Should Your Antivirus Software Be Spying On You?

from the there-is-no-privacy dept

Back in August, Wladimir Palant, the creator behind Adblock Plus, wrote a blog post detailing how Avast Online Security and Avast Secure Browser were collecting and selling the browsing data of the Czech company's 400 million users. In response, both Opera and Mozilla pulled Avast extensions from their respective add-on markets, forcing Avast CEO Ondrej Vlcek to go on a PR tour last month to downplay the issue.

Vlcek's going to have another busy week. A joint investigation by both Motherboard and PC Magazine (you should read both) obtained documents highlighting how the company collects the browsing data of its 450 million active antivirus customers, then, with the help of a third-party outfit named Jumpshot, sells access to that data to a laundry list of companies:

"The data obtained by Motherboard and PCMag includes Google searches, lookups of locations and GPS coordinates on Google Maps, people visiting companies' LinkedIn pages, particular YouTube videos, and people visiting porn websites."

Throughout the scandal, Avast, like so many other companies trafficking in your daily habits, insisted that this collection wasn't that big a deal because this collected data was "anonymized." But there's an endless list of studies showcasing how anonymized data isn't really anonymous, and user data of this type can easily be identifiable with just a small number of additional data points. "Anonymization" is treated as some silver bullet magical get out of jail free card in countless privacy policy conversations, and it really shouldn't be.

PC Mag, for example, highlights how it would take Amazon seconds to identify you from the data they buy from Avast based on the timing of purchases at Amazon. For example, a single chunk of anonymized data like this on your clicking habits:

"Device ID: abc123x Date: 2019/12/01 Hour Minute Second: 12:03:05 Domain: Amazon.com Product: Apple iPad Pro 10.5 - 2017 Model - 256GB, Rose Gold Behavior: Add to Cart"

...can pretty easily be used to identify you and build a not-so-anonymous profile:

"At first glance, the click looks harmless. You can't pin it to an exact user. That is, unless you're Amazon.com, which could easily figure out which Amazon user bought an iPad Pro at 12:03:05 on Dec. 1, 2019. Suddenly, device ID: 123abcx is a known user. And whatever else Jumpshot has on 123abcx's activity—from other e-commerce purchases to Google searches—is no longer anonymous."

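A release-side audit of the re-identification risk PCMag describes, as an added example (not code from the article, Avast or Jumpshot): it counts how many device IDs share each timestamp/product/behavior tuple on one domain, and lists the other-domain rows that lose anonymity along with them. The records, field layout and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample release, shaped like the click quoted above:
# (device_id, timestamp, domain, product_or_detail, behavior). All values are made up.
CLICKS = [
    ("abc123x", "2019/12/01 12:03:05", "amazon.com", "iPad Pro 10.5 256GB", "Add to Cart"),
    ("abc123x", "2019/12/01 12:10:41", "google.com", "search: knee pain", "Search"),
    ("def456y", "2019/12/01 12:03:44", "amazon.com", "iPad Pro 10.5 256GB", "Add to Cart"),
    ("ghi789z", "2019/12/01 12:47:19", "amazon.com", "iPad Pro 10.5 256GB", "Add to Cart"),
    ("ghi789z", "2019/12/01 13:02:00", "linkedin.com", "company page", "View"),
]

FORMATS = {"second": "%Y/%m/%d %H:%M:%S", "minute": "%Y/%m/%d %H:%M", "hour": "%Y/%m/%d %H"}

def bucket(ts, granularity):
    """Truncate a timestamp to the precision the release would publish."""
    return datetime.strptime(ts, FORMATS["second"]).strftime(FORMATS[granularity])

def singled_out_by(records, domain, granularity, k=2):
    """Device IDs with an event on `domain` whose (time bucket, detail, behavior)
    is shared by fewer than k devices, i.e. rows the site operator could match
    against its own logs. Uniqueness is measured inside the release only, so
    this is a conservative (upper-bound) estimate of who is exposed."""
    groups = defaultdict(set)
    for dev, ts, dom, detail, behavior in records:
        if dom == domain:
            groups[(bucket(ts, granularity), detail, behavior)].add(dev)
    return sorted({d for devs in groups.values() if len(devs) < k for d in devs})

def spillover(records, domain, granularity, k=2):
    """Rows on OTHER domains that stop being anonymous once a device is singled out."""
    exposed = singled_out_by(records, domain, granularity, k)
    return {d: [r for r in records if r[0] == d and r[2] != domain] for d in exposed}

if __name__ == "__main__":
    for g in FORMATS:
        print(g, singled_out_by(CLICKS, "amazon.com", g))
    print(spillover(CLICKS, "amazon.com", "second"))
```

In this sample every Amazon row is unique at one-second precision, and only hour-level buckets leave no device singled out; the spillover output shows why the pseudonymous device ID is the real problem, since one matched row attributes every other row carrying that ID.
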
Given we long ago prioritized profits over user security, this certainly isn't new behavior. The telecom sector has been engaged in the same behavior for years, often either outright lying or denying that detailed data collection was happening. It was also reflected by the wireless industry's cellular location data scandals, which highlighted how your wireless carrier collects your every waking movement and then sells access to that data to pretty much any nitwit with a nickel. Nobody cared how that data could or would be abused, ensuring that it repeatedly was -- by everyone from stalkers to law enforcement.

While telecom, app makers, and a laundry list of other companies have been doing this sort of thing for years, you'd think we'd hold security software to a higher standard. Apparently not.

Update: After this article was written, Avast's CEO came out with a statement stating that the company would be shutting down its data collection and sale efforts, and terminating its relationship with Jumpstart. Again, something that would have never happened if a journalist hadn't discovered it:

"As CEO of Avast, I feel personally responsible and I would like to apologize to all concerned. Protecting people is Avast’s top priority and must be embedded in everything we do in our business and in our products. Anything to the contrary is unacceptable. For these reasons, I – together with our board of directors – have decided to terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect."

That's of course the right way to respond to such a scandal. That said, since there's no real privacy rules for the internet era and no real penalties for companies that routinely lie about this sort of thing, there's really not much (aside from journalists and bad PR) stopping Avast from reconstituting this program in a more modest form at a later date under a different name. And for every CEO like Palant, there's probably 10 executives who couldn't give any less of a shit about user privacy, and see it as their god-given right to hoover up your data and sell it to every nitwit with a nickel.

Filed Under: antivirus, browser data, data, ondrej vlceck, security, spyware
Companies: avast


Reader Comments

  • Anonymous Coward, 30 Jan 2020 @ 12:48pm

    People have thoughts on Palant as well, although his decisions might not be as egregious.

  • Anonymous Coward, 30 Jan 2020 @ 1:33pm

    "and terminating its relationship with Jumpstart. "

    You mean Jumpshot, right?

  • Anonymous Coward, 30 Jan 2020 @ 1:37pm

    That said, since there's no real privacy rules for the internet era and no real penalties for companies that routinely lie about this sort of thing, there's really not much (sort of journalists and bad PR) stopping Avast from reconstituting this program in a more modest form at a later date under a different name.

    Uh, what about the GDPR? We're not talking about a Silicon Valley company here; Avast is headquartered in Prague, which is in the EU.

  • Anonymous Coward, 30 Jan 2020 @ 2:25pm

    So much of privacy enforcement comes through unconventional laws and measures now that it's hard to get the balance right.

  • This comment has been flagged by the community.
    Zof, 30 Jan 2020 @ 3:20pm

    Should my search engine be spying on me?

    How about my iPhone? Because they do. But they call it a business model. It's hard to give Avast crap for something Amazon, Google, and Apple do.

    • Anonymous Coward, 30 Jan 2020 @ 3:59pm

      Re: Should my search engine be spying on me?

      It's hard to give Avast crap for something Amazon, Google, and Apple do.

      No it's not. If there's one thing Internet users are good at, it's giving other people crap. It's even been known to happen in relation to the exact companies you listed.

      • This comment has been flagged by the community.
        Zof, 30 Jan 2020 @ 4:54pm

        Re: Re: Should my search engine be spying on me?

        Oh, so like it's like when some outlet (today) says Sanders isn't popular despite him leading Biden by 9 percent now in the Emerson poll.

        • Anonymous Coward, 30 Jan 2020 @ 5:55pm

          Re: Re: Re: Should my search engine be spying on me?

          Or is it more like someone responding to a legitimate critique with a shit ass talking point they picked up off a third rate right wing nut job website?

          Hint: it’s the second one.

    • Stephen T. Stone, 30 Jan 2020 @ 4:12pm

      You don’t need to participate in a business model if you don’t like that model or the company using it. Toss your iPhone if you don’t like the idea of Apple spying on you; Apple can’t stop you from doing that.

      • Anonymous Coward, 30 Jan 2020 @ 4:31pm

        Re:

        Data point: User telemetry stopped after notice of involuntary participation in interaction data collection.

        Response: Conceal and deny further data collection practices to assure customer retention.

        What could go wrong?

        • This comment has been flagged by the community.
          Zof, 30 Jan 2020 @ 4:58pm

          Re: Re:

          After they get caught like the tenth time (they've literally been caught over ten times), and the media talks about it for a day and downplays it, I'm sure it just emboldens them to do it again.

          • Anonymous Coward, 30 Jan 2020 @ 5:56pm

            Re: Re: Re:

            Is that like every time someone asks why are you still here you just run away for a day or two? You’ve literally been asked that more than ten times and yet here you are bro. And I’m sure you’ll be back tomorrow.

      • This comment has been flagged by the community.
        Zof, 30 Jan 2020 @ 4:57pm

        Re:

        Oh, I know. That's why I ditched Google when they abandoned their ethics. Unfortunately, Apple is the least invasive option. It's kinda like how we also need a third political party really bad, but the market won't allow it.

  • Anonymous Coward, 31 Jan 2020 @ 1:43am

    AVAST is a virus

    It's spying on you.

  • jilocasin, 31 Jan 2020 @ 5:29am

    Jumpshot *was* Avast

    Hate to nitpick but Jumpshot was owned by Avast. It wasn't a third party. Avast isn't terminating its relationship with Jumpshot, it's winding down that subsidiary.

    Just thought I should clear that up.

  • Anonymous Coward, 31 Jan 2020 @ 7:13am

    Should your ... software be spying on you?

    No. Next question please!

  • Ninja, 31 Jan 2020 @ 10:40am

    Well, they lost one potential paying customer. Honestly, M$ already has too much data and they provide Windows Defender which is pretty good itself.

  • Anonymous Coward, 3 Feb 2020 @ 1:18pm

    Bets on Avast restarting selling user browsing history once the heat dies down?
