Share this article on:
Antivirus firm Avast promised to protect customers from online tracking – then tracked their data and sold it anyway.
The US Federal Trade Commission (FTC) has taken antivirus and privacy software maker Avast to task over broken promises to protect user privacy.
The FTC claimed in a complaint that despite promising that Avast products would protect its customers’ privacy, Avast did exactly the opposite, collecting and selling a vast amount of reidentifiable data through its Jumpshot subsidiary.
“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection, in a statement. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”
Despite disagreeing with the FTC’s allegations, Avast has said it will not only pay US16.5 million in compensation but will also be banned from selling or licensing any customer browsing data in the future.
“While we disagree with the FTC’s allegations and characterisation of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world,” a spokesperson for Avast’s owner, Gen Digital, said in a widely reported statement.
What is Jumpshot?
Avast acquired Jumpshot in 2014 when it was still a rival antivirus company. Avast rebranded its new acquisition as an analytics company, and then – between 2014 and 2020 – Jumpshot sold data that was collected from Avast’s customers.
“The company claimed it used a special algorithm to remove identifying information before transferring the data to its clients,” the FTC alleged. “The FTC, however, says the company failed to sufficiently anonymise consumers’ browsing information that it sold in non-aggregate form through various products. For example, its data feeds included a unique identifier for each web browser it collected information from and could include every website visited, precise timestamps, type of device and browser, and the city, state, and country.”
Further, the FTC alleges Jumpshot failed to prevent some of its customers from reidentifying the Avast user data. Worse, several Jumpshot products were actually designed to allow the tracking of specific customers.
In a specific case, Jumpshot worked with marketing giant Omnicom to create an “All Clicks Feed” for half of its customers in a number of countries, including Australia, the US, and the UK.
“According to the contract,” the FTC said, “Omnicom was permitted to associate Avast’s data with data brokers’ sources of data, on an individual user basis”.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.