This week, an investigation by Motherboard and PC Mag revealed that security brand Avast was using its antivirus software to collect personal user data. The news came just weeks after it had stopped collecting information from its browser plug-in.
Avast has told us that it hasn't been harvesting information from its Secureline VPN product, although privacy-conscious Avast users are bound to feel cautious after this latest news.
Avast isn't alone in selling user data, but its methods are under scrutiny after this latest investigation. We explain what you need to know.
Avast Selling User Data via Jumpshot
The investigation, a joint probe by Motherboard and PC Mag, focused on leaks that the publications have obtained. These show that Avast has been selling its users' data to high-profile customers, such as Google, Yelp and Pepsi. The information – which Avast maintains is anonymous – has been harvested and repackaged for a subsidiary, Jumpshot, which it acquired in 2013. In a 2015 post on its site, Avast explained how the collected data is used and personal data removed:
“We provide Jumpshot with anonymized and aggregated data that we collect from scanning the 150 billion URLs our users visit each month. Using Jumpshot’s patent-pending algorithm, all of the personally identifiable information is removed from the data before it leaves Avast servers. Nothing can be used to identify or target individuals.”
While Avast claims that it has always been open with its users about the data collected – and offered opt-outs for those that didn't want their data harvested – it certainly ran into problems with major browser operators. A number of browsers removed the Avast plug-in from their services after news of the data collection started to filter through last October. Google, Mozilla and Opera all took the decision to remove the problematic plug-in from their stores.
While Avast has stated that it has stopped data collection via its browser plug-ins, it is still gathering information from the free version of its antivirus software, via an opt-in option. According to the leaked documents obtained by Motherboard and PC Mag, this data includes information such as the URLs visited by device, plus when and where the browsing happened. The data shows GPS locations, viewed YouTube videos, and even search terms entered on porn sites.
Is it Safe to Use Avast Secureline?
Avast Secureline is a VPN product from the same company. It promises – as all VPNs do – to keep your data private and hide your identity online. Many VPN users would be horrified at the thought of their data being collected in some way. It's a practice we've seen in free VPNs, but as Secureline is a paid-for product, users wouldn't expect to have their information recorded.
Secureline customers are no doubt concerned about the news of Avast collecting information, but we have seen no indication that the company is adopting the same practice with Secureline. All the information available has shown that while the browser plug-in and antivirus software have been used to collect information, nothing points to Secureline being included in this list. VPN products live and die by their ability to provide protection and privacy to paying customers, so it would be something of a misfire on Avast's part to risk this relationship through data collection.
Update: We reached out to Avast and asked for confirmation as to whether Secureline users were having their data collected. It told us that no data is ever taken from Secureline. An Avast spokesperson stated:
“In December 2019, we acted quickly to meet browser store standards and are now compliant with browser extension requirements for our online security extensions. At the same time, we completely discontinued the practice of using any data from the browser extensions for any other purpose than the core security engine, including sharing with our subsidiary Jumpshot.
We ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details. Users have always had the ability to opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020.
We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data for our core security products.”
How Can I Protect my Data?
In its coverage, Motherboard reached out to users of Avast antivirus software and found that many of them were unaware that their data was being collected. The story serves as a good reminder to be vigilant and check the permissions you have given to your software provider, to ensure you are happy with the information it is actively harvesting about you.
There are a lot of websites and software out there collecting your data, and there's a reason: money. A profile of you as an individual, with your likes, dislikes, spending habits and so on, is invaluable to companies with deep pockets.
To protect your identity, especially in the week that Data Privacy Day happens to land, it's worth taking a few minutes out of your day to double-check what you're giving away, even if you think your information is secure. So, check your profiles, remove the right to collect information or target you for advertising if you're not happy with it, and take back control of your online persona.