The data privacy hits just keep coming.
PCMag and Vice’s Motherboard reported today on a joint investigation which found that Avast’s free antivirus software – installed on “hundreds of millions” of computers worldwide – has in fact been harvesting user data, compiling it, and selling it to large-scale marketers.
From Motherboard:
The documents, from a subsidiary of the antivirus giant Avast called Jumpshot, shine new light on the secretive sale and supply chain of peoples’ internet browsing histories. They show that the Avast antivirus program installed on a person’s computer collects data, and that Jumpshot repackages it into various different products that are then sold to many of the largest companies in the world. Some past, present, and potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Condé Nast, Intuit, and many others. Some clients paid millions of dollars for products that include a so-called “All Clicks Feed,” which can track user behavior, clicks, and movement across websites in highly precise detail.
Avast claims to have more than 435 million active users per month, and Jumpshot says it has data from 100 million devices. Avast collects data from users that opt-in and then provides that to Jumpshot, but multiple Avast users told Motherboard they were not aware Avast sold browsing data, raising questions about how informed that consent is.
A wise approach dictates that the company should be innocent until proven guilty but that’s difficult when the company selling the data proudly proclaims claims to be “the only company that unlocks walled garden data” and seeks to “provide marketers with deeper visibility into the entire online customer journey.”
This one feels a little different from most of the other data harvesting stories we’ve seen because the harvesting itself was done by a company selling online security. To wit, this tweet from last month, Jumpshot noted that it collects “Every search. Every click. Every buy. On every site“.
Btw – the bold emphasis is Jumpshot’s.
Doesn’t sound much like online security.
For its part, Avast says it is only selling anonymized data and not any personally identifying information (PII). But that’s a little disingenuous considering how easy it is to triangulate with other available data and de-anonymize identities.
Photo by Daan Mooij on Unsplash.
