Avast is a name that inevitably comes up when discussing free antivirus software, and with good reason—the company claims it has over 435 million users, making it one of the most popular AV options around. Avast's reputation is under fire, however, following a joint investigation by Motherboard and PCMag into the extent to which it sells opt-in user data to third parties.
According to the reports, leaked documents highlight the "secretive sale" of internet browsing histories and activities to a subsidiary called Jumpshot. That information is then packaged and sold, with Google, Yelp, Microsoft, Pepsi, Home Depot, and others among some of the bigger past, present, and potential clients. In some cases, clients paid millions of dollars for an "all clicks feed," which includes website tracking data, clicks, and detailed accounts of movement across sites, according to the report.
This only happens when users who install the free antivirus software opt into having their data collected. The data is also anonymized, so it does not include names, email addresses, or IP addresses (though each history is assigned a device ID). So, what's the big deal?
The reports take issue with the level of data collection, how private it really is, and to what extent users are aware that their browsing habits are being sold if they opt in.
Motherboard says it viewed data that included Google searches, GPS coordinates, people visiting LinkedIn pages, YouTube histories, and porn site visits. The site also said it is possible to know the dates and times of particular visits to websites, and which specific videos users watched on, say, PornHub. Moreover, "experts" told Motherboard it would be possible to de-anonymize the data in some cases.
According to Motherboard, several people it spoke with did not know Avast was selling data.
"I was not aware of this," a user of the free Avast antivirus software told Motherboard. "That sounds scary. I usually say no to data tracking."
Incidentally, several browser makers (Google, Opera, and Mozilla) recently removed extensions from Avast and its AVG subsidiary after a report surfaced saying the company was using the extensions to harvest user data. Apparently that is when Avast shifted to asking users of its free antivirus program to opt into data collection, according to the report.
"Because of our approach, we ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details, from people using our popular free antivirus software," Avast said in a statement.
"Users have always had the ability to opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an explicit choice, a process which will be completed in February 2020," Avast added.
The lesson for us is an old one: If you don't have to pay for commercial software, then it's likely that the customer is someone other than you—possibly someone who wants your data. Always read the fine print before opting in to anything. It may not go into the type of detail that these reports do, but err on the side of caution.