Avast, the free antivirus collects user data and resells it. Avast spies on the sites you visit and your browsing habits, then resells everything at a high price
Avast spies on users
The famous Avast antivirus and antimalware software ended up in the eye of the hurricane: the free version rakes up user data and sells it at a high price. And users apparently don’t know.
But let’s proceed calmly and try to analyze the situation.
Avast antivirus free spies users’ browsing habits
So far nothing new: we know very well that all free software and services, precisely in exchange for their gratuity, analyze and commercially exploit our data.
It does Google, Facebook, they do thousands of other services and online tools. And of course the free antivirus Avast is no different.
The problem arises when these data, which should be analyzed, collected and resold anonymously (to protect user privacy), in reality are not (at least not completely).
How it all started
A survey conducted jointly by Motherboard and PCMag has shown how Avast operates a meticulous and detailed collection of the activities that the user performs online and then resells them, through a subsidiary, to third parties. Third parties that would then be large-scale commercial realities: Microsoft, Google, Pepsi, Intuit, Condé Nast, McKinsey just to name a few.
The investigation began after the two newspapers came into contact with a confidential document sent by Avast’s subsidiary, Jumpshot, to one of its customers.
The Avast extension for web browsers
Analyzing the problem in detail, it seems that up to a few years ago Avast collected the browsing data of users who had installed its free browser plugin designed to report any suspicious or unsafe websites.
The fact came to light when a security researcher had shown how Avast actually collected user data through that plugin.
Following those revelations Mozilla, Opera and Google have removed Avast browser extensions from their respective repositories.
Avast has told Motherboard and PCMag that it has since finished sending the data collected by these extensions to its Jumpshot subsidiary, which is precisely responsible for selling the information to its customers.
In reality, however, the problem persists.
In fact, when installing an Avast antivirus for the first time on the computer, the user is shown an authorization request on the collection of information.
Here is the message that appears when installing the free version of Avast on Windows and Mac PCs:
“If you allow us to do this, we will provide our Jumpshot subsidiary with a set of de-identified data derived from your browser history in order to allow Jumpshot to analyze market trends and other value insights. The data is fully de-identified and aggregated and cannot be used to personally identify you. Jumpshot may share this aggregate data with its customers.”
The problem, again, is that it doesn’t explain in any way how Jumpshot uses this information.
Of course, the user still has the freedom not to give his consent, but in 99% of cases the users accept the clause without even reading it (stupid them, of course) and so they find themselves being spied on by Avast without even knowing it. And without even knowing what exactly Avast collects and resells on their browsing sessions.
Avast claims to have over 435 million active users per month, while Jumpshot claims to have data from 100 million devices.
We are talking about a crazy amount of data.
What are the data collected?
As anticipated, the data collected by Avast through its antivirus are really a lot: we talk about information on GPS coordinates of Google Maps, Linkedin pages visited by users, YouYube videos, sites and pornographic content, all with very precise details on searches carried out and on the exact moment of the day with a time stamp.
These details contribute to generate strong, very strong doubts about whether the data can actually be anonymized.
The information, although lacking in details to facilitate personal identification, such as user names, according to experts can lose this veil of confidentiality if combined with other sets of information (dataset).
Here is what the data collected anonymously by Avast looks like:
To a normal user these data say nothing, but Amazon, for example, takes half a second to exactly identify the user who bought an iPad Pro 10.5 at 12:03 on January 1, 2019.
So in the end, this data is not so anonymous. Clear?
An Avast spokesperson promptly stated that Jumpshot does not collect “personally identifiable information, including name, email address or contact details.”
“Users have always had the opportunity to give up sharing data with Jumpshot. As of July 2019, we had already started implementing an explicit opt-in choice for all new downloads of our antivirus and we are now also urging our existing users to make an opt-in or opt-out choice, in a process to be completed in February 2020,” added the spokesman.
“We have long experience in protecting devices and user data from malware and we understand and take seriously the responsibility of balancing user privacy with the necessary use of data for our security products.”
What to do?
The problem is not so much that Avast does things in an unclear way, but the fact that it is not exactly clear what information is collected and how it is used.
Waiting for clarification, however, Avast users would do well to recheck the antivirus settings NOW and possibly block the possibility of collecting personal and private information.