Just over 1 month ago, Avast received considerable backlash over its Chrome extensions collecting browsing data of its users on the pretext of all of it being deidentified. While common wisdom would suggest learning from this experience and ceasing all such similar activities, the anti-virus maker couldn’t care less. Instead of using only browser extensions, the company ramped up data harvesting through the anti-virus application itself.
Recently, fresh revelations have come to light due to a joint investigation conducted by Motherboard and PCMag in which they have obtained internal documents from one of Avast’s subsidiary – Jumpshot – that gives us an insight into the entire scheme.
Firstly, the software collects all of your browsing data which is then accessed by Jumpshot. The latter in return takes it and uses it as a part of what makes up its product offerings. An example is of its “All Clicks Feed” which lets companies access your behavior on the internet and any clicks you make on any particular range of domains.
What’s not surprising is that these companies comprise of household names including but not limited to IBM, Yelp, Microsoft, Google, Unilever & TripAdvisor. Some of these companies have responded to the recent updates while some have remained silent.
An example of a record obtained:
Device ID: abc123x Date: 2019/12/01 Hour Minute Second: 12:03:05 Domain: Amazon.com Product: Apple iPad Pro 10.5 – 2017 Model – 256GB, Rose Gold Behavior: Add to Cart.
One company that we have a deeper insight into is Omnicom Media Group, a marketing group based in New York who purchased data last year under the aforementioned product and another one named “Insight Feed” for a hefty sum of $2,075,000. For 2020 and 2021, the amount is $2,225,000 and $2,275,000, known to us by leaked copies of their contract.
Secondly, for clients in the financial sector, Avast has a product where it offers them the top 10,000 domains for access in terms of activity helping them identify trends and other information that can be useful in predicting markets.
Why is Avast doing all of this despite the huge risks?
The firm claims that it anonymizes all the data by stripping any publicly identifiable information (PII) such as your name & email address before handing it over to any third party. This is supposed to protect user privacy in ideal circumstances.
However, multiple investigations over the years have shown that even so-called anonymized data can be reverse engineered to de-anonymise it. For example, in 2006, the New York Times identified a person who had been given a random search number amongst the 20 million search queries that AOL released for the public to see.
A practical example specific to Avast’s case is well summed up by Joseph Cox from Vice who states how
“A set of Jumpshot data obtained by Motherboard and PCMag shows how each visited URL comes with a precise timestamp down to the millisecond, which could allow a company with its own bank of customer data to see one user visiting their own site, and then follow them across other sites in the Jumpshot data.”
Secondly, with Avast having over 435 million users and Jumpshot claiming to get data from 100 million devices, the former has been pushing forward the idea of it sharing all user data with their consent. This was seen recently in a statement obtained by Motherboard in which Avast said that,
“Users have always had the ability to opt-out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an explicit choice, a process that will be completed in February 2020.”
Yet, this only applies to a certain extent. True! There is an opt-in that asks for your permission but according to Motherboard, when they asked certain Avast users of their browsing data being sold, they claimed that they did not know so raising eyebrows on “how informed that consent is.”
To conclude, we do hope though with Avast’s newly released statements on improving user consent processes, things change and it becomes much more informed. Furthermore, eyes will be set on how they deal with the de-anonymizing problem because this will directly measure how serious the company is about the people it claims to protect. Nonetheless, they can rest assured that their market share is going down for sure and that too – fast.