Should Your Antivirus Software Be Spying On You?
from the there-is-no-privacy dept
Back in August, Wladimir Palant, the creator behind Adblock Plus, wrote a blog post detailing how Avast Online Security and Avast Secure Browser were collecting and selling the browsing data of the Czech company's 400 million users. In response, both Opera and Mozilla pulled Avast extensions from their respective add-on markets, forcing Avast CEO Ondrej Vlcek to go on a PR tour last month to downplay the issue.
Vlcek's going to have another busy week. A joint investigation by both Motherboard and PC Magazine (you should read both) obtained documents highlighting how the company collects the browsing data of its 450 million active antivirus customers, then, with the help of a third-party outfit named Jumpshot, sells access to that data to a laundry list of companies:
"The data obtained by Motherboard and PCMag includes Google searches, lookups of locations and GPS coordinates on Google Maps, people visiting companies' LinkedIn pages, particular YouTube videos, and people visiting porn websites."
Throughout the scandal, Avast, like so many other companies trafficking in your daily habits, insisted that this collection wasn't that big a deal because this collected data was "anonymized." But there's an endless list of studies showcasing how anonymized data isn't really anonymous, and user data of this type can easily be identifiable with just a small number of additional data points. "Anonymization" is treated as some silver bullet magical get out of jail free card in countless privacy policy conversations, and it really shouldn't be.
PC Mag, for example, highlights how it would take Amazon seconds to identify you from the data they buy from Avast based on the timing of purchases at Amazon. For example, a single chunk of anonymized data like this on your clicking habits:
"Device ID: abc123x
Date: 2019/12/01
Hour Minute Second: 12:03:05
Domain: Amazon.com
Product: Apple iPad Pro 10.5 - 2017 Model - 256GB, Rose Gold
Behavior: Add to Cart"
...can pretty easily be used to identify you and build a not-so anonymous profile:
"At first glance, the click looks harmless. You can't pin it to an exact user. That is, unless you're Amazon.com, which could easily figure out which Amazon user bought an iPad Pro at 12:03:05 on Dec. 1, 2019. Suddenly, device ID: 123abcx is a known user. And whatever else Jumpshot has on 123abcx's activity—from other e-commerce purchases to Google searches—is no longer anonymous."
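The linkage PC Mag describes, as an added example that is not from the article, Avast or Jumpshot: constructed clickstream records are joined against a hypothetical retailer's own log on timestamp and product, then the join is repeated with timestamps coarsened to the hour to show how much the per-second precision contributes. All records, account names and function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample data. Field names follow the record quoted above;
# device IDs, accounts and timestamps are made up for illustration.
CLICKSTREAM = [
    {"device_id": "abc123x", "ts": "2019-12-01 12:03:05", "domain": "amazon.com", "product": "iPad Pro 10.5"},
    {"device_id": "abc123x", "ts": "2019-12-01 12:10:41", "domain": "google.com", "product": None},
    {"device_id": "abc123x", "ts": "2019-12-01 12:15:02", "domain": "linkedin.com", "product": None},
    {"device_id": "def456y", "ts": "2019-12-01 12:47:30", "domain": "amazon.com", "product": "iPad Pro 10.5"},
]
# The retailer's own first-party log, which already carries account identity.
RETAILER_LOG = [
    {"account": "customer-A", "ts": "2019-12-01 12:03:05", "product": "iPad Pro 10.5"},
    {"account": "customer-B", "ts": "2019-12-01 12:47:30", "product": "iPad Pro 10.5"},
    {"account": "customer-C", "ts": "2019-12-01 12:20:11", "product": "iPad Pro 10.5"},
]
FORMATS = {"second": "%Y-%m-%d %H:%M:%S", "hour": "%Y-%m-%d %H"}


def bucket(ts, granularity):
    """Truncate a timestamp to the given granularity."""
    return datetime.strptime(ts, FORMATS["second"]).strftime(FORMATS[granularity])


def link_devices(clickstream, retailer_log, domain, granularity="second"):
    """Return {device_id: account} for events matching exactly one account."""
    accounts = defaultdict(set)
    for row in retailer_log:
        accounts[(bucket(row["ts"], granularity), row["product"])].add(row["account"])
    linked = {}
    for ev in clickstream:
        if ev["domain"] != domain:
            continue
        candidates = accounts.get((bucket(ev["ts"], granularity), ev["product"]), set())
        if len(candidates) == 1:  # a unique match turns the device ID into a name
            linked[ev["device_id"]] = next(iter(candidates))
    return linked


def exposed_events(clickstream, linked, domain):
    """Events on other sites that become attributable once a device is linked."""
    return [ev for ev in clickstream if ev["device_id"] in linked and ev["domain"] != domain]


if __name__ == "__main__":
    for g in ("second", "hour"):
        linked = link_devices(CLICKSTREAM, RETAILER_LOG, "amazon.com", g)
        print(g, linked, len(exposed_events(CLICKSTREAM, linked, "amazon.com")))
```

Coarsening to the hour removes the unique matches only because three accounts in this sample share the same hour and product; a rarer product or a quieter hour would still single out one account.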
Given we long ago prioritized profits over user security, this certainly isn't new behavior. The telecom sector has been engaged in the same behavior for years, often either outright lying or denying that detailed data collection was happening. It was also reflected by the wireless industry's cellular location data scandals, which highlighted how your wireless carrier collects your every waking movement and then sells access to that data to pretty much any nitwit with a nickel. Nobody cared how that data could or would be abused, ensuring that it repeatedly was -- by everyone from stalkers to law enforcement.
While telecom, app makers, and a laundry list of other companies have been doing this sort of thing for years, you'd think we'd hold security software to a higher standard. Apparently not.
Update: After this article was written, Avast's CEO came out with a statement stating that the company would be shutting down its data collection and sale efforts, and terminating its relationship with Jumpstart. Again, something that would have never happened if a journalist hadn't discovered it:
"As CEO of Avast, I feel personally responsible and I would like to apologize to all concerned. Protecting people is Avast’s top priority and must be embedded in everything we do in our business and in our products. Anything to the contrary is unacceptable. For these reasons, I – together with our board of directors – have decided to terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect."
That's of course the right way to respond to such a scandal. That said, since there's no real privacy rules for the internet era and no real penalties for companies that routinely lie about this sort of thing, there's really not much (aside from journalists and bad PR) stopping Avast from reconstituting this program in a more modest form at a later date under a different name. And for every CEO like Palant, there's probably 10 executives who couldn't give any less of a shit about user privacy, and see it as their god-given right to hoover up your data and sell it to every nitwit with a nickel.
Filed Under: antivirus, browser data, data, ondrej vlceck, security, spyware
Companies: avast
Reader Comments
People have thoughts on Palant as well, although his decisions might not be as egregious.
[ link to this | view in chronology ]
"and terminating its relationship with Jumpstart. "
You mean Jumpshot, right?
[ link to this | view in chronology ]
Uh, what about the GDPR? We're not talking about a Silicon Valley company here; Avast is headquartered in Prague, which is in the EU.
[ link to this | view in chronology ]
So much of privacy enforcement comes through unconventional laws and measures now that it's hard to get the balance right.
[ link to this | view in chronology ]
Should my search engine be spying on me?
How about my iPhone? Because they do. But they call it a business model. It's hard to give Avast crap for something Amazon, Google, and Apple do.
[ link to this | view in chronology ]
Re: Should my search engine be spying on me?
No it's not. If there's one thing Internet users are good at, it's giving other people crap. It's even been known to happen in relation to the exact companies you listed.
[ link to this | view in chronology ]
Re: Re: Should my search engine be spying on me?
Oh, so like it's like when some outlet (today) says Sanders isn't popular despite him leading Biden by 9 percent now in the Emerson poll.
[ link to this | view in chronology ]
Re: Re: Re: Should my search engine be spying on me?
Or is it more like someone responding to a legitimate critique with a shit ass talking point they picked up off a third rate right wing nut job website?
Hint: it’s the second one.
[ link to this | view in chronology ]
You don’t need to participate in a business model if you don’t like that model or the company using it. Toss your iPhone if you don’t like the idea of Apple spying on you; Apple can’t stop you from doing that.
[ link to this | view in chronology ]
Re:
Data point: User telemetry stopped after notice of involuntary participation in interaction data collection.
Response: Conceal and deny further data collection practices to assure customer retention.
What could go wrong?
[ link to this | view in chronology ]
Re: Re:
After they get caught like the tenth time (they've literally been caught over ten times), and the media talks about it for a day and downplays it, I'm sure it just emboldens them to do it again.
[ link to this | view in chronology ]
Re: Re: Re:
Is that like every time someone asks why are you still here you just run away for a day or two? You’ve literally been asked that more than ten times and yet here you are bro. And I’m sure you’ll be back tomorrow.
[ link to this | view in chronology ]
Re:
Oh, I know. That's why I ditched Google when they abandoned their ethics. Unfortunately, Apple is the least invasive option. It's kinda like how we also need a third political party really bad, but the market won't allow it.
[ link to this | view in chronology ]
AVAST is a virus
It's spying on you.
[ link to this | view in chronology ]
Jumpshot *was* Avast
Hate to nitpick but Jumpshot was owned by Avast. It wasn't a third party. Avast isn't terminating its relationship with Jumpshot, it's winding down that subsidiary.
Just thought I should clear that up.
[ link to this | view in chronology ]
Should your ... software be spying on you?
No. Next question please!
[ link to this | view in chronology ]
Well, they lost one potential paying customer. Honestly, M$ already has too much data and they provide Windows Defender which is pretty good itself.
[ link to this | view in chronology ]
Bets on Avast restarting selling user browsing history once the heat dies down?
[ link to this | view in chronology ]