That free antivirus program you got from Avast did in fact come with a price, and that price may have been your online privacy.
It’s International Data Security Day, and while that’s less inherently appealing than, say, International Talk Like A Pirate Day or Talk In An Elevator Day, it’s arguably more important in a world where so much of our data is stored and collected online.
Which is why it’s particularly notable – and worrying – that antivirus maker Avast is reportedly busy snaffling up user data to sell to the highest bidder. That’s pretty much the definition of your data not in fact being secure.
As per a joint investigation from Vice and PCMag, Avast subsidiary Jumpshot has been collecting data on a opt-in basis that it then makes available to third parties interested in data tracking.
We’re not talking some obscure companies you’ve never heard of either; Jumpshot’s customers have reportedly included the likes of Google, Yelp and Microsoft. Vice’s report suggests that Jumpshot’s sales models include paying millions for data that harvests down to “every click” a user makes.
The documents, from a subsidiary of the antivirus giant Avast called Jumpshot, shine new light on the secretive sale and supply chain of peoples’ internet browsing histories. They show that the Avast antivirus program installed on a person’s computer collects data, and that Jumpshot repackages it into various different products that are then sold to many of the largest companies in the world. Some past, present, and potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Condé Nast, Intuit, and many others.
While the data on sale is technically anonymous, given it includes details like visits to company LinkedIn pages, YouTube pages, porn sites and Google Maps GPS coordinates, there’s a lot of scope there to pretty easily identify a user and indeed collect more information about them than they may be comfortable with.
Up until at least the middle of last year, Avast’s data collecting was largely via its browser plugin which was pitched to consumers as a way to flag dangerous sites, until Google, Mozilla and Opera explicitly removed those extensions from their online stores. Vice’s source suggests that Avast/Jumpshot has simply moved to other methods of data tracking instead.
Avast’s position is that all user data is collected on an opt-in basis, but many users will most likely have blithely clicked through those kinds of agreements. If nothing else on International Data Security Day, it’s a timely reminder that you should definitely pay much more attention to what you’re agreeing to with every pop-up, contract and EULA.