A subsidiary of antivirus developer Avast sold every search term. Every click. Every purchase. From every site. Among its clients were Google, Microsoft, Pepsi and others.
This episode took place a year ago. Following an investigation, Avast stated that it would stop collecting data for Jumpshot and stop all transactions with it as a matter of urgency. We have translated this exciting story in its entirety and invite you to read and draw your own conclusions.
Used by millions of people around the world, Avast antivirus sells sensitive data of its users to large companies, a joint investigation by Motherboard and PCMag found. Leaked internal documents prove trading in highly sensitive data, including users’ browser history.
Documents from an Avast subsidiary called Jumpshot shed light on the secret trade and supply chains of users’ browser histories. They show that once Avast is installed on a computer, it starts collecting data and transfers it to Jumpshot, after which the data is sold to many global companies such as Google, Yelp, Microsoft, McKinsey, Pepsi, Home Depot, Condé Nast, Intuit and others. Some of these companies pay millions of dollars to receive data about every click you make, which allows them to analyze your online behavior.
Avast has a user base of approximately 435 million users and 100 million devices. They all accepted a user agreement allowing data collection, but some of the users told Motherboard and PCMag that they didn’t know what data was being collected, or that it was being collected at all. The question arises: how well informed were the users?
What kind of data are we talking about? Google searches, website navigation, GPS coordinates from Google Maps, visits to LinkedIn, YouTube and porn sites. Although this data does not contain any names, users can be easily identified from it.
Jumpshot claimed in July that it was disclosing the data to give marketers a deeper understanding of the online marketplace. Jumpshot has previously publicly listed some of its clients as Expedia, IBM, Intuit, TurboTax, Loreal and Home Depot. Employees were advised not to speak publicly about Jumpshot’s relationship with these companies.
Until recently, Avast collected data using a browser extension that was created to restrict access to malicious websites. Cybersecurity researcher and creator of Adblock Plus, Wladimir Palant, published a blog post about this. A little later, Mozilla, Opera and Google Chrome removed this extension from their browsers. Avast previously explained this data collection and sharing in a blog and forum in 2015. Since then, Avast has promised to stop sending browsing data collected by these extensions to Jumpshot, the company said in a statement to Motherboard and PCMag.
However, data collection continued. Where Avast used to do this through a browser extension, it has now begun to do it through its antivirus.
Motherboard and PCMag contacted more than two dozen companies mentioned in internal documents. Few responded to questions about what they do with data based on the search history of Avast users.
“Sometimes we use information from third party vendors to improve our business, products and services. We require that these providers have the appropriate rights to share this information with us. In this case, we receive anonymous user data that cannot be used to identify individual customers,” a Home Depot spokesperson wrote in an emailed statement.
Microsoft declined to comment on the specifics of why it purchased data from Jumpshot, but said it currently has no relationship with the company. Southwest Airlines said it had discussed the possibility of working with Jumpshot, but the companies did not reach an agreement. IBM said it wasn’t a customer, and Altria said it didn’t work with Jumpshot either, although it didn’t specify if it had previously. Sephora has stated that it does not work with Jumpshot. Google never responded to the request.
On its website and in press releases, Jumpshot names Pepsi and consulting giants Bain & Company and McKinsey as clients. It also lists some examples of the use of web browsing history data. Publisher and digital media giant Condé Nast, for example, used Jumpshot’s products to see if the company’s advertising resulted in more sales on Amazon and elsewhere.
All Clicks Feed
That’s not all: there was another Jumpshot product called All Clicks Feed. It allows you to buy information about all the clicks that Jumpshot registered on a specific domain, such as Amazon.com, Walmart.com, Target.com, BestBuy.com or Ebay.com.
Jumpshot data could show how someone with Avast installed on their computer searched Google for a product, clicked on a link to Amazon, then possibly added the item to their shopping cart on some other website before making a purchase.
According to a copy of the Jumpshot contract, one of the companies that bought All Clicks Feed is New York-based marketing firm Omnicom Media Group. Jumpshot gave Omnicom access to all clicks from users in 14 different countries, including the US, England, Canada, Australia and New Zealand. The data also included the users’ estimated gender, their estimated age, and a "full URL string," but with personal information removed, the contract says.
According to the contract with Omnicom, each user’s "device ID" is hashed, meaning the company buying the data is not supposed to be able to identify who exactly is behind each view. Instead, Jumpshot products should help companies find out which products are particularly popular or how effective their advertising campaign is.
But Jumpshot data may not be completely anonymous. The internal product guide states that device IDs do not change per user unless the user completely uninstalls and reinstalls the security software. Numerous articles and academic studies have shown how a person’s identity can be recovered from supposedly anonymous data. This was confirmed by New York Times reporters in 2006, and by researchers from Stanford University in 2017.
Deanonymization becomes a much bigger problem when you consider that the end users of Jumpshot data can combine it with their own data.
“Most of the threats posed by deanonymization come from the ability to combine information with other data.”
A millisecond-accurate timestamp could allow a company with its own customer database to see one user visit their own site and then follow them through other sites using Jumpshot.
“It’s almost impossible to depersonalize the data,” said Eric Goldman, a professor at Santa Clara University School of Law.
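The linkage risk described above can be measured before a data set is shared. The following is an added example, not code from Avast, Jumpshot or the original article; it assumes SHA-256 as the hash (the page does not name one) and uses constructed device IDs, account names and URLs.

```python
import hashlib
from collections import defaultdict

DAY_MS, HOUR_MS = 86_400_000, 3_600_000

# Constructed sample clickstream: (device_id, timestamp_ms, url). Not real records.
RAW_EVENTS = [
    ("dev-A", 1577872800123, "https://shop.example/cart"),
    ("dev-A", 1577872860456, "https://maps.example/?q=40.7,-74.0"),
    ("dev-A", 1577959200789, "https://video.example/watch?v=1"),
    ("dev-B", 1577872800999, "https://shop.example/cart"),
    ("dev-B", 1577959300111, "https://news.example/"),
]
# Constructed first-party log: visits a data recipient already ties to accounts.
FIRST_PARTY = [("alice", 1577872800123), ("bob", 1577872800999)]

def export(events, salt_for, bucket_ms=1):
    """Pseudonymise device IDs (SHA-256, an assumption) and coarsen timestamps."""
    rows = []
    for dev, ts, url in events:
        pid = hashlib.sha256((salt_for(ts) + dev).encode()).hexdigest()[:12]
        rows.append((pid, ts - ts % bucket_ms, url))
    return rows

def linkable_accounts(rows, first_party, bucket_ms=1):
    """Map each account to a pseudonym when its visit time matches exactly one."""
    by_ts = defaultdict(set)
    for pid, ts, _ in rows:
        by_ts[ts].add(pid)
    linked = {}
    for account, ts in first_party:
        pids = by_ts.get(ts - ts % bucket_ms, set())
        if len(pids) == 1:  # unique match: the pseudonym now has a name
            linked[account] = next(iter(pids))
    return linked

def exposed_rows(rows, linked):
    """Count rows attributable to a named account once pseudonyms are linked."""
    return sum(1 for pid, _, _ in rows if pid in set(linked.values()))

def audit(salt_for, bucket_ms):
    """Return (accounts linked, rows exposed) for one export configuration."""
    rows = export(RAW_EVENTS, salt_for, bucket_ms)
    linked = linkable_accounts(rows, FIRST_PARTY, bucket_ms)
    return len(linked), exposed_rows(rows, linked)

# Static hash + millisecond timestamps, as the article describes the feed.
print("as described:", audit(lambda ts: "", 1))
# Mitigation sketch: day-derived salt (a real pipeline would use a secret
# per-day key) and hourly timestamps; helps only when devices share a bucket.
print("hardened:    ", audit(lambda ts: str(ts // DAY_MS), HOUR_MS))
```

With a static hash, one timestamp match exposes every row the device ever produced; rotating the salt limits the exposure to one day, and coarsening the timestamps removes the unique match in this sample.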
Journalists from Motherboard and PCMag asked Avast a series of detailed questions about how it protects user anonymity, as well as details of some of the company’s contracts. Avast did not respond to most questions, but wrote in a statement: “Through our approach, we ensure that Jumpshot does not receive any identifying information, including name, email addresses or contact details, from people using our popular free antivirus software.”
“We have extensive experience in protecting users’ devices and data from malware, and we understand and take seriously the responsibility of balancing user privacy with the necessary use of data,” the statement said.
The company also said it complies with the California Consumer Privacy Act (CCPA) and the European General Data Protection Regulation (GDPR) for its entire user base.
When the PCMag editor first installed the Avast antivirus product, the program actually asked if they wanted to take part in the data collection.
“If you give permission, we will provide our subsidiary Jumpshot Inc. with a collection of de-identified data obtained from your browsing history in order to allow Jumpshot to analyze markets and business trends and collect other valuable information,” the pop-up read. However, the pop-up window did not say anything about how Jumpshot then uses this data.
Update: Official response from Avast