Is your Antivirus Selling Your Personal Data?

Antivirus programs are an essential part of staying safe while browsing. But these programs may be responsible for harvesting every click and purchase you make for profit. An Avast subsidiary recently revealed how it brokered and sold user data to clients like Microsoft, Pepsi, and more.

Is your antivirus software spying on you?

Users of Avast antivirus were spied on for years, with their data harvested and sold to the highest bidder. Leaked documents reveal a subsidiary of Avast – called Jumpshot – is responsible for the leak of user browser histories.

Once Avast was installed on a computer, it collected data to be repackaged and sold. Bidders on that data include some of the biggest tech corporations across the globe. Microsoft, Yelp, Pepsi, and many other clients paid millions to access this data.

The data was assembled into an “All Clicks Feed,” which tracks user behavior, clicks, and movement across websites in accurate detail. That feed allowed clients to buy information on all clicks Jumpshot saw from a user on domains like Amazon.com.

Before it shut down, Jumpshot estimated it had data from 100 million devices. Those devices include PC and smartphones.

Avast collected the browsing data of customers who installed the company’s browser plugin. Avast told users the browser plugin’s purpose was to warn users of suspicious sites and phishing attacks. But soon after its browser extension drew criticism, Avast began an opt-in data collection scheme from its antivirus software.

What Information Are They Collecting?

The data collected by Avast is supposed to be anonymized. However, that isn’t enough to protect user privacy in most cases. Initial reports on the leak say Google searches, GPS coordinates on Google Maps, LinkedIn pages, and YouTube videos were all collected.

Researchers looking into the massive data collection scheme could determine what data and time anonymized users were visiting porn sites. In some cases, they could see the names of specific videos users watched.

The data doesn’t include personal information like names, but that doesn’t matter. Researchers say it could be possible to de-anonymize the data from specific users with additional information.

Any device that opted-in to Avast’s data collection scheme reported all browser-based internet activity to Jumpshot. URLs visited, in what order, and what date are all questions that can be answered with the data. That information can be used to de-anonymize data and spot patterns among internet users.

Why Data Privacy Is Important

Even if huge amounts of data like browsing history are anonymized and sold, it is easy to de-anonymize. One of the biggest threats to anonymized data on the internet is merging information with other data collected from leaks and hacks.

Jumpshot data could be combined with ISP information to identify customers directly. That information could be used to connect search terms, purchases, and more to a specific person. Experts say even de-anonymizing data isn’t enough – it shouldn’t be gathered and sold in the first place.

Antivirus Alternatives

Sick of having to worry about whether or not your data is safe? There’s good news if you’re a Windows user. Windows Defender is built-in Windows 10 and offers antivirus protection that doesn’t sell your data.

Malwarebytes Premium is a third-party antivirus solution for both Windows and Mac users. It can be used in conjunction with Windows Defender to catch additional threats. It does not attempt to install unwanted add-ons like browser extensions, either.