Among the various products and services out there, we often find social media companies in trouble for collecting our data beyond necessity. However, recently we’ve come to find that the products supposed to protect us – anti-virus software – are also doing the very same.
In this specific case, it was Avast & AVG Security whose two browser extensions each have been found spying on users, namely Avast Online Security, Avast Safeprice, AVG Online Security and AVG SafePrice.
This astonishing revelation came when cybersecurity researcher Wladimir Palant who is also the creator of the Adblock Plus extension published a blog post on 28 October detailing how Avast’s Online Security extension was collecting data about the websites one was visiting allowing them to build up records of your browsing history and behavior.
Since Avast acquired its arch-rival AVG not so long ago for $1.3 Billion, the latter also had identical extensions conveniently doing the same. In fact, we also saw a connection being drawn between one of Avast’s child company, Jumpstart and the data Avast collects from its extensions. Thomas Brewster from Forbes published an article on 9 December elaborating on this stating:
“Avast users have their Web activity harvested by the company’s browser extensions. But before it lands on Avast servers, the data is stripped of anything that might expose an individual’s identity, such as a name in the URL, as when a Facebook user is logged in. All that data is analyzed by Jumpshot, a company that’s 65%-owned by Avast, before being sold on as “insights” to customers.”
With this, on 2nd December, Wladimir reported this scenario to both Mozilla & Google. As a result, Mozilla immediately disabled all extension listings but did not blacklist them stating that they were talking to Avast about this.
Then on 4th December, Wladimir also made a report to Opera receiving a response 16 hours later stating that they had also unpublished the extensions.
Google, on the other hand, didn’t respond though but on 18th December – 16 days later – they finally removed three of these extensions leaving AVG’s online security extension which is still doing fine on their web store.
What this entire episode teaches us is to start believing in the classical old adage of “trusting no one,” not even your friendly neighborhood Avast. Perhaps, we could be kinder if their CEO Ondrej Vlcek didn’t downplay the threat here by terming it as harmless since all the data is anonymized.
We need companies to start accepting responsibility for their actions and conforming to the number of consent users have actually given consciously, not those shrouded under TOS agreements.