This weekend marked the final chapter (perhaps!) in the Jumpshot, with the United States Federal Trade Commission fining antivirus vendor Avast a seemingly chunky US$16.5 million for harvesting customer data without proper consent.
Avast was not only harvesting customer data through its antivirus and web browser extensions, but on-selling it to big conglomerates like Microsoft, Intel and Pepsi, earning tens of millions of dollars in the process through the security vendor’s Jumpshot subsidiary.
It seems to have been a good business, with over 100 third-parties buying the data.
Harvesting customer data might be controversial, but it is also very common, so what’s the big deal with Avast here?
For starters, the FTC says in its recent complaint that customers were not informed properly of the data harvesting; again, that’s not unusual, but you have to think of where security software sits in a computer system, which is in a very privileged position.
Without that privileged position, antiviruses and security software may miss threats that could lead to a computer becoming compromised.
The flipside is that users have to trust the security vendor as the software will have pretty much full system access, and can read personally sensitive and identifiable information.
Texas-based Jumpshot was in the PC optimisation business, with the software said to clean out “junk files” from users’ computers to boost performance.
The Czech security vendor bought Jumpshot in 2013, rebranding the US company as a data analytics firm.
Avast itself is a big name in the information security business. Another well-known security software vendor, NortonLifelock, bought Avast in 2021 for US$8.6 billion and become a merged entity called Gen Digital.
It has over 435 million active users, so it’s not surprising perhaps that the amount of data gathered was massive:
“Through the entire period that Jumpshot received browsing information from Avast, Jumpshot never deleted any of the data. By January 2020, Jumpshot had more than eight petabytes of browsing information dating back to 2014,” the FTC says in its complaint.
One petabyte is the 1024 terabytes, or a million gigabytes, so that’s quite a bit of “browsing information” that Jumpshot captured and kept.
The captured data was said to be anonymised, with identifying information being removed before it was onsold. However, the FTC says this is not what happened. Instead, the data feeds included unique identifiers for each web browser that information was collected from.
This “... could include every website visited, precise timestamps, type of device and browser, and the city, state and country,” the FTC says.
The original 2020 investigative report on Avast and Jumpshot by security journalist Joseph Cox showed that the data collected was indeed sensitive, and included location lookups and Google Maps GPS coordinates.
When the privacy scandal broke in 2020, with a US Senator getting involved as well, Avast chief executive Ondrej Vlcek had to issue a public apology and promised to put an end to the data gathering as well. The company’s share price cratered as a result of the scandal.
That wasn’t the end of it. The FTC has now issued a proposed order that’ll prohibit Avast from selling or licensing any browsing data from its products, to third parties for advertising purposes.
Jumpshot collected data on web browsing must also be deleted. Furthemore, Avast will have to tell customers whose browsing data was sold to third parties without their consent that the FTC has taken action against the security vendor.
More pain to come for Avast in other words, and the case shows the risk of collecting and keeping customer data, as government privacy watchdogs in Europe and the United States really do have a mandate to go after companies not doing it properly.
On the other hand, did the FTC go far enough taking Avast to task for breaching its users’ privacy?
The US$16.5 million fine seems small compared to the reported data collection earnings of US$180 million for Avast. Also, this is a company that was valued at more than US$8 billion in 2021.
Although browser vendors acted quickly and removed Avast extensions because of the excessive data collection, it didn’t take long for them to be back in various web stores.
Time will tell if FTC’s action against Avast, and other similar cases, will serve as a deterrent for companies tempted to play fast and loose user privacy.
6 Comments
I think you may have demonstrated Betteridges law... https://en.m.wikipedia.org/wiki/Betteridge%27s_law_of_headlines
As a longtime Avast user who has just heard about this, I'll not be renewing my subscription. Trust is the most important asset a security company can have. With a breach of trust like that, who can say whether their VPN actually works, or whether the passwords in their password vault are secure? Did the "data shred" I do shred the data, or pass it on first?
Bye bye Avast. I thought it was good while it lasted.
Future tech story idea: trusted internet security firms? It would be nice to get one that isn't sponsored or from a random internet search. Fun fact: Interest.co.nz is my most trusted source of news.
We welcome your comments below. If you are not already registered, please register to comment.
Remember we welcome robust, respectful and insightful debate. We don't welcome abusive or defamatory comments and will de-register those repeatedly making such comments. Our current comment policy is here.