A new report by Vice/Motherboard has revealed how much data Avast will collect on you if you opt in to their data collection services.
This is a perfect example of the privacy concerns we face in the modern era, and why freeware can be so bad.
Avast is used by hundreds of millions of people around the world, and is often classed as one of the best free antivirus applications you can use. Avast claims to have over 435 million active monthly users. They don’t develop this software in their spare time out of the kindness of their hearts. Avast is a for-profit business, and they need to pay the bills any way they can.
So, like most free software, and even most paid software, they have an opt-in policy with data collection, something that is all too easy to accidentally agree to when installing software.
Their opt-in states that their Jumpshot subsidiary will strip and de-identify data from your browsing history for the purpose of enabling them to analyse markets and business trends as well as gather valuable insights.
That doesn’t sound too bad when you opt in. However, the new report reveals that Jumpshot will have access to all browser-based internet activity, which includes but is not limited to:
- URLs visited, in what order and when
- Google searches
- Lookups of locations and GPS coordinates on Google Maps
- People visiting companies' LinkedIn pages
- YouTube videos
- Videos users are watching on Facebook and Instagram
- People visiting porn websites
This data is thorough enough that it is possible to know what date and time the anonymised user visited YouPorn and PornHub, and in some cases what search term they entered into the porn site and which specific video they watched.
But it is anonymous, isn’t it?
You may ask “But it is anonymised so why does it matter if an advertiser knows I am a Furry?”
Well, the data collected is so extensive that it could be possible to deanonymise some of the affected users. The data includes timestamps as well as exactly what you do online. Combine that with all those Google Maps and restaurant searches you do, and it will narrow down your location pretty quickly.
Furthermore, it takes a couple of minutes on Google to reveal just how frequent and severe data breaches are. The following all happened in 2019:
- Wikipedia states that Facebook had three data breaches affecting 267 million, 1.5 million and 540 million people.
- Capital One, the credit card and loans company with $28 billion in revenue, exposed 106,000,000 credit card applications via an unsecured Amazon S3 bucket.
- Truecaller, the telephone directory used to find out who called you, exposed nearly 300m records, which were then sold online via the Dark Web.
- The Bulgarian revenue agency exposed 500,000 records containing financial data of its citizens.
That’s just 4 out of the 25 reported data breaches in Wikipedia, and these typically have well over a million users per breach. So it wouldn’t be unreasonable to assume that the data you are passing over to Avast has a chance of being exposed via a data breach at some point.
How much is the data worth?
Total profits from all this data have not been revealed, but it looks like they rake it in. In one example, a marketing firm called Omnicom Media Group paid Jumpshot $2,075,000 for data access in 2019, then another $2,225,000 and $2,275,000 for 2020 and 2021, respectively. This data included users from 14 different countries, including the US, UK, Australia, and Canada.
The official statement from Avast states:
Because of our approach, we ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details, from people using our popular free antivirus software.
Users have always had the ability to opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an explicit choice, a process which will be completed in February 2020.
We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data.
So it looks like, even after GDPR came into force in 2018, Avast may have been using the opt-out method of data collection rather than opt-in.
Recently many Avast users have been getting the opt-in notification and then claiming they never knew that they were enrolled in the data collection in the first place.