Antivirus software Avast harvested user data, then sold it to Google and others

Avast antivirus software is on a lot of computers out there in the wild, and a new investigation uncovers a less-than-great track record with user data.

The investigation was put together by Vice and PC Mag, and it shows that a lucrative market exists out there to sell off user data to large third-party companies that include not only Google, but also Microsoft and Intuit. There are over 435 million users taking advantage of the tools that Avast has on offer for Macs, Windows PCs, and even mobile devices.

The investigation shows that Avast has been harvesting user data and then using a subsidiary called Jumpshot to sell it off. This is all based on leaked documentation that shows contracts, user data, and more. As for the information collected, it includes GPS coordinates from Google Maps, YouTube video listings, data from LinkedIn pages, location searches, and even Google searches.

The data obtained by Motherboard and PCMag includes Google searches, lookups of locations and GPS coordinates on Google Maps, people visiting companies’ LinkedIn pages, particular YouTube videos, and people visiting porn websites. It is possible to determine from the collected data what date and time the anonymized user visited YouPorn and PornHub, and in some cases what search term they entered into the porn site and which specific video they watched.

It all breaks down into packages being sold off by Jumpshot. According to the company, Jumpshot says it has data from 100 million devices. The investigation revealed that Jumpshot repackages that user data it collected from Avast and puts it together with even more data in other packages, lumping it all together. Clients can apparently pay “millions of dollars” for an “All Clicks Feed” option, which will track a user’s behavior across the internet.

Up until very recently, the data was being harvested by Avast’s web browser plug-in. Back in October it was reported that this was happening, and, as a result, Google, Mozilla, and Opera all removed the plug-in option from their browsers.

Avast stopped using the plug-in to collect data. However, it hasn’t stopped harvesting data from users. It’s just using the antivirus software itself to collect that data now. Part of that comes from the free option, which Avast says it notifies users of the free tier to let them collect user data.

However, the data collection is ongoing, the source and documents indicate. Instead of harvesting information through software attached to the browser, Avast is doing it through the anti-virus software itself. Last week, months after it was spotted using its browser extensions to send data to Jumpshot, Avast began asking its existing free antivirus consumers to opt-in to data collection, according to an internal document.

“If they opt-in, that device becomes part of the Jumpshot Panel and all browser-based internet activity will be reported to Jumpshot,” an internal product handbook reads. “What URLs did these devices visit, in what order and when?” it adds, summarising what questions the product may be able to answer.

Buying user data is a lucrative business. Which makes sense, considering how many companies want it, and the lengths to which they are willing to go to get it. For example, the investigation revealed that one company paid more than $2 million for access to user data in 2019. That resulted in data from 14 continents around the world, which included up to 20 domains.

Here, check out a marketing video for Jumpshot:

Microsoft declined to comment on the specifics of why it purchased products from Jumpshot, but said that it doesn’t have a current relationship with the company. A Yelp spokesperson wrote in an email, “In 2018, as part of a request for information by antitrust authorities, Yelp’s policy team was asked to estimate the impact of Google’s anticompetitive behavior on the local search marketplace. Jumpshot was engaged on a one-time basis to generate a report of anonymized, high-level trend data which validated other estimates of Google’s siphoning of traffic from the web. No PII was requested or accessed.”

In potentially good news, not every company is ready to jump onto the Jumpshot bandwagon. Southwest Airlines, for instance, had a conversation with Jumpshot but it did not follow through with using its services.

For Avast, it says as part of the investigation that it does not include the name, or the email address, or even contact details in the data it does harvest. It also says that it allows the users of its free software to opt-out of the data collection if they want. As of July 2019 there is an explicit opt-in option.

The full investigation is absolutely worth the read, so go check it out.

What do you make of all this? Where do you stand with data collection/harvesting? Let us know in the comments.