Antivirus vendor Avast has been accused of selling users personal data. The claim comes from an investigation carried out by news website VICE. The investigation follows the leak of data from Avast and details commercial relationships that show the sale of data. This is not the first time that Avast has been accused of selling user web browsing data. In 2019 several browser vendors banned plugins from the vendor. This led to one US Senator, Ron Wyden, asking Avast what it was playing at.
Avast subsidiary Jumpshot responsible for selling data
The problem lies with a company called Jumpshot that Avast purchased in 2013. Originally a Kickstarter campaign, the company offered users a USB stick that it claimed “cleans and optimizes your PC in one simple step.” Avast saw the acquisition as a quick route into the PC tune-up market.
Jumpshot used what it called Minions to examine different parts of the PC environment and tune it up. One of those minions, Nikita, optimized browser settings for speed and security. Another, Holmes, “protects your identity and keeps your habits private from snooping.”
What VICE has uncovered is that the combination of Nikita and Holmes had access to so much information that the marketing team at Jumpstart saw an opportunity to make millions of dollars.
The VICE investigation discloses just how the Jumpshot team sold user data. Having gathered all the data it could, it then created different packages for different vendors. It then offered that out in deals worth several million dollars at a time. Customers of the data identified by VICE include Microsoft, Google, Pepsi, Conde Nast and Home Depot. It claims to have contracts and data implicating many more.
Put simply, they didn’t protect the user, they sold them lock, stock and web click.
100 million users had their data accessed
One of the worrying things about this story is that Jumpshot claims to have access to the data of over 100 million users. Given that Avast claims to have an active user base of over 435 million users per month, Jumpstart has a sizeable proportion of those users. However, without properly audited data, it’s hard to know just how many users Jumpshot has access to.
So far, Avast has not provided any audited details on the users affected. It has also avoided any mention of where those users are located. The VICE investigation, similarly, has not identified the countries where affected users are based. The latter is important.
Opt-in and privacy laws could cost Avast dearly
One of the reasons why the country where users are located is important is the increasing amount of privacy laws enacted by countries. When the original investigation last year showed the data was being sold, Avast admitted it was not using an Opt-In process. In its response to Sen Wyden, it said that it would begin to do that.
However, Avast has a large European user base and an office in the Czech Republic. This means that it is subject to a number of European laws including GDPR that cover user privacy. Surprisingly, NYOB and other European privacy advocates have yet to bring a case against Avast for misuse of user data. We have emailed NYOB to ask if this is something they are planning but have had no response yet.
Avast will also need to show how it plans to delete data it gathered without consent. This is likely to be a problem for it. While it can delete data it holds, getting the buyers of the data to delete it is going to be extremely difficult.
The news has already had an impact on the Avast share price. Having risen spectacularly over the last six months, it has dropped 6% in the last 24 hours. Is this investors expecting a hit from regulators or just a little bit of profit taking?
What is Avast saying about this?
Enterprise Times contacted Avast to ask it what it was doing about this situation. It sent us the following statement.
“In December 2019, we acted quickly to meet browser store standards and are now compliant with browser extension requirements for our online security extensions. At the same time, we completely discontinued the practice of using any data from the browser extensions for any other purpose than the core security engine, including sharing with our subsidiary Jumpshot.
“We ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details. Users have always had the ability to opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020.
“Our Privacy Policy details the protections we put in place for all our users. Users can also choose to adjust their privacy levels using the broad range of settings available in our products, including control over any data sharing at any time. We voluntarily comply with the GDPR and California Consumer Privacy Act (CCPA) privacy requirements across our entire global user base.
“We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data for our core security products.”
Enterprise Times: What does this mean
Companies harvesting and selling user data is, in many ways, old news. Data has value and people willingly hand it over to access services and use software. Read the End User Licence Agreement for most pieces of software and see just how much data is gathered to help vendor “make our products better.”
However, this case is different from the norm. Jumpshot positioned itself to protect user data and Avast has never openly changed that position. It does not detail in its opt-in statement exactly how it will use data or exactly what it is gathering. While it claims it is not gathering personal data, that is a very difficult thing to do. It is not hard to de-anonymise data these data given the amount that is out there.
Avast believes that its actions do not imply a breach of GDPR or other privacy laws around the world. However, as the German Government discovered two years ago, the scope of what is Personally Identifiable Information (PII) is very wide. It lost a court case over the use of dynamic IP addresses, something that surprised a lot of people. Avast will need to go through all the data it has and prove it has captured nothing that could remotely be seen as PII.
The next few months will be interesting for Avast. What has happened cannot be changed. It has an opportunity to not only change what it does with user data, albeit at the loss of some significant revenue, but do so in a way that sets a much higher bar for others to follow.
