Avast’s Free Antivirus Harvests All Your Clicks, Sells Them to Third-Parties

Avast’s Free Antivirus Harvests All Your Clicks, Sells Them to Third-Parties

As we’ve learned time and time again, “free” things on the internet are almost never truly free. If you’re not paying with money, you’re probably paying with your data. That’s the case with the free antivirus products from Avast, which harvest browsing history for sale to major corporations. Despite claims that its data is fully anonymized, an investigation by our sister site PCMag and Motherboard shows how easy it is to unmask individual users.

Avast, which offers antivirus products under its own brand as well as AVG, has traditionally gotten high marks for its malware blocking prowess. When setting up the company’s free AV suite, users are asked to opt into data collection. Many do so after being assured all the data is anonymized and aggregated to protect their identities. However, Avast is collecting much more granular data than anyone expected, and that puts your privacy at risk.

Avast markets user data through its Jumpshot subsidiary, which has relationships with firms like Google, Pepsi, Microsoft, and Home Depot. PCMag and Motherboard managed to gain access to internal documents and a sample of data from Jumpshot, and they found Avast is tracking user clicks down to the second. Here’s an example of Jumpshot’s data format.

Device ID: abc123x Date: 2019/12/01 Hour Minute Second: 12:03:05 Domain: Amazon.com Product: Apple iPad Pro 10.5 – 2017 Model – 256GB, Rose Gold Behavior: Add to Cart

That doesn’t tell you anything about the person behind the clicks — unless you’re Amazon. With access to Amazon data, you could simply look for users who executed the same click or series of clicks, and now you have a name associated with the device ID. Suddenly, Avast’s data contains a full record of that user’s internet usage. Other companies can do the same by matching anonymized clicks in Avast data with their own records.

Jumpshot offers various products to customers, some of which only include a fraction of the data it collects. For example, one product focuses on searches and what the user ultimately clicked, but Jumpshot also has an “All clicks feed” that includes all its data. Jumpshot usually sells the full feed without device IDs, but it agreed to provide the data with IDs to marketing company Omnicom Media Group in late 2018. Regardless of how much data Jumpshot offers in each package, calling it anonymized is extremely misleading. Once that data is in the wild, you can’t know for sure where it will end up.

Avast recently removed the user tracking features from its Chrome extensions, but the standalone desktop programs continue to collect every click. For this reason, PCMag no longer recommends Avast Antivirus.

Continue reading

Microsoft Adds One-Click Default Browser Change to Windows 11
Microsoft Adds One-Click Default Browser Change to Windows 11

Microsoft has seen the light and delivered a simple change everyone has been asking for since Windows 11's launch.

Google Promises to Tackle Clickbait With Search Algorithm Update
Google Promises to Tackle Clickbait With Search Algorithm Update

In the next big search algorithm update, which will roll out in the coming days, Google says it's going after clickbait.

Click-Fraud Chrome Extensions Removed from Store After 500,000 Downloads
Click-Fraud Chrome Extensions Removed from Store After 500,000 Downloads

Researchers from security firm ICEBRG report finding a cluster of scam extensions in the Google Web Store with a combined download figure of more than 500,000.

Hands on With AirMagic, a One-Click Fix for Your Drone Photos
Hands on With AirMagic, a One-Click Fix for Your Drone Photos

Drone photography is really fun, but shooting images usually requires post-processing for best results. Skylum is aiming to change that with AirMagic. We go hands on to see how well it works.