One would assume their antivirus software is keeping them safe and private. This may not the case for Avast branded antivirus software. Within the software is a heavy-handed spyware capability that will watch and sell just about everything its users do. Major companies are purchasing information about what people do online, and if you’ve ever used Avast, chances are that someone who works at Pepsi or Keurig knows exactly what kind of porn you watch.
PCMag and Motherboard Conducted the Investigation
PCMag and Motherboard worked in conjunction to review leaked data released by Jumpshot, the subsidiary of Avast responsible for violating user trust. Their review of the leaked documents was able to determine what was being collected and where that information was going. The sale of this data seems to be a secretive and confidential matter, but not so secretive and confidential to the point where leaks weren’t possible. These leaks exposed information about companies splurging to the tune of price tags in the millions for so called “All Clicks” data that revealed every single move a user made online.
How Many People Are Affected?
As far as statistics go, numbers are conflicting. By Avast’s count, they have over 435 million users. Jumpshot claims to have the data of 100 million users. Since everyone who has used Avast is at risk for having their data collected by Jumpshot, it’s safe to assume the number is closer to Avast’s user count.
Users Were Not Aware
Users of Avast’s products seem not to remember opting into Jumpshot, raising questions about the way permissions were phrased and creating suspicion around the circumstances under which people gave consent to Jumpshot. Many users who have discovered they were a part of Jumpshot claim to have had absolutely no idea that their browsing data was collected and sold to third parties.
This is not the first time Avast has found themselves in hot water for collecting user data with ambiguous consent. Wladimir Palant, a cybersecurity researcher best known for his role as the creator of the AdBlock Plus plugin, discovered that Avast’s browser plugin disguised as a security tool was stealing user data while it worked. Following this discovery, most major browsers removed anything published by Avast or its subsidiaries from their browser extensions list.
They Know Everything – Even Your Porn Search Terms
Although the leaked data was anonymized, it was troubling in both specificity and quantity. It cataloged every move users made online. It didn’t only show visits to YouTube – it showed which videos were watched and for how long. It also tracked detailed timestamps of users’ visits to porn sites, including what they typed into the search bar and what videos they watched.
Because all of the information is so highly specific, it would be easy for some users to be de-anonymized. Even though the data is sold without a name, anyone purchasing the data to target a specific individual might be able to easily discern what belongs to whom. Jumpshot collects this data using something called a “device ID”, which is hashed before the data is sent to a company. Jumpshot can identify you, but allegedly, the company cannot.
Major Companies Are Purchasing the Data
Evidence shows that Home Depot, Expedia, Google, L’Oreal, Yelp, TripAdvisor, Pepsico, Microsoft, and Keurig are among the list of clients who seem to be paying Jumpshot for your private data. Several companies, including Sephora and IBM, have been in talks with Jumpshot, although they deny becoming clients.
In Jumpshot’s own words, they sell “Every search. Every click. Every buy. On every site” with packages totaling upwards of $2 million per purchase.
The scope of data collection is so broad and overreaching that it can be difficult to discern exactly how and why some consumer brands intended to use Jumpshot’s findings. It is largely unknown why Pepsico, makers of soda and corn chips, want to know what porn people watch.
More Dangerous Than Just Jumpshot
Despite the entirely unacceptable and problematic nature of the work Jumpshot does is the way they do it. Since data is collected via a “device ID” and the capability to track all movements is inherent within Jumpshot, they pose a huge security risk. If Jumpshot were to become hacked or in some way compromised, users could easily find themselves blackmailed or hacked.
Get Rid of it Right Now
All users should immediately perform a thorough uninstallation of any and every Avast product they use. Windows users can click the start button, select control panel, select programs, select Avast (or AVG), and then select uninstall. This is a necessary step even if you don’t believe you’ve accidentally opted into Jumpshot, as the majority of Avast users seem not to recall having done so.
Stay Safe Online with Windows Defender
Windows Defender is good enough. There’s no reason to download a third party antivirus if you’re regularly using Windows Defender and an anti-malware program in conjunction with good, commonsense security practices. Always browse the internet through a VPN, only send sensitive information via an encrypted email, and read every single word of an agreement before you install anything. TorGuard does not sell any user data to any third party.