The Mac and Windows version of Avast antivirus has been used to harvest user data, an investigation claims, with some sensitive info sold to third parties, including Google, Microsoft, and Intuit.
Avast offers a selection of free and paid-for antivirus and security tools, in both free and in paid-for formats. The tools are popular, with more than 435 million active users per month using it on Macs, PCs, and mobile devices, to keep their data safe from harm.
As part of its offerings, Avast’s software provides the option to opt-in to allowing the firm to collect some types of user data, which it then sells on via subsidiary Jumpshot. An investigation by Vice and PC Mag using leaked user data, contracts, and other documents has revealed both the extent of these sales, as well as the breadth of the data being sold by the firm.
Data acquired for the investigation revealed the information collected by Avast is wide-ranging, including Google searches, location look-ups and GPS coordinates from Google Maps, LinkedIn pages, and YouTube video listings. More disturbingly, records porn site visits that are anonymized offer the date and time the user visited the sites, as well as search terms and viewed videos in some instances.
Despite the efforts to anonymize the data, some experts claimed the highly specific browsing data could be used to find out identities.
The amount of data being collected may not be well advised to consumers of Avast, with the investigation advised by multiple users they were not aware of the sale of said browsing data.
The subsidiary claims it has data from 100 million devices, with the investigation claiming Jumpshot repackages data collected from Avast into a number of different packages. This also includes a so-called “All Clicks Feed” option, where clients paid millions of dollars to be able to track a user’s behavior and movement across websites.
The list of clients include many major firms, such as Google, Yelp, Microsoft, and Pepsi.
Collecting the data was, until recently, conducted via Avast’s browser plugin, one that provides warnings to the user about suspicious and malicious websites. A report by security researcher and AdBlock Plus creator Wladimir Palant in October revealed the plugin was used to harvest data, prompting Mozilla, Opera, and Google to remove access to Avast’s extensions.