Should Your Antivirus Software Be Spying On You?

from the there-is-no-privacy dept

Back in August, Wladimir Palant, the creator behind Adblock Plus, wrote a blog post detailing how Avast Online Security and Avast Secure Browser were collecting and selling the browsing data of the Czech company's 400 million users. In response, both Opera and Mozilla pulled Avast extensions from their respective add-on markets, forcing Avast CEO Ondrej Vlcek to go on a PR tour last month to downplay the issue.

Vlcek's going to have another busy week. A joint investigation by both Motherboard and PC Magazine (you should read both) obtained documents highlighting how the company collects the browsing data of its 450 million active antivirus customers, then, with the help of a third-party outfit named Jumpshot, sells access to that data to a laundry list of companies:

"The data obtained by Motherboard and PCMag includes Google searches, lookups of locations and GPS coordinates on Google Maps, people visiting companies' LinkedIn pages, particular YouTube videos, and people visiting porn websites."

Throughout the scandal, Avast, like so many other companies trafficking in your daily habits, insisted that this collection wasn't that big a deal because this collected data was "anonymized." But there's an endless list of studies showcasing how anonymized data isn't really anonymous, and user data of this type can easily be identifiable with just a small number of additional data points. "Anonymization" is treated as some silver bullet magical get out of jail free card in countless privacy policy conversations, and it really shouldn't be.

PC Mag, for example, highlights how it would take Amazon seconds to identify you from the data they buy from Avast based on the timing of purchases at Amazon. For example, a single chunk of anonymized data like this on your clicking habits:

"Device ID: abc123x Date: 2019/12/01 Hour Minute Second: 12:03:05 Domain: Amazon.com Product: Apple iPad Pro 10.5 - 2017 Model - 256GB, Rose Gold Behavior: Add to Cart"

...can pretty easily be used to identify you and build a not-so-anonymous profile:

"At first glance, the click looks harmless. You can't pin it to an exact user. That is, unless you're Amazon.com, which could easily figure out which Amazon user bought an iPad Pro at 12:03:05 on Dec. 1, 2019. Suddenly, device ID: 123abcx is a known user. And whatever else Jumpshot has on 123abcx's activity—from other e-commerce purchases to Google searches—is no longer anonymous."
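
The linkage PCMag describes can be written out as a release audit: given the "anonymized" clickstream and the log one site already holds, how much of the release becomes attributable? This is an added example, not code from the article or from Avast/Jumpshot; the records, field names and account addresses are constructed, and the exact-match rule on timestamp, item and action is an assumption.

```python
from collections import defaultdict

# Constructed sample data, not taken from the Motherboard/PCMag documents.
# RELEASED: the "anonymized" clickstream as a data buyer receives it.
RELEASED = [
    {"device": "abc123x", "ts": "2019-12-01 12:03:05", "domain": "amazon.com",
     "item": "iPad Pro 10.5 256GB Rose Gold", "action": "add_to_cart"},
    {"device": "abc123x", "ts": "2019-12-01 12:10:41", "domain": "google.com",
     "item": "search: flu symptoms", "action": "search"},
    {"device": "zzz999q", "ts": "2019-12-01 12:03:05", "domain": "amazon.com",
     "item": "USB-C cable 2m", "action": "add_to_cart"},
    {"device": "zzz999q", "ts": "2019-12-01 12:20:00", "domain": "youtube.com",
     "item": "video: cat compilation", "action": "view"},
]
# FIRST_PARTY: the log one site operator already holds about its own accounts.
FIRST_PARTY = [
    {"account": "alice@example.com", "ts": "2019-12-01 12:03:05",
     "item": "iPad Pro 10.5 256GB Rose Gold", "action": "add_to_cart"},
    {"account": "bob@example.com", "ts": "2019-12-01 12:03:05",
     "item": "USB-C cable 2m", "action": "add_to_cart"},
    {"account": "carol@example.com", "ts": "2019-12-01 12:03:05",
     "item": "USB-C cable 2m", "action": "add_to_cart"},
]
QUASI_IDS = ("ts", "item", "action")  # fields present in both datasets


def linkable_devices(released, first_party, domain):
    """Return {device: account} for devices whose event matches exactly one account."""
    accounts = defaultdict(set)
    for ev in first_party:
        accounts[tuple(ev[f] for f in QUASI_IDS)].add(ev["account"])
    linked = {}
    for rec in released:
        match = accounts.get(tuple(rec[f] for f in QUASI_IDS), set())
        if rec["domain"] == domain and len(match) == 1:  # ambiguous matches stay unlinked
            linked[rec["device"]] = next(iter(match))
    return linked


def exposure(released, linked):
    """Fraction of ALL released records (any domain) that inherit an identity."""
    hit = [r for r in released if r["device"] in linked]
    return len(hit) / len(released), hit


if __name__ == "__main__":
    linked = linkable_devices(RELEASED, FIRST_PARTY, "amazon.com")
    rate, hit = exposure(RELEASED, linked)
    print(linked, f"{rate:.0%} of records attributable")
```

One unique match on one domain is enough to attach a name to every other record carrying the same device ID, which is why a persistent per-device identifier defeats the "anonymized" label.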

Given we long ago prioritized profits over user security, this certainly isn't new behavior. The telecom sector has been engaged in the same behavior for years, often either outright lying or denying that detailed data collection was happening. It was also reflected by the wireless industry's cellular location data scandals, which highlighted how your wireless carrier collects your every waking movement and then sells access to that data to pretty much any nitwit with a nickel. Nobody cared how that data could or would be abused, ensuring that it repeatedly was -- by everyone from stalkers to law enforcement.

While telecom, app makers, and a laundry list of other companies have been doing this sort of thing for years, you'd think we'd hold security software to a higher standard. Apparently not.

Update: After this article was written, Avast's CEO came out with a statement stating that the company would be shutting down its data collection and sale efforts, and terminating its relationship with Jumpstart. Again, something that would have never happened if a journalist hadn't discovered it:

"As CEO of Avast, I feel personally responsible and I would like to apologize to all concerned. Protecting people is Avast’s top priority and must be embedded in everything we do in our business and in our products. Anything to the contrary is unacceptable. For these reasons, I – together with our board of directors – have decided to terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect."

That's of course the right way to respond to such a scandal. That said, since there's no real privacy rules for the internet era and no real penalties for companies that routinely lie about this sort of thing, there's really not much (aside from journalists and bad PR) stopping Avast from reconstituting this program in a more modest form at a later date under a different name. And for every CEO like Palant, there's probably 10 executives who couldn't give any less of a shit about user privacy, and see it as their god-given right to hoover up your data and sell it to every nitwit with a nickel.


Filed Under: antivirus, browser data, data, ondrej vlceck, security, spyware
Companies: avast


Reader Comments


  1. Anonymous Coward, 30 Jan 2020 @ 12:48pm

    People have thoughts on Palant as well, although his decisions might not be as egregious.

  2. Anonymous Coward, 30 Jan 2020 @ 1:33pm

    "and terminating its relationship with Jumpstart. "

    You mean Jumpshot, right?

  3. Anonymous Coward, 30 Jan 2020 @ 1:37pm

    That said, since there's no real privacy rules for the internet era and no real penalties for companies that routinely lie about this sort of thing, there's really not much (sort of journalists and bad PR) stopping Avast from reconstituting this program in a more modest form at a later date under a different name.

    Uh, what about the GDPR? We're not talking about a Silicon Valley company here; Avast is headquartered in Prague, which is in the EU.

  4. Anonymous Coward, 30 Jan 2020 @ 2:25pm

    So much of privacy enforcement comes through unconventional laws and measures now that it's hard to get the balance right.

  5. This comment has been flagged by the community.
    Zof, 30 Jan 2020 @ 3:20pm

    Should my search engine be spying on me?

    How about my iPhone? Because they do. But they call it a business model. It's hard to give Avast crap for something Amazon, Google, and Apple do.

  6. Anonymous Coward, 30 Jan 2020 @ 3:59pm

    Re: Should my search engine be spying on me?

    It's hard to give Avast crap for something Amazon, Google, and Apple do.

    No it's not. If there's one thing Internet users are good at, it's giving other people crap. It's even been known to happen in relation to the exact companies you listed.

  7. Stephen T. Stone, 30 Jan 2020 @ 4:12pm

    You don’t need to participate in a business model if you don’t like that model or the company using it. Toss your iPhone if you don’t like the idea of Apple spying on you; Apple can’t stop you from doing that.

  8. Anonymous Coward, 30 Jan 2020 @ 4:31pm

    Re:

    Data point: User telemetry stopped after notice of involuntary participation in interaction data collection.

    Response: Conceal and deny further data collection practices to assure customer retention.

    What could go wrong?

  9. This comment has been flagged by the community.
    Zof, 30 Jan 2020 @ 4:54pm

    Re: Re: Should my search engine be spying on me?

    Oh, so like it's like when some outlet (today) says Sanders isn't popular despite him leading Biden by 9 percent now in the Emerson poll.

  10. This comment has been flagged by the community.
    Zof, 30 Jan 2020 @ 4:57pm

    Re:

    Oh, I know. That's why I ditched Google when they abandoned their ethics. Unfortunately, Apple is the least invasive option. It's kinda like how we also need a third political party really bad, but the market won't allow it.

  11. This comment has been flagged by the community.
    Zof, 30 Jan 2020 @ 4:58pm

    Re: Re:

    After they get caught like the tenth time (they've literally been caught over ten times), and the media talks about it for a day and downplays it, I'm sure it just emboldens them to do it again.

  12. Anonymous Coward, 30 Jan 2020 @ 5:55pm

    Re: Re: Re: Should my search engine be spying on me?

    Or is it more like someone responding to a legitimate critique with a shit ass talking point they picked up off a third rate right wing nut job website?

    Hint: it’s the second one.

  13. Anonymous Coward, 30 Jan 2020 @ 5:56pm

    Re: Re: Re:

    Is that like every time someone asks why are you still here you just run away for a day or two? You’ve literally been asked that more than ten times and yet here you are bro. And I’m sure you’ll be back tomorrow.

  14. Anonymous Coward, 31 Jan 2020 @ 1:43am

    AVAST is a virus

    It's spying on you.

  15. jilocasin, 31 Jan 2020 @ 5:29am

    Jumpshot *was* Avast

    Hate to nitpick but Jumpshot was owned by Avast. It wasn't a third party. Avast isn't terminating its relationship with Jumpshot, it's winding down that subsidiary.

    Just thought I should clear that up.

  16. Anonymous Coward, 31 Jan 2020 @ 7:13am

    Should your ... software be spying on you?

    No. Next question please!

  17. Ninja, 31 Jan 2020 @ 10:40am

    Well, they lost one potential paying customer. Honestly, M$ already has too much data and they provide Windows Defender which is pretty good itself.

  18. Anonymous Coward, 3 Feb 2020 @ 1:18pm

    Bets on Avast restarting selling user browsing history once the heat dies down?
