Avast — whose free antivirus software has been used by hundreds of millions around the world — has been harvesting and selling users’ “highly sensitive” web-browsing histories, according to an explosive report.
An Avast subsidiary called Jumpshot has been giving big companies like Google, Pepsi, Home Depot and McKinsey & Co. access to Avast user’s internet activity — from their shopping habits on Amazon to their sessions on Pornhub, according to a joint investigation by Motherboard and PCMag.
Avast tracked users’ Internet behavior to a granular degree, even in their most intimate moments. The collected data could tell a company what time a user visited a porn site, what they searched for on the site and even what video they watched.
“Every search. Every click. Every buy. On every site,” Jumpshot claimed in a slide on a webinar it hosted in December, according to the Tuesday report.
The company asked users to opt-in to the tracking, and the data was anonymized, meaning that their individual identities were scrubbed from the browsing data.
Experts told Motherboard, however, that in certain instances it “could be possible to deanonymize certain users” provided there was enough specific data about their browsing habits.
Either way, the investigation found that users were oftentimes unaware they were being monitored online.
Avast had previously been caught funneling data to Jumpshot that was collected through a browser extension, but ended the practice after it was reported in October.
Avast said that it always gets user permission, and noted that over the summer it began “implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020.”
The company added that it takes “seriously the responsibility to balance user privacy with the necessary use of data for our core security products.”