Avast’s Free Antivirus Harvests All Your Clicks, Sells Them to Third-Parties

As we’ve learned time and time again, “free” things on the internet are almost never truly free. If you’re not paying with money, you’re probably paying with your data. That’s the case with the free antivirus products from Avast, which harvest browsing history for sale to major corporations. Despite claims that its data is fully anonymized, an investigation by our sister site PCMag and Motherboard shows how easy it is to unmask individual users.

Avast, which offers antivirus products under its own brand as well as AVG, has traditionally gotten high marks for its malware blocking prowess. When setting up the company’s free AV suite, users are asked to opt into data collection. Many do so after being assured all the data is anonymized and aggregated to protect their identities. However, Avast is collecting much more granular data than anyone expected, and that puts your privacy at risk.

Avast markets user data through its Jumpshot subsidiary, which has relationships with firms like Google, Pepsi, Microsoft, and Home Depot. PCMag and Motherboard managed to gain access to internal documents and a sample of data from Jumpshot, and they found Avast is tracking user clicks down to the second. Here’s an example of Jumpshot’s data format.

Device ID: abc123x Date: 2019/12/01 Hour Minute Second: 12:03:05 Domain: Amazon.com Product: Apple iPad Pro 10.5 – 2017 Model – 256GB, Rose Gold Behavior: Add to Cart

That doesn’t tell you anything about the person behind the clicks — unless you’re Amazon. With access to Amazon data, you could simply look for users who executed the same click or series of clicks, and now you have a name associated with the device ID. Suddenly, Avast’s data contains a full record of that user’s internet usage. Other companies can do the same by matching anonymized clicks in Avast data with their own records.

Jumpshot offers various products to customers, some of which only include a fraction of the data it collects. For example, one product focuses on searches and what the user ultimately clicked, but Jumpshot also has an “All clicks feed” that includes all its data. Jumpshot usually sells the full feed without device IDs, but it agreed to provide the data with IDs to marketing company Omnicom Media Group in late 2018. Regardless of how much data Jumpshot offers in each package, calling it anonymized is extremely misleading. Once that data is in the wild, you can’t know for sure where it will end up.

Avast recently removed the user tracking features from its Chrome extensions, but the standalone desktop programs continue to collect every click. For this reason, PCMag no longer recommends Avast Antivirus.

Continue reading

Scientists Confirm the Presence of Water on the Moon

Scientists have confirmed the discovery of molecular water on the moon. Is there any of it in a form we can use? That's less clear.

Review: The Oculus Quest 2 Could Be the Tipping Point for VR Mass Adoption

The Oculus Quest 2 is now available, and it's an improvement over the original in every way that matters. And yet, it's $100 less expensive than the last release. Having spent some time with the Quest 2, I believe we might look back on it as the headset that finally made VR accessible to mainstream consumers.

SpaceX Launches ‘Better Than Nothing’ Starlink Beta

Those lucky few who have gotten invitations to try the service will have to pay a hefty up-front cost, and the speeds aren't amazing. Still, it's a new generation of satellite internet.

Samsung, Stanford Built a 10,000 PPI Display That Could Revolutionize VR, AR

Ask anyone who has spent more than a few minutes inside a VR headset, and they'll mention the screen door effect. This could eliminate it for good.