Avast was a brand that became synonymous with data privacy in recent years, but all of that collapsed in one fell swoop.
The company, which presents itself as a user advocate, offered a range of products, from antivirus software to Chrome extensions and various other tools aimed at increasing privacy, keeping online spy brands at bay, and protecting against a growing variety of cybersecurity threats.
It was a position (and product portfolio) that naturally resonated with both consumers and businesses amid an increasingly privacy-conscious era. But beneath the seemingly flawless veneer, the company was secretly selling user data to the highest bidder.
Between 2014 and 2020, Avast was amassing users' browser data and selling it to more than 100 companies through a subsidiary known as Jumpshot, which Avast acquired in 2014 and has since closed.
Details about the relationship between Avast and Jumpshot appear to have been relatively unknown to customers during this period. It was not until 2020 that reports of Motherboard discovered that customers had been purchasing data from the company.
These included major household brands including Google, Microsoft, Pepsi, McKinsey and US retail giant Home Depot.
Documents obtained by Vice, for example, found that third parties could buy data related to Google Maps queries and searches on social media pages on LinkedIn. Sources told the publication that the information sold to these parties was “very granular” and represented a trove of data.
This user data sales campaign has since put Avast in trouble with US regulators. A Federal Trade Commission (FTC) investigation recently ordered the company to pay $16.5 million to compensate consumers affected by data-sharing practices.
The FTC also ruled that Avast will be prohibited from selling browsing data in the future and must now obtain express consent for data collection.
A key talking point in this investigation, and one that alarmed regulators, is that both Avast and the now-closed Jumpshot claimed that identifying information had been removed from all data. The regulator ruled that this was “not sufficient.”
Jumpshot framed its products as capable of offering “unique insights” into users' browsing behaviors, providing customers with device identifiers for specific browsers based on “feeds.”
This included a 'Feed of all clicks','Find more click feed', and a'Transaction Feed'.
The FTC found that customers were flocking to these, purchasing specific feeds, and using them to cross-reference their own internal data sets to gain a detailed understanding of customer behavior and purchasing preferences.
Avast Tried to Quell Jumpshot Data Sale Fears
The FTC's investigation into the matter uncovered a troubling lack of transparency about the extent of the relationship between Avast and Jumpshot. Investigators found that Avast actively minimized its involvement in Jumpshot through its own official web forums, for example.
The company repeatedly insisted that Jumpshot only used non-aggregated data and that it told users during product installation and service purchases that it was collecting data to “better understand new and interesting trends.”
Lesley Fair, lead attorney for the FTC, described Avast's practices as “alarming,” noting that the company's claims for its software and browser extensions were essentially nothing more than “attention-grabbing.”
“All companies must keep their privacy promises, but that's especially true for companies that present their products as a way for consumers to protect their privacy,” Fair wrote in a blog post.
“There aren't enough R's in”Arrrrrrrgghh” to convey the FTC's concern about a company that advertises its products as a means for people to maintain their privacy online and then betrays them by selling their highly personal browsing information.
“The irony – and harm – in this case is alarming, and the FTC will show no quarter when companies lie to consumers about how their personal information will be protected.”