Avast's antivirus app sells "every search," "every click," "every purchase on every site you visit." Buyers include Home Depot, Google, Microsoft, Pepsi, and McKinsey.
(published with abbreviations)
Used by hundreds of millions of people around the world, an antivirus program sells personal web browsing data to many of the largest companies in the world. This is evidenced by a joint investigation by the portals Motherboard and PCMag. The material is based on "leaked" company documents that prove that the company that owns the antivirus is selling highly confidential data.
The documents, owned by Jumpshot, a subsidiary of antivirus giant Avast, shed new light on the hidden history of selling personal Internet data. Avast antivirus installed on a person's computer collects data, and Jumpshot “repackages” it into various products, which are then sold to many of the largest companies in the world. The shopping list includes giants such as Google, Yelp, Microsoft, McKinsey, Pepsi, Home Depot, Condé Nast, Intuit and many more. Some customers have paid millions of dollars for products that include a so-called “all-click channel,” which can track user behavior, clicks, and website navigation with high accuracy.
Avast claims to have over 435 million monthly active users and Jumpshot collects data from 100 million devices. Avast collects user data and then submits it to Jumpshot, but several Avast users told Motherboard that they were unaware of their data being shared with third parties.
According to Motherboard and PCMag, this personal data included Google searches, Google Maps location and GPS coordinates, LinkedIn pages, private YouTube videos, and information about visited porn sites. Using the collected data pool, it is possible to determine when an anonymous user has visited YouPorn and PornHub, and in some cases even searches and specific videos watched.
Although the datasets do not include personal information such as usernames, they still contain a lot of specific data, and experts say that it is not that difficult to deanonymize a particular person using them.
In a press release issued in July, Jumpshot claims to be "the only company to reveal a number of secrets," and is committed to "providing marketers with a deeper understanding of customer online activity." "They are very detailed and of great interest to buyers because they are at the level of the device with a time stamp," commented Motherboard's source, citing the specifics and sensitivity of the data being sold.
Promotional video:
Until recently, Avast collected traffic data from customers who installed a browser plug-in developed by the company to alert users to suspicious websites. Security researcher and creator of AdBlock Plus, Vladimir Palant, posted a blog post in October claiming that Avast collects user data using the plugin. Shortly thereafter, the browser makers Mozilla, Opera and Google removed the Avast extensions from their respective stores. Avast previously explained this data collection and sharing in a blog and forum post in 2015. Since then, Avast has allegedly stopped sending browsing data collected by these extensions.
However, data collection continues, the source and documents indicate. Instead of collecting information using software connected to the browser, Avast does it using the antivirus itself. Last week, months after it was discovered using its browser extensions to send data to Jumpshot, Avast began asking its antivirus customers to allow data collection. “If the users agree, the device starts recording all of the customer's online activity,” says the internal product manual.
Motherboard and PCMag contacted more than two dozen companies mentioned in internal filings. Few answered questions about what they do with data based on the browsing history of Avast users.
“We sometimes use information from third-party providers to help improve our business, products and services. We require that these suppliers have the appropriate rights to provide this information to us. In this case, we receive anonymous audience data that cannot be used to identify individual customers,”said a spokesman for Home Depot via email.
Microsoft declined to comment on the specifics of acquiring products from Jumpshot, but said it did not have an ongoing relationship with the company. A Yelp spokesperson wrote in an email: “In 2018, as part of an antitrust request for information, the Yelp team was asked to assess Google's impact on the local search engine market. Jumpshot was used at a time."
Southwest Airlines said it has discussed a partnership with Jumpshot but has not reached an agreement with the company. IBM said it did not work with Jumpshot, and Altria said it didn’t work with Jumpshot now, although it did not indicate if it did so before. Sephora stated that this does not work with Jumpshot. Google did not respond to a request for comment.
On its website and in press releases, Jumpshot names Pepsi as well as consulting giants Bain & Company and McKinsey as clients.
In addition to Expedia, Intuit and Loreal, other companies not yet featured in Jumpshot's public announcements include the coffee company Keurig, YouTube vidIQ, and Hitwise, a consumer research firm. None of these companies responded to a request for comment.
On its website, Jumpshot lists some of the previous use cases for its data. For example, Condé Nast used Jumpshot products to see if a media company's ad led to purchases on Amazon and elsewhere. Condé Nast did not respond to a request for comment.
Jumpshot sells various products based on data collected by Avast antivirus software installed on users' computers. Customers in the institutional finance sector often buy channels from 10,000 domains that Avast users visit to try to spot trends, the product guide says.
Another Jumpshot product is the so called "All Click Feed". This allows the customer to buy information on all the clicks Jumpshot has seen on a specific domain such as Amazon.com, Walmart.com, Target.com, BestBuy.com, or Ebay.com.
In a tweet posted last month with the goal of attracting new customers, Jumpshot noted that he collects “Every search. Every click. Information about each purchase on each site."
Jumpshot data may show someone with Avast installed on their computer googling for a product, clicking on a link that led to Amazon, and then possibly adding the item to their cart on another website before finally, buy a product.
One of the companies that acquired All Clicks is New York-based marketing firm Omnicom Media Group. Under the contract, Omnicom paid Jumpshot $ 2,075,000 for data access in 2019. The deal also included another product called Insight Feed for 20 different domains. Data charges in 2020 and then in 2021 are indicated at $ 2,225,000 and $ 2,275,000, respectively, the document says.
Jumpshot gave Omnicom access to all click channels from 14 different countries around the world, including the United States, England, Canada, Australia and New Zealand. The product also includes the intended gender of users "based on browsing behavior", their estimated age and "entire URL string", but with personally identifiable information (PII) removed.
Omnicom did not respond to several requests for comment.
By contract, each user's “device ID” is hashed, which means that the company buying the data doesn't have to be able to determine who exactly is behind each view. Instead, Jumpshot products are supposed to help companies understand which products are particularly popular or how effective an advertising campaign is.
But Jumpshot data cannot be completely anonymous. The internal product manual states that device IDs do not change for each user "unless the user completely uninstalls and reinstalls the security software." Numerous articles and scientific studies have shown that it is quite possible to expose people using so-called anonymous data. In 2006, New York Times reporters were able to identify a specific person from a cache of supposedly anonymous search data that AOL publicly released. While the verified data was more focused on social media links that Jumpshot edited, a 2017 study at Stanford University found that it was possible to identify people from anonymous data online.
Motherboard and PCMag asked Avast a number of detailed questions about how it protects users' anonymity, and also requested details on some of the company's contracts. Avast did not answer most of the questions, but issued a statement: "Through our approach, we ensure that Jumpshot does not receive personally identifiable information, including the name, email address or contact details of people using our popular free antivirus software."
“Users have always had the option to opt out of communicating with Jumpshot. As of July 2019, we have already started implementing explicit choices for all new downloads of our antivirus, and we are now also requesting consent from our existing free users - a process that will be completed in February 2020,”an Avast spokesman said, adding that the company complies with California Consumer Protection Act (CCPA) and General European Data Protection Regulation (GDPR) for its entire global user base.
“We have a long history of protecting user devices and data from malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data,” the statement said.
When a PCMag journalist first installed Avast's antivirus product this month, the program asked if he wanted to participate in the data collection.
“If you please, we will provide our subsidiary Jumpshot Inc. a dedicated and de-identified dataset derived from your browsing history so that Jumpshot can analyze markets and business trends and collect other valuable insights,”the message says. However, the pop-up did not detail exactly how Jumpshot uses this data.
“The information is completely de-identified and aggregated, it cannot be used for personal identification. Jumpshot can share aggregated information with its customers,”added a popup.
Update: Following the release of this investigation, Avast announced that it is suspending data collection using Jumpshot.
By Joseph Cox