By Shannon Morse, ThreatWire 

Support me on alternative platforms! https://snubsie.com/support

Shop ThreatWire Merch! - https://snubsie.com/shop

https://www.youtube.com/shannonmorse --  subscribe to my new channel!

ThreatWire is only possible because of our Patreon patrons! https://www.patreon.com/threatwire 

Back in December, Avast and AVG’s Firefox extensions were removed from the Mozilla web store 12 hours after Mozilla announced new store policies that put these extensions in breach of compliance. This was due to Avast and AVG’s collection of user data, such as country code, browser type and version, and more. Each of these extensions does ask whether you want to opt in to the gathering of “non identifying data” that they claimed to be anonymized. This data would be aggregated if you opted in, or discarded if not.

But more details emerged last week about how Avast is actually using this opt-in data. A joint investigation by Motherboard and PC Mag showed how Avast, the company that owns the anti-virus software AVG, has been tracking what users do online, including which sites they click on, what they buy on certain online stores, and what they search for. All of the data was shared with an Avast subsidiary called Jumpshot, which would then sell that data to clients. Avast claimed that this data was anonymized.

According to the investigation, this anonymized data, like most anonymized data, could be traced back to the individual user. Avast states they have more than 435 million active users per month, and Jumpshot collected this data on 100 million individual devices and sold it to big brands and e-commerce providers such as Home Depot, Google, Microsoft, Pepsi, and McKinsey.

None of the data is connected to an IP address, email or name, but it is tied to a unique identifier, the device ID, which stays the same as long as the user has an Avast product installed. So, for example, if a user is clicking around an e-commerce website on a device with a unique device ID, that e-commerce website could be a client of Jumpshot, and it could work out who that device ID belongs to because it would know what the user clicked on, whether they bought anything, and what time it happened. The information from Jumpshot could be matched up with information the e-commerce website already had on hand to deanonymize the data. The device ID could then be used to find out what that user was doing outside of that e-commerce website by looking at all the other data points that Jumpshot collected. Now that e-commerce client of Jumpshot knows exactly who you are, along with what you do on the web when not shopping on their page. Creepy.
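The linkage described above can be measured on a data set before it is shared, which is how a privacy review would test a "de-identified" claim. The following is an added example, not part of the original post and not Avast or Jumpshot code; all records, account names and the per-site pseudonym scheme are constructed for illustration.

```python
import hmac, hashlib
from collections import defaultdict

# Constructed de-identified feed: (device_id, url, unix_time). No name, e-mail or IP.
VENDOR_FEED = [
    ("dev-A", "shop.example/checkout", 1000),
    ("dev-A", "news.example/politics", 1300),
    ("dev-A", "health.example/symptoms", 1900),
    ("dev-B", "shop.example/checkout", 5000),
    ("dev-B", "video.example/watch", 5200),
    ("dev-C", "news.example/sports", 7000),
]
# Constructed first-party log the shop already holds: (account, url, unix_time).
SHOP_LOG = [
    ("alice", "shop.example/checkout", 1001),
    ("bob", "shop.example/checkout", 5002),
]

def link_devices(feed, first_party, tolerance=5):
    """device_id -> account, when exactly one account matches on URL and time."""
    hits = defaultdict(set)
    for device, url, ts in feed:
        for account, f_url, f_ts in first_party:
            if url == f_url and abs(ts - f_ts) <= tolerance:
                hits[device].add(account)
    return {d: next(iter(a)) for d, a in hits.items() if len(a) == 1}

def exposed_history(feed, links, own_site="shop.example"):
    """Off-site URLs the feed reveals for each account that could be linked."""
    out = defaultdict(list)
    for device, url, _ in feed:
        if device in links and not url.startswith(own_site + "/"):
            out[links[device]].append(url)
    return dict(out)

def per_site_ids(feed, key=b"constructed-key"):
    """Mitigation sketch: a different pseudonym for every (device, site) pair."""
    out = []
    for device, url, ts in feed:
        site = url.split("/", 1)[0]
        tag = hmac.new(key, f"{device}|{site}".encode(), hashlib.sha256).hexdigest()
        out.append((tag[:12], url, ts))
    return out

if __name__ == "__main__":
    links = link_devices(VENDOR_FEED, SHOP_LOG)
    print("persistent ID:", exposed_history(VENDOR_FEED, links))
    scoped = per_site_ids(VENDOR_FEED)
    print("per-site ID:  ", exposed_history(scoped, link_devices(scoped, SHOP_LOG)))
```

With the persistent device ID, one matching checkout event exposes the rest of that device's browsing; with per-site pseudonyms the same match reveals nothing beyond the shop's own pages.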

Some have argued that Avast is offering a free antivirus product, and the data collection is an optional checkmark upon install that does require opting in. The company told PC Mag: "Users have always had the ability to opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our antivirus, and we are now also prompting our existing free users to make an explicit choice, a process which will be completed in February 2020."

The opt-in includes a green I AGREE button or a blue NO THANKS button, against a blue background. They don’t inform users that the data could be retained for three years, but they do say it’s de-identified and aggregated, and that Jumpshot could sell the data to customers. I would like to comment that any data collection could be cross-compiled with other collections from Jumpshot competitors, creating a much wider net of data points that could eventually be linked back to a user. The opt-in is vague, and the green button uses human psychology to make a person think that’s the right button to click.

The public scrutiny of Avast prompted Senator Ron Wyden to tweet that he’s looking into this, and eventually Avast publicly stated that they are shutting down Jumpshot effective immediately. A message from the CEO of Avast states that they have decided to terminate the Jumpshot data collection and wind down Jumpshot’s operations with immediate effect. He also mentions that the brand is committed to 100% compliance with GDPR. Avast will also be buying back a percentage of the stake held by other stakeholders in the company.

Links:

https://www.pcmag.com/news/mozilla-removes-avast-and-avg-firefox-extensions

https://www.pcmag.com/news/the-cost-of-avasts-free-antivirus-companies-can-spy-on-your-clicks

https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation

https://www.theverge.com/2020/1/27/21083809/avast-avg-jumpshot-antivirus-data-tracking-all-clicks

https://twitter.com/RonWyden/status/1204494997560680450

https://blog.avast.com/a-message-from-ceo-ondrej-vlcek 

https://www.pcmag.com/news/avast-to-end-browser-data-harvesting-terminates-jumpshot
