Avast has been accused of harvesting data from those who use the company’s free antivirus and protection software, then using a subsidiary to sell the data on to third-parties, including some of the biggest names in tech, such as Google and Microsoft.
Avast had already been accused of using its various browser extensions to collect and sell data resulting in many of the browsers opting to remove support for the extensions. In response, Avast had stated it was taking on the concerns and updating its extensions, as well as pointing out that although opt-in data was being collected and used, it wasn't data that could be used to identify a user by name, email, or IP address. However, a new report is now not only detailing the granular levels of data that’s understood to have been collected, but also how it can be used by third-parties to identify real people.
The investigation was jointly conducted by Motherboard and PCMag and states the information being sold through Avast’s Jumpshot subsidiary included tracing all clicks of a user’s session, the device used to make those clicks, all of which is time-stamped. While the data doesn’t include personal identifiers, the suggestion is that when coupled with data already held on file by a third-party company, the identity of the person can be obtained. In one example given to highlight how easily a full user picture can be painted, if a retailer is provided with data of a purchase that marries with its own purchase record (product, timestamp, and so on) then suddenly the anonymous data has been linked to a person’s identity.
When Avast's "Free" Antivirus Is Not Actually Free
The reports entirely focus on the free software offered by Avast. If the information is correct, then it is the latest example of how free is almost never free. Many companies now offer a free tier to their products and services and as has been routinely found, the free aspect is typically only in terms of the monetary contribution. Data itself is highly valuable, and companies have found multiple ways in which they can make a sizable income just by utilizing that data.
One of the major concerns raised in this investigation is user consent. Avast argues that in addition to not collecting or sharing personally identifiable data, consumers have the option to opt-in or out. The problem here is whether consumers are informed to a high enough level to even be able to give consent in the first place. For example, the reports interviewed some Avast customers. And as to be expected, they were completely unaware Avast was collecting and sharing data in the way it is now being accused of. Consumers hardly have the ability to make an informed decision if they are so unaware of what the decision relates to.
As for Avast, regardless of the accuracy of the allegations, it is unlikely to be something its customers are going to feel comfortable with once they learn of what's happened. Even if those consumers are prompted enough to opt for a paid-for antivirus solution in a bid to further ensure their data is adequately protected, they are unlikely now to feel as comfortable going with Avast as they might have been before. In fact, the effects of the report are already being felt by the company considering Avast put out a press release today explaining its commitment to responsible data use, and how it is improving its systems further in the next couple of months.
Source: Motherboard, PCMag