Avast framed itself as a data privacy champion - it failed customers, and now it's paid the price
Avast offered users a host of tools to protect their privacy rights while selling data to more than 100 third-party clients
Avast was a brand name that became synonymous with data privacy in recent years, but that’s all come crashing down in one fell swoop.
Billing itself as a champion for users, the company offered a range of products, from antivirus software to Chrome extensions and various other tools aimed at boosting privacy, keeping snooping brands at bay online, and protecting from a growing array of cyber security threats.
It was a position - and product portfolio - that naturally resonated with consumers and businesses alike amidst an increasingly privacy-conscious age. But beneath the seemingly impeccable veneer, the company was secretly selling off user data to the highest bidder.
Between 2014 to 2020, Avast was hoovering up user browser information and selling it to upwards of 100 companies through a subsidiary firm known as Jumpshot, which Avast acquired in 2014 and has since shuttered.
Details on the relationship between Avast and Jumpshot appear to have been relatively unknown to customers throughout this period. It wasn’t until 2020 that reports from Motherboard found clients had been purchasing data from the firm.
These included major household brands including Google, Microsoft, Pepsi, McKinsey, and US retail giant Home Depot.
Documents obtained by Motherboard, for example, found that third parties could buy data pertaining to Google Maps queries and social media page searches on LinkedIn. Sources told the publication that the information sold to these parties was “very granular” and represented a treasure trove of data.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
This campaign of selling user data has since landed Avast in hot water with US regulators. An investigation by the Federal Trade Commission (FTC) recently ordered the firm to pay $16.5 million to redress consumers impacted by the data sharing practices.
The FTC also ruled that Avast will be prohibited from selling future browsing data, and from here onward will be required to obtain express consent on data gathering.
A key talking point in this investigation, and one that alarmed regulators, is that both Avast and the now-shuttered Jumpshot claimed all data had identifying information removed. The regulator ruled this was “not sufficient”.
Jumpshot framed its products as being able to offer “unique insights” into user browsing behaviors, providing clients with device identifiers for specific browsers based on ‘feeds’.
This included an ‘All Clicks Feed’, 'Search Plus Click Feed’, and a ‘Transaction Feed’.
Clients, the FTC found, flocked to these, purchasing specific feeds and using this to collate with their own internal datasets to gain a detailed understanding of customer purchasing behavior and preferences.
Avast tried to quell Jumpshot data selling fears
The FTC’s investigation into the matter uncovered a concerning lack of transparency on the extent of the relationship between Avast and Jumpshot. Investigators found that Avast actively downplayed its involvement with Jumpshot through its own official web forums, for example.
The firm repeatedly insisted that Jumpshot only used non-aggregated data and that it told users during the installation of products and purchase of services that it conducted data collection to “better understand new and interesting trends”.
Lesley Fair, senior attorney for the FTC, described Avast’s practices as “alarming”, noting that the company’s claims for its software and browser extensions essentially amounted to nothing more than “attention-getters”.
“All companies must honor their privacy promises, but that holds especially true for businesses that pitch their products as a way for consumers to protect their privacy,” Fair wrote in a blog post.
“There aren’t enough r’s in “Arrrrrrrgghh” to convey the FTC’s concern about a company that advertises its products as a means for people to maintain their privacy online, and then double-crosses them by selling their highly personal browsing information.
“The irony – and injury – in this case is alarming and the FTC will give no quarter when businesses lie to consumers about how their personal information will be protected.”
Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.