Jumpshot, a subsidiary of Avast, is responsible for selling data, accessing user data from Avast Antivirus’ free browser extension. It has access to data from over 100 million devices, including PCs and mobile devices. The study that relied on leaked user data and other company documents accessed from Jumpshot found that “the sale of this data is both highly sensitive and is, in many cases, supposed to remain confidential between the company selling the data and the clients purchasing it.” Although Avast claimed that the data had been ‘de-identified,’ it sold the data to advertisers in such a way that the companies could use the tools available with them to link it back to individual users. The Avast antivirus program installed on a person’s computer collected data, and then Jumpshot repackaged it into various different products and sold to many of the largest companies in the world. “Potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Conde Nast, Intuit, and many others,” the report claimed. Some of the company’s clients even paid millions of dollars for a so-called “All Clicks Feed” package that tracks behavior, clicks and even movements across websites, and collects data on things like searches on Google and Google Maps, as well as visits to specific LinkedIn pages, and youtube videos. According to the investigation, Avast also recorded “porn site visits that are anonymized, offered the date and time the user visited the sites, as well as search terms and viewed videos in some instances”. However, Avast in a statement on Tuesday, said it has stopped the practice of using any data from the browser extensions for any other purpose than the core security engine, including sharing it with their subsidiary Jumpshot. “Jumpshot doesn’t acquire personal identification information, including name, email address or contact details. Users have always had the ability to opt-out of sharing data with Jumpshot,” an Avast spokesperson said. “As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020.” The spokesperson also added that the company understands and takes seriously “the responsibility to balance user privacy with the necessary use of data for our core security products.” Multiple Avast users told Motherboard that they weren’t aware that their browsing data was being sold. The investigation also claimed that Avast is still harvesting the data but through the anti-virus software itself instead of the software attached to the browser.
