Avast is one antivirus that has stood the test of time, and it has been free for almost a decade. It lacks advanced features but provides enough to cover individuals who don’t want to break the bank for premium antivirus software. However, it looks like there’s a reason why Avast is free, and it’s not because the company wants everyone to have access to antivirus protection.
According to a joint investigation by PCMag and Motherboard, it looks like Avast is harvesting your data to pay for their expenses and the free anti-virus software. The report relies on leaked documents that include user data, contracts, and other company documents. These documents show the sale of the highly sensitive data collected by the company. The primary data comes from Jumpshot, a subsidiary of Avast.
The system works efficiently: Avast collects the data, and Jumpshot repackages it to sell to the big names in the tech industry. Jumpshot’s client list includes Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Condé Nast, Intuit, and many others. The company provides a so-called “All Clicks Feed” package which can track behaviour, clicks and even movements across websites. This helps companies like Home Depot and Amazon learn user behaviour with extreme precision, including your shopping and browsing habits.
The data collected is so granular that clients can view the individual clicks users are making on their browsing sessions, including the time down to the millisecond. And while the collected data is never linked to a person’s name, email or IP address, each user history is nevertheless assigned to an identifier called the device ID, which will persist unless the user uninstalls the Avast antivirus product.
PCMag said the tracking covers everything from browsing to shopping. For instance, Avast could track a user browsing through Amazon and selecting a product, which that user then purchases. PCMag points out that while the data seems harmless to you and me, Amazon can use the precise time to find out which user made the purchase. This suddenly turns the anonymized data into data that can be tied to an identifiable person.
At first glance, the click looks harmless. You can’t pin it to an exact user. That is, unless you’re Amazon.com, which could easily figure out which Amazon user bought an iPad Pro at 12:03:05 on Dec. 1, 2019. Suddenly, device ID: 123abcx is a known user. And whatever else Jumpshot has on 123abcx’s activity—from other e-commerce purchases to Google searches—is no longer anonymous.
Privacy experts seem to agree that the data collected by companies like Amazon and the data collected by Jumpshot are pretty harmless when kept separate. However, things take a turn for the worse when the two data sets are combined, as companies suddenly have all the information they need to pinpoint a single user and their browsing and shopping habits.
Most of the threats posed by de-anonymization—where you are identifying people—come from the ability to merge the information with other data.
Maybe the (Jumpshot) data itself is not identifying people. Maybe it’s just a list of hashed user IDs and some URLs. But it can always be combined with other data from other marketers, other advertisers, who can basically arrive at the real identity.
– Gunes Acar, privacy researcher
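The merge described above can be checked before a click feed is released. The following is an added example, not code from Avast, Jumpshot or the article: it joins a pseudonymized feed with a retailer's order log on item and timestamp bucket and reports which device IDs resolve to exactly one account. All names and data are constructed, apart from device ID 123abcx and the 12:03:05 purchase time quoted from PCMag.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample data. Only device ID 123abcx and the 12:03:05 purchase
# time come from the article; every other value is invented for illustration.
FEED = [  # pseudonymized click feed: (device_id, item, timestamp)
    ("123abcx", "ipad-pro", "2019-12-01T12:03:05.120"),
    ("9f77q2k", "ipad-pro", "2019-12-01T17:41:52.003"),
    ("123abcx", "search:knee pain", "2019-12-01T12:10:44.870"),
]
ORDERS = [  # retailer's own order log: (account, item, timestamp)
    ("alice@example.test", "ipad-pro", "2019-12-01T12:03:05.431"),
    ("bob@example.test", "ipad-pro", "2019-12-01T17:41:52.500"),
]

def _key(item, ts, bucket_s):
    """Quasi-identifier: the item plus the timestamp rounded down to a bucket."""
    dt = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
    return item, int(dt.timestamp() // bucket_s)

def linkable(feed, orders, bucket_s):
    """Return {device_id: account} for keys shared by exactly one device and one account."""
    devices, accounts = defaultdict(set), defaultdict(set)
    for dev, item, ts in feed:
        devices[_key(item, ts, bucket_s)].add(dev)
    for acct, item, ts in orders:
        accounts[_key(item, ts, bucket_s)].add(acct)
    links = {}
    for key, devs in devices.items():
        accts = accounts.get(key, set())
        if len(devs) == 1 and len(accts) == 1:
            links[next(iter(devs))] = next(iter(accts))
    return links

def exposed_events(feed, links):
    """Every feed row that stops being anonymous once its device ID is linked."""
    return [row for row in feed if row[0] in links]

if __name__ == "__main__":
    for bucket in (1, 86400):  # one-second precision vs. one-day precision
        links = linkable(FEED, ORDERS, bucket)
        print(bucket, links, len(exposed_events(FEED, links)))
```

With one-second buckets both device IDs resolve to an account and the unrelated search row is exposed along with the purchase. The one-day bucket only prevents the link here because two buyers share it, so an item bought once that day would still be linkable.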
Unfortunately, the worst is yet to come. According to the logs reviewed by PCMag and Motherboard, the data collection doesn’t end there. Avast seems to have collected data about searches on mundane topics as well as highly sensitive ones like porn preferences, and even underage sex. This is information that no one wants tied to them. And yet this information exists and, combined with other data, can pinpoint the exact user who made the search.
This is just one of the many offerings from Jumpshot. There are products designed to track e-commerce websites, YouTube and Facebook browsing, Instagram tracking and more. In December of 2018, Omnicom Media Group signed a contract with Jumpshot to gain access to their all-clicks package. Normally, Jumpshot removes PII (Personally Identifiable Information) and replaces it with a device ID to protect the user’s identity. However, when it came to Omnicom Media Group, Jumpshot provided the information with PII. Not only that, but Omnicom Media Group also asked Jumpshot to provide data related to the URL string and even the age and gender of the person who was browsing the web.
It’s unclear why Omnicom wants the data. The company did not respond to our questions. But the contract raises the disturbing prospect Omnicom can unravel Jumpshot’s data to identify individual users.
Although Omnicom itself doesn’t own a major internet platform, the Jumpshot data is being sent to a subsidiary called Annalect, which is offering technology solutions to help companies merge their own customer information with third-party data. The three-year contract went into effect in January 2019, and gives Omnicom access to the daily click-stream data on 14 markets, including the US, India, and the UK. In return, Jumpshot gets paid $6.5 million.
– PC Mag
There’s no information on the number of companies that have access to the data. The company website lists IBM, Microsoft and Google as partners. However, Microsoft confirmed that the company has no current relationship. IBM, on the other hand, said it has “no record” of ever being a client of Avast or Jumpshot. Google declined to comment on the matter.
Wladimir Palant sparked the whole investigation when he noticed something odd with the antivirus company’s browser extensions: they were logging every website visited alongside a user ID and sending the information to Avast. After this was called out, Mozilla and Google removed the extension, which was later added back when Avast added new privacy features to it.
Aggregation would normally mean that data of multiple users is combined. If Jumpshot clients can still see data of individual users, that’s really bad.
It is hard to imagine that any anonymization algorithm will be able to remove all the relevant data. There are simply too many websites out there, and each of them does something different.
– Wladimir Palant, security researcher
It’s almost impossible to de-identify data. That just sounds like a terrible business practice. They’re supposed to be protecting consumers from threats, rather than exposing them to threats.
– Eric Goldman, co-director of the High Tech Law Institute at Santa Clara University
Both PC Mag and Motherboard tried reaching out to Avast and Jumpshot for clarifications but they didn’t get a response. Avast did say that the company will no longer collect data for marketing purposes.
We completely discontinued the practice of using any data from the browser extensions for any other purpose than the core security engine, including sharing with Jumpshot…
Users have always had the ability to opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV (antivirus), and we are now also prompting our existing free users to make an explicit choice, a process which will be completed in February 2020
When you install Avast, the company does ask, “Mind sharing some data with us?” The pop-up then tells you the collected data will be de-identified and aggregated as a way to protect your privacy. However, the pop-up doesn’t disclose information about the de-identification process or how the data, combined with other information, can reveal your true identity. Moreover, Motherboard asked Avast users about it, and most of them said they had no idea about the data collection policies or how the data was being used.
The bottom line is that it’s better to pay for the software to ensure your privacy. Moreover, it’s always a good idea to give the privacy statement a read and ensure the data collected is being handled with care. After looking at the case, we recommend that our users uninstall Avast or AVG immediately. For Windows 10 users, Microsoft’s own Windows Defender provides almost all the security features needed by an individual. Apart from that, you can go with Malwarebytes for advanced protection or buy one of the premium antivirus products available on the market. We never recommend installing freeware until you’re absolutely sure about its policies, especially when it handles critical parts of your computer like security and privacy.