chinese government is going to steal secrets from them, but they may have $10,000 or $20,000 in a bank account,” Britton said, pointing out that money can be a tempting target for hackers like those, too.

If other antivirus companies are collecting user data for sale, Henderson said, we need to know.

“They need to fess up, delete all the data they collected,” he explained. “And come clean about who has been purchasing that data.”