Should Your Antivirus Software Be Spying On You?

from the there-is-no-privacy dept

Back in August, Wladimir Palant, the creator behind Adblock Plus, wrote a blog post detailing how Avast Online Security and Avast Secure Browser were collecting and selling the browsing data of the Czech company's 400 million users. In response, both Opera and Mozilla pulled Avast extensions from their respective add on markets, forcing Avast CEO Ondrej Vlcek to go on a PR tour last month to downplay the issue.

Vicek's going to have another busy week. A joint investigation by both Motherboard and PC Magazine (you should read both) obtained documents highlighting how the company collects the browsing data of its 450 million active antivirus customers, then, with the help of a third party outfit named Jumpshot, sells access to that data to a laundry list of companies:

"The data obtained by Motherboard and PCMag includes Google searches, lookups of locations and GPS coordinates on Google Maps, people visiting companies' LinkedIn pages, particular YouTube videos, and people visiting porn websites."

Throughout the scandal, Avast, like so many other companies trafficking in your daily habits, insisted that this collection wasn't that big a deal because this collected data was "anonymized." But there's an endless list of studies showcasing how anonymized data isn't really anonymous, and user data of this type can easily be identifiable with just a small number of additional data points. "Anonymization" is treated as some silver bullet magical get out of jail free card in countless privacy policy conversations, and it really shouldn't be.

PC Mag, for example. highlights how it would take Amazon seconds to identify you from the data they buy from Avast based on the timing of purchases at Amazon. For example a single chunk of anonymized data like this on your clicking habits:

"Device ID: abc123x Date: 2019/12/01 Hour Minute Second: 12:03:05 Domain: Amazon.com Product: Apple iPad Pro 10.5 - 2017 Model - 256GB, Rose Gold Behavior: Add to Cart"

...can pretty easily be used to identify you and build a not-so anonymous profile:

"At first glance, the click looks harmless. You can't pin it to an exact user. That is, unless you're Amazon.com, which could easily figure out which Amazon user bought an iPad Pro at 12:03:05 on Dec. 1, 2019. Suddenly, device ID: 123abcx is a known user. And whatever else Jumpshot has on 123abcx's activity—from other e-commerce purchases to Google searches—is no longer anonymous."

Given we long ago prioritized profits over user security, this certainly isn't new behavior. The telecom sector has been engaged in the same behavior for years, often either outright lying or denying that detailed data collection was happening. It was also reflected by the wireless industry's cellular location data scandals, which highlighted how your wireless carrier collects your every waking movement and then sells access to that data to pretty much any nitwit with a nickel. Nobody cared how that data could or would be abused, ensuring that it repeatedly was -- by everyone from stalkers to law enforcement.

While telecom, app makers, and a laundry list of other companies have been doing this sort of thing for years, you'd think we'd hold security software to a higher standard. Apparently not.

Update: After this article was written, Avast's CEO came out with a statement stating that the company would be shutting down its data collection and sale efforts, and terminating its relationship with Jumpstart. Again, something that would have never happened if a journalist hadn't discovered it:

"As CEO of Avast, I feel personally responsible and I would like to apologize to all concerned. Protecting people is Avast’s top priority and must be embedded in everything we do in our business and in our products. Anything to the contrary is unacceptable. For these reasons, I – together with our board of directors – have decided to terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect.

That's of course the right way to respond to such a scandal. That said, since there's no real privacy rules for the internet era and no real penalties for companies that routinely lie about this sort of thing, there's really not much (aside from journalists and bad PR) stopping Avast from reconstituting this program in a more modest form at a later date under a different name. And for every CEO like Palant, there's probably 10 executives who couldn't give any less of a shit about user privacy, and see it as their god-given right to hoover up your data and sell it to every nitwit with a nickel.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: antivirus, browser data, data, ondrej vlceck, security, spyware
Companies: avast