In a shocking revelation by a report from Motherboard in collaboration with PCMag, it is known that Avast is collecting users’ browsing history and selling it to third-party companies for millions of dollars.
Avast claims that the data has been ‘de-identified,’ meaning that the personal information of users has been obliterated before handing over the data to advertisers and other companies. However, the research says that this ‘de-identified’ data can be linked to individual users with the tools available with the companies to whom the data is being sold.
Jumpshot, an Avast division responsible for selling data, accesses user data from Avast Antivirus’ free browser extension. According to the report, Jumpshot has access to data from over 100 million devices, including PCs and mobile devices.
Avast Knows What You Click Upon At What Time
The severity of data collection from Avast is problematic as the trove of information provided to advertisers contains individual clicks of users and browsing session timestamps down to milliseconds. Additionally, the data also has a unique identifier called device ID.
The data of a single click by a user looks something like this:
For a normal user, it is almost impossible to pin this data to an individual, but if this data is sold to Amazon, you can guess that they can easily figure that a user purchased an Apple iPad Pro 10.5 2017 model on 2019/12/01 at 12:03:05 and find out the exact user who bought it by combining it with their database.
Once Amazon identifies the Device ID, they can use it to find out the shopping history of the user from other e-platforms.
Avast’s “All Clicks Feed” Data
Researchers from Motherboard and PCMag found out that Jumpshot offers a variety of products for data collection purposes, but one product specifically caught their eye. Jumpshot’s one product dubbed “All Clicks Feed” collects every click from users who have installed Avast browser extension and sells it to a marketing company called Omnicom Media Group.
Usually, Jumpshot sells the data obtained from All Clicks Feed without a device ID to ensure that data cannot be tagged to individual users. Still, Jumpshot’s contract with Omnicom reveals that the data also contains device IDs linked to each click.
The joint research also found out that Jumpshot also signed a contract with an Omnicom subsidiary called Annalect for All Clicks Feed data from 14 markets, including the US, the UK, and India. The contract spans over 3 years, and Jumpshot earns $6.5 million from it.
What makes this interesting is the fact that Annalect offers technology solutions to companies that allows them to collate data from their customers and third-party sources.
Google, Microsoft & IBM Buy Avast’s Data
The list of clients mentioned on Jumpshot’s website includes high-profile names like Google, Microsoft, and IBM. We all know that if such granular data falls in the hands of these giants, it can be used to track our digital footprints effortlessly.
When questioned by PCMag and Motherboard, Avast responded by saying that it has, now, stopped collecting data from its browser extensions for selling purposes. However, Avast’s AVG Antivirus has a Web Shield component that scans the URLs you visit for potential malware, and this data could be used for ill-intended purposes.
After this report, we’re not sure whether users should trust Avast for ‘protection’ as Avast Antivirus protection sounds like an oxymoron now.