Avast’s Free Antivirus Harvests All Your Clicks, Sells Them to Third-Parties

As we’ve learned time and time again, “free” things on the internet are almost never truly free. If you’re not paying with money, you’re probably paying with your data. That’s the case with the free antivirus products from Avast, which harvest browsing history for sale to major corporations. Despite claims that its data is fully anonymized, an investigation by our sister site PCMag and Motherboard shows how easy it is to unmask individual users.

Avast, which offers antivirus products under its own brand as well as AVG, has traditionally gotten high marks for its malware blocking prowess. When setting up the company’s free AV suite, users are asked to opt into data collection. Many do so after being assured all the data is anonymized and aggregated to protect their identities. However, Avast is collecting much more granular data than anyone expected, and that puts your privacy at risk.

Avast markets user data through its Jumpshot subsidiary, which has relationships with firms like Google, Pepsi, Microsoft, and Home Depot. PCMag and Motherboard managed to gain access to internal documents and a sample of data from Jumpshot, and they found Avast is tracking user clicks down to the second. Here’s an example of Jumpshot’s data format.

Device ID: abc123x
Date: 2019/12/01
Hour Minute Second: 12:03:05
Domain: Amazon.com
Product: Apple iPad Pro 10.5 – 2017 Model – 256GB, Rose Gold
Behavior: Add to Cart

That doesn’t tell you anything about the person behind the clicks — unless you’re Amazon. With access to Amazon data, you could simply look for users who executed the same click or series of clicks, and now you have a name associated with the device ID. Suddenly, Avast’s data contains a full record of that user’s internet usage. Other companies can do the same by matching anonymized clicks in Avast data with their own records.
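How exposed a feed in this format is can be measured before it is released. The audit below is an added example, not code from the article, Avast or Jumpshot; the rows, the `news.example` and `bank.example` domains and the function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample rows in the field layout quoted above (not real Jumpshot data).
# (device_id, timestamp, domain, product, behavior)
FEED = [
    ("abc123x", "2019/12/01 12:03:05", "Amazon.com", "Apple iPad Pro 10.5", "Add to Cart"),
    ("abc123x", "2019/12/01 12:09:30", "news.example", "", "Page View"),
    ("abc123x", "2019/12/01 12:15:02", "bank.example", "", "Page View"),
    ("def456y", "2019/12/01 12:03:48", "Amazon.com", "Apple iPad Pro 10.5", "Add to Cart"),
    ("def456y", "2019/12/01 12:20:11", "news.example", "", "Page View"),
    ("ghi789z", "2019/12/01 12:44:19", "Amazon.com", "Apple iPad Pro 10.5", "Add to Cart"),
]

# strftime patterns that truncate the timestamp to a coarser resolution.
RESOLUTION = {"second": "%Y/%m/%d %H:%M:%S", "minute": "%Y/%m/%d %H:%M", "hour": "%Y/%m/%d %H"}

def event_key(row, resolution):
    """Everything in a row except the device ID, with the time truncated."""
    _, ts, domain, product, behavior = row
    when = datetime.strptime(ts, "%Y/%m/%d %H:%M:%S").strftime(RESOLUTION[resolution])
    return (when, domain, product, behavior)

def exposure(feed, domain, resolution):
    """Map each device that has a unique event on `domain` to its record count.

    A unique event is one no other device shares at this time resolution, so
    whoever operates `domain` can tie it to one account, and with it every
    other row carrying the same device ID.
    """
    devices_by_key = defaultdict(set)
    for row in feed:
        if row[2] == domain:
            devices_by_key[event_key(row, resolution)].add(row[0])
    singled_out = {next(iter(d)) for d in devices_by_key.values() if len(d) == 1}
    return {dev: sum(1 for r in feed if r[0] == dev) for dev in singled_out}

if __name__ == "__main__":
    for res in RESOLUTION:
        print(res, exposure(FEED, "Amazon.com", res))
```

Coarser timestamps only reduce single-event uniqueness in this sample; a series of clicks, as the paragraph above notes, can still single a device out.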

Jumpshot offers various products to customers, some of which only include a fraction of the data it collects. For example, one product focuses on searches and what the user ultimately clicked, but Jumpshot also has an “All clicks feed” that includes all its data. Jumpshot usually sells the full feed without device IDs, but it agreed to provide the data with IDs to marketing company Omnicom Media Group in late 2018. Regardless of how much data Jumpshot offers in each package, calling it anonymized is extremely misleading. Once that data is in the wild, you can’t know for sure where it will end up.

Avast recently removed the user tracking features from its Chrome extensions, but the standalone desktop programs continue to collect every click. For this reason, PCMag no longer recommends Avast Antivirus.
