Two browsers have yanked Avast and AVG online security extensions from their web stores after a report revealed that they were unnecessarily sucking up a ton of data about users’ browsing history.
Wladimir Palant, the creator behind yanked the extensions from their stores. However, as of Wednesday, the extensions curiously remained in Google’s extensions store.
Using dev tools to examine network traffic, Palant was able to determine that the extensions were collecting an alarming amount of data about users’ browsing history and activity, including URLs, where you navigated from, whether the page was visited in the past, the version of browser you’re using, country code, and, if the Avast Antivirus is installed, the OS version of your device, among other data. Palant argued the data collection far exceeded what was necessary for the extensions to perform their basic jobs.
At the time of Palant’s original post, the company’s privacy policy appeared to include language around this data collection that has now seemingly disappeared from the text. However, according to a version of the page archived in the Wayback Machine on November 4, that language read:
We may collect information about the computer or device you are using, our products and services running on it, and, depending on the type of device it is, what operating systems you are using, device settings, application identifiers (AI), hardware identifiers or universally unique identifiers (UUID), software identifiers, IP Address, location data, cookie IDs, and crash data (through the use of either our own analytical tools or tolls provided by third parties, such as Crashlytics or Firebase). Device and network data is connected to the installation GUID.
We collect device and network data from all users. We collect and retain only the data we need to provide functionality, monitor product and service performance, conduct research, diagnose and repair crashes, detect bugs, and fix vulnerabilities in security or operations (in other words, fulfil [sic] our contract with you to provision the service).
While the company admitted to collecting this data in this iteration of its privacy policy, it did not specify for how long it was stored in either version. A spokesperson for Avast did not respond to a request for comment about how long the company hangs on to user data that it collected, or why the language in its privacy policy has been changed. Either way, as Palant noted, “Spying on your users is clearly a violation of the terms that both Google and Mozilla make extension developers sign.” Mozilla said as much when reached for comment.
“When Mozilla becomes aware of issues that make extensions non-compliant with its add-on policies, it may remove them from addons.mozilla.org,” a spokesperson told Gizmodo by email.
Opera didn’t immediately return our request for comment but told Palant the extensions had been removed from its own store. It’s unclear why they remained up in Google’s Chrome extension store as of Wednesday evening, and a spokesperson for Google didn’t immediately respond to a request for comment.
For its part, a spokesperson for Avast told Gizmodo that the company is “working with Mozilla to resolve this issue.”
“We have offered our Avast Online Security and SafePrice browser extensions for many years through the Mozilla store,” the spokesperson said. “Mozilla has recently updated its store policy and we are liaising with them in order to make the necessary adjustments to our extensions to align with new requirements. We have already implemented some of Mozilla’s new requirements and will release further updated versions that are fully compliant in the next few days.”
The spokesperson told Gizmodo by email that it’s “necessary for this service to collect the URL history to deliver its expected functionality,” but that doesn’t cut to the core of why the company at any point collected, for example, location data.
What is clear, however, is that even though there are agreements in place to prevent spyware or otherwise bad extensions from making their way to Chrome or Firefox stores, those safeguards occasionally fail. Ultimately, the responsibility often falls to individual users to keep their data safe.