Avast to End Browser Data Harvesting, Terminates Jumpshot

‘As CEO of Avast, I feel personally responsible and I would like to apologize to all concerned,’ wrote Ondrej Vlcek following a PCMag-Motherboard investigation into the privacy risks around the data harvesting.

By Michael Kan

Avast will no longer sell users ‘ browser histories to third-party companies, the antivirus vendor said, following a PCMag-Motherboard investigation into the privacy risks around the data collection.

Late on Wednesday, Avast CEO Ondrej Vlcek announced his company plans to shut down operations at Jumpshot, the subsidiary in charge of selling the browser history data. “As CEO of Avast, I feel personally responsible and I would like to apologize to all concerned,” he said in a statement.

The popular antivirus vendor previously claimed it could “de-identify” people’s personal data from the browser history collection, thus preserving the user’s privacy. However, the investigation from PCMag and Motherboard found the contrary: the data that Jumpshot was selling to big brands and market research companies could be analyzed to easily link the website clicks to a specific Avast user, exposing a person’s internet activities.

The news has shaken consumer trust in the antivirus vendor, which serves 435 million users across the globe. Vlcek said he concluded the data harvesting “was not in line” with the company’s privacy priorities.

“Protecting people is Avast’s top priority and must be embedded in everything we do in our business and in our products. Anything to the contrary is unacceptable,” he said. “For these reasons, I-together with our board of directors-have decided to terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect.”

In an investors’ call, Avast executives said the Jumpshot data collection will cease immediately. They also claimed the antivirus vendor had been considering shutting down the operation for months now.

Back in October, the security researcher Wladimir Palant initially raised the privacy alarms about the data harvesting when he noticed Avast’s browser extensions for Chrome, Firefox and Opera were collecting the browser histories from people’s computers. The findings prompted the major browsers to temporarily remove the extensions until Avast implemented new privacy protections.

Despite the change, Avast was still managing to collect the browser histories through the company’s free antivirus software for desktop and mobile. As many as 100 million devices were pulled into the data collection, which was also harvesting people’s internet searches.

In an email on Thursday, Palant told PCMag the whole practice smacked of “gross negligence.” He was able to obtain an apparent sample of the data Jumpshot was selling to clients. The sold data includes URLs Avast users were visiting, but in many cases Avast’s “de-identification” process failed to strip away people’s personal information from the links, such as email addresses.

“From the look of it, nobody ever bothered verifying that their approach is even remotely working -or somebody did but they simply didn’t care,” Palant said.

Avast has declined to answer questions on how the antivirus vendor “de-identifies” the collected browser histories. But the company maintains the data collection was legal, and compliant with Europe’s GDPR regulations.

Although Jumpshot’s shutdown will affect more than 200 employees at the company subsidiary, Vlcek said the termination of the data harvesting is “absolutely the right thing to do.”

“I firmly believe it will help Avast focus on and unlock its full potential to deliver on its promise of security and privacy,” Vlcek added. “And I especially thank our users, whose recent feedback accelerated our decision to take quick action.”

The company last year sold a 35 percent stake in Jumpshot to a marketing company called Ascential. However, Avast has bought back the stake, and plans on winding down the operations later this year once it resolves all the employment and partnership issues. According to Jumpshot’s marketing, the company’s clients have included Google, Pepsi, Unilever, marketing firm Omnicom Media Group, and consulting firm McKinsey & Company, among others.

Avast executives added the company doesn’t expect to face any legal action from the data harvesting.

In response to the news, US Senator Ron Wyden (D-Oregon) told Motherboard: “Avast’s past practice of marrying antivirus software with the secret mining of consumers’ data was a terrible move. But the decision today to shutter its data broker subsidiary is a model for how companies should respond to criticism of privacy abuses. To stop future abuses, Congress needs to pass my bill to hold companies and their CEOs accountable for abusing Americans’ personal information.”

Editor’s Note: This story has been updated with more details from Avast’s call with investors, and comment from Senator Wyden.

Originally published at https://www.pcmag.com.