Science

Popular anti-virus company revealed to be selling web history, porn searches, and location of users


Popular anti-virus company Avast has been selling user data that includes specific web browsing history to major companies around the world. 

According to a joint investigation by Motherboard and PCMag, Avast, which claims to have more than 435 million users, has been using a subsidiary called Jumpshot to sell user data to companies including Google, Microsoft, Home Depot, Pepsi and more.

Documents and leaked user data obtained in the investigation reveal that information collected by Avast include details that most consider to be sensitive, such as web browsing history, and that some of that data is granular enough to track individual clicks on a web page.  

In addition to search histories, location histories, and which videos a user watched on YouTube, documents show that Avast tracked visits to porn sites like PornHub or YouPorn and in some cases logged the time a user visited the site and which specific video they watched and queries they entered.

Though the data is reportedly not personally-identifiable, meaning it’s not accompanied by a name or other identifier, experts interviewed by Motherboard say the level of detail tracked by Avast may undermine its anonymitiy. 

Antivirus company Avast and its subsidiary Jumpshot funnel data to companies around the world including Microsoft, Google and more

Antivirus company Avast and its subsidiary Jumpshot funnel data to companies around the world including Microsoft, Google and more

WHICH COMPANIES BOUGHT AVAST’S DATA? 

Companies that bought Avast’s user data include:

Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Condé Nast, Intuit, Trip Advisor, and  many more. 

Many of those companies chose not to respond to inquiries about what they did with Avast data. 

‘De-identification has shown to be a very failure-prone process. There are so many ways it can go wrong,’ Günes Acar, who studies large-scale internet tracking at the Computer Security and Industrial Cryptography research group at the Department of Electrical Engineering of the Katholieke Universiteit Leuven told Motherboard.

‘Most of the threats posed by de-anonymization—where you are identifying people—comes from the ability to merge the information with other data. 

Acar tells Motherboard that with the specificity of timestamp data and other points, identities can feasibly be reconstructed. 

Depending on the specificity of that data, Avast would adjust its pricing and packages, selling more granular information for millions of dollars.  

Comprehensive packages purchased by a New York-based media company called Ominicom total upwards of $4.5 million and in Jumpshot’s own words, give access to ‘Every search. Every click. Every buy. On every site.’

That package gave Omincom access to data of users from 14 different countries and some personal data like gender which is inferred based on browsing data.

While Jumpshot says it ‘hashes’ – encrypts – device IDs of its users, it also said that those IDs never change, meaning they’re permanently linked to a user’s information, making it more likely to identify a subject.

Just what each company used the data for varied, according to Motherboard.

Home Depot, one of a handful of companies to respond to inquiries about Avast’s services told Motherboard:

‘We sometimes use information from third-party providers to help improve our business, products and services. We require these providers to have the appropriate rights to share this information with us. In this case, we receive anonymized audience data, which cannot be used to identify individual customers.’

Microsoft didn’t elaborate on what it used data for but reportedly has no ongoing relation with Avast while Yelp says it used Avast data to help it in an antitrust suit with Google.

‘In 2018, as part of a request for information by antitrust authorities, Yelp’s policy team was asked to estimate the impact of Google’s anticompetitive behavior on the local search marketplace. Jumpshot was engaged on a one-time basis to generate a report of anonymized, high-level trend data which validated other estimates of Google’s siphoning of traffic from the web. No PII was requested or accessed,’ a Yelp spokesperson told Motherboard.

Avast and its subsidiary Jumpshot have been selling user data from its antivirus software and web browser plugins to companies around the world (Stock photo)

Avast and its subsidiary Jumpshot have been selling user data from its antivirus software and web browser plugins to companies around the world (Stock photo)

Until recently, data was reportedly being collected by anyone who downloaded a plugin in their web browser before the extensions were removed from the stores of Google and Mozilla. 

Now, Motherboard reports that Avast has turned to its actual antivirus software to achieve the same end where it asks customers to opt-in to their data collection program through what the outlet describes as a ‘pop-up.’ 

‘We ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details. Users have always had the ability to opt out of sharing data with Jumpshot,’ a spokesperson told MailOnline. 

‘As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020.’

Despite a tweak in its policies that asks for permission to track web data, some users say they were unaware that Avast had ever engaged in the practice (Stock photo)

Despite a tweak in its policies that asks for permission to track web data, some users say they were unaware that Avast had ever engaged in the practice (Stock photo)

Despite their new policy on informing users, customers interviewed by Motherboard say they were unaware that Avast was intent on tracking their data.

This is not the first time that Avast has faced scrutiny for its practices. In December, Senator Ron Wyden called upon the company for greater transparency after it stopped collecting data via its web browsing plugin.

‘It is encouraging that Avast has ended some of its most troubling practices after engaging constructively with my office. However I’m concerned that Avast has not yet committed to deleting user data that was collected and shared without the opt-in consent of its users, or to end the sale of sensitive internet browsing data,’ Wyden said at the time.

‘The only responsible course of action is to be fully transparent with customers going forward, and to purge data that was collected under suspect conditions in the past.’



READ SOURCE

Leave a Reply

This website uses cookies. By continuing to use this site, you accept our use of cookies.