It is revealed that a popular antivirus company is selling web history, pornography searches and user location
The popular antivirus company Avast has been selling user data that includes specific web browsing history to major companies around the world.
According to a joint investigation of Motherboard and PCMag, Avast, which claims to have more than 435 million users, has been using a subsidiary called Jumpshot to sell user data to companies such as Google, Microsoft, Home Depot, Pepsi and more.
The documents and leaked user data obtained in the investigation reveal that the information collected by Avast includes details that most consider confidential, such as web browsing history, and that some of that data is granular enough to track individual clicks. On a website.
In addition to the search histories, location histories and videos that a user saw on YouTube, the documents show that Avast tracked visits to porn sites such as PornHub or YouPorn and, in some cases, recorded the time when A user visited the site and what specific video he saw and queries they entered.
Although, according to reports, the data is not personally identifiable, which means they are not accompanied by a name or other identifier, experts interviewed by Motherboard say that the level of detail tracked by Avast can undermine their anonymity.
The antivirus company Avast and its subsidiary Jumpshot channel data to companies around the world, including Microsoft, Google and more.
WHAT COMPANIES PURCHASED AVAST DATA?
Companies that bought Avast user data include:
Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Condé Nast, Intuit, Trip Advisor and many more.
Many of these companies chose not to answer questions about what they did with Avast data.
‘Disidentification has proven to be a process very prone to failures. There are many ways in which it can go wrong, ” Günes Acar, who studies large-scale Internet monitoring in the Computer Security and Industrial Cryptography research group in the Department of Electrical Engineering at Katholieke Universiteit Leuven, told Motherboard.
‘Most of the threats posed by anonymization, in which people are identified, come from the ability to merge information with other data.
Acar tells Motherboard that with the specificity of time stamp data and other points, identities can be reconstructed in a feasible way.
Depending on the specificity of that data, Avast would adjust its prices and packages, selling more granular information for millions of dollars.
Comprehensive packages purchased by a New York-based media company called Ominicom total more than $ 4.5 million and in Jumpshot’s own words, give access to ‘Every search. Every click Every purchase On every site.
That package gave Omincom access to user data from 14 different countries and some personal data such as gender, which is inferred based on browsing data.
While Jumpshot says that it ‘encodes’ (encrypts) the identifications of its users’ devices, it also said that those identifications never change, which means that they are permanently linked to a user’s information, which makes it more likely to identify a subject.
Just what each company used the data for varied, according to Motherboard.
Home Depot, one of the few companies that answered questions about Avast services, told Motherboard:
‘Sometimes we use information from external suppliers to help improve our business, products and services. We require that these providers have the appropriate rights to share this information with us. In this case, we receive anonymous data from the audience, which cannot be used to identify individual clients. “
Microsoft did not give more details on what it used the data for, but reportedly does not have a continuous relationship with Avast, while Yelp says it used Avast data to help it in an antitrust lawsuit with Google.
‘In 2018, as part of a request for information from the antitrust authorities, the Yelp policy team was asked to estimate the impact of Google’s anti-competitive behavior on the local search market. Jumpshot participated once only to generate a high-level anonymous trend data report that validated other estimates of Google’s traffic diversion from the web. PII was not requested or accessed, ” a Yelp spokesperson told Motherboard.
Avast and its subsidiary Jumpshot have been selling user data of their antivirus software and web browser add-ons to companies around the world (File photo)
Until recently, someone who was downloading a plug-in in their web browser had reportedly collected data before the extensions were removed from the Google and Mozilla stores.
Now, Motherboard reports that Avast has turned to its real antivirus software to achieve the same purpose in which it asks customers to opt for its data collection program through what the store describes as a “pop-up window.”
‘We ensure that Jumpshot does not acquire personally identifiable information, such as name, email address or contact information. Users have always had the possibility of not sharing data with Jumpshot, ” a spokesman told MailOnline.
‘As of July 2019, we had already begun to implement an explicit acceptance option for all new downloads of our AV, and now we are also asking our existing free users to make an acceptance or exclusion choice, a process that is will complete in February 2020. ‘
Despite an adjustment in their policies that ask permission to track web data, some users say they did not know that Avast had participated in the practice (File photo)
Despite its new policy of informing users, customers interviewed by Motherboard say they did not know that Avast intended to track their data.
This is not the first time Avast faces scrutiny of his practices. In December, Senator Ron Wyden asked the company for greater transparency after it stopped collecting data through its web browsing add-on.
‘It is encouraging that Avast has finished some of its most problematic practices after constructively engaging with my office. However, I am concerned that Avast has not yet committed to deleting the data of users that were collected and shared without the consent of its users, or to end the sale of confidential Internet browsing data, “Wyden said at the time. .
“The only course of responsible action is to be fully transparent with customers in the future and to purge data that was collected under suspicious conditions in the past.”