A prominent antivirus software provider is selling the highly personal data of hundreds of millions of its users to some of the largest companies in the world, according to a new report.
The joint investigation by Motherboard and PCMag draws on leaked user data, contracts and other internal company documents to reveal that Avast, a Czech Republic-based antivirus software company with more than 435 million monthly active users, is selling the web browsing data of its users to companies including Google, Home Depot, Microsoft and McKinsey.
This is being done through Jumpshot, a subsidiary of Avast that repackages the data provided to it by the antivirus software and sells it to its clients in the form of various products.
The subsidiary has boasted of being able to provide “Every search. Every click. Every buy. On every site” and is believed to sell some of its products for millions of dollars.
Avast offers a free antivirus product used by millions around the world.
The data being harvested by Avast includes Google searches, location and GPS searches on Google Maps, pages visited on LinkedIn, YouTube searches and searches on porn websites, according to the report.
The data being sold doesn’t include personal information like names, but experts have said that the highly personal browsing data could be de-anonymised to identify individuals.
Jumpshot claims to be the “only company that unlocks walled garden data” and that it can “provide marketers with deeper visibility into the entire online customer journey”.
Until recently, the data was being collected through the Avast browser plugin, which warns users when they visit a suspicious website.
After security researchers revealed this last year, the practice ceased, according to Avast.
Now the company is hoovering up the personal data through its actual antivirus software, the report found.
Users are now confronted with a pop-up when using the software asking them to opt in to having their data collected.
“If they opt-in, that device becomes part of the Jumpshot Panel and all browser-based internet activity will be reported to Jumpshot,” a Jumpshot internal handbook reads.
“What URLs did these devices visit, in what order and when.”
But several users interviewed as part of the report said they had no idea what sort of data was being collected or for what purpose, or that it was being sold to other companies.
“It’s very granular, and it’s great data for these companies, because it’s down to the device level with a timestamp,” one source told the reporters.
Through Jumpshot, Avast is selling a number of different products made up of the personal data of its users.
These include one specifically for the finance sector which offers a list of the top 10,000 domains that users are visiting, with the purpose of identifying trends.
Another, dubbed the All Clicks Feed, allows clients to buy all the click information Avast has for a specific web domain.
According to the report, a New York-based marketing firm purchased this service for $US2 million.
“The advantage of purchasing an All Clicks Feed is that if you are curious about the frequency of events that Jumpshot does not discover patterns for within our standard products, or you simply need a deeper understanding of activity on a domain without any filtering,” the Jumpshot documents said.
In a statement, Avast said it only collected the data with the consent of users, and that the data is thoroughly de-identified.
“Because of our approach, we ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details, from people using our popular free antivirus software,” the company said.
“Users have always had the ability to opt out of sharing data with Jumpshot. We have a long track record of protecting users’ device and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data.
“As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020.”
The new pop-up message has begun appearing for users around the world.
“If you allow it, we’ll provide our subsidiary Jumpshot Inc with a stripped and de-identified data set derived from your browsing history for the purpose of enabling Jumpshot to analyse markets and business trends and gather other valuable insights,” it reads.
“This data is fully de-identified and aggregated and cannot be used to personally identify or target you.
“Jumpshot may share aggregated insights with its customers.”