Avast promised to shield your privacy, protect your data, and block annoying trackers. Now, the company has been ordered to pay $16.5 million after being charged with the sale of private sensitive customer data to more than 100 third parties.
The US Federal Trade Commission (FTC) filed a complaint against Avast Limited, Avast Software, and Jumpshot. The FTC alleges that the popular security software vendor engaged in the unfair collection of consumers’ browsing information through browser extensions and antivirus software, storing it indefinitely and selling it without providing adequate notice and without consumer consent.
The complaint alleges that Avast also deceived users by claiming that the software would protect consumers’ privacy by blocking third-party tracking and did not adequately inform consumers that their detailed and re-identifiable browsing data would be sold.
https://twitter.com/FTC/status/1760699118941347875
The US regulator said that from 2014 to 2020, Avast sold user data through its subsidiary, Jumpshot, to more than 100 third parties, including data brokers and advertising, marketing, and data analytics companies.
Avast agreed to settle the case with the FTC. According to the proposed order, the company will pay $16.5 million and will be prohibited from selling or licensing any web browsing data for advertising purposes.
Avast will also be required to delete web browsing information transferred to Jumpshot and any products or algorithms that Jumpshot derived from that data, notify the affected customers, and implement a comprehensive privacy program.
“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”
What data did Avast collect and sell?
Since at least 2014, Avast has been collecting consumers’ browsing information through browser extensions, which can modify or extend the functionality of consumers’ web browsers, and through antivirus software installed on consumers’ computers and mobile devices. That includes the Avast Extensions, the Avast Secure Browser, Avast Mobile Software, and Avast Desktop Software.
This browsing data included information about users’ web searches and the web pages they visited – revealing consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content, and other sensitive information.
In 2013, Avast bought Jumpshot, a competitor antivirus software provider, which then was rebranded as an analytics company. From 2014 to 2020, Jumpshot allegedly sold browsing information that Avast had collected from consumers.
“Many of the Jumpshot products (or ‘data feeds’) provided third-party data buyers with extraordinary detail regarding how consumers navigated the Internet, including each webpage visited, precise timestamp, the type of device and browser, and the city, state, and country. Most of the data feeds included a unique and persistent device identifier associated with each particular browser, allowing Jumpshot and the third-party buyer to trace individuals across multiple domains over time,” the complaint reads.
The FTC discovered that Avast used a proprietary algorithm to remove identifying information before selling the data to its clients. However, the process was not sufficient to anonymize consumers’ browsing information.
“For example, its data feeds included a unique identifier for each web browser it collected information from and could include every website visited, precise timestamps, type of device and browser, and the city, state, and country,” the press release reads.
How did Avast allegedly deceive customers?
“Not only did Avast fail to inform consumers that it collected and sold their browsing data, the company claimed that its products would decrease tracking on the Internet,” the FTC said.
For example, when users searched for Avast’s browser extensions, they were told Avast would “block annoying tracking cookies that collect data on your browsing activities,” would “protect your privacy by preventing . . . web services from tracking your online activity” and promised that its desktop software would “shield your privacy. Stop anyone and everyone from getting to your computer.”
When Avast described its data-sharing practices, Avast falsely claimed it would only transfer consumers’ personal information in aggregate and anonymous form, according to the complaint.
“The company failed to prohibit some of its data buyers from re-identifying Avast users based on data that Jumpshot provided. And, even where Avast’s contracts included such prohibitions, the contracts were worded in a way that enabled data buyers to associate non-personally identifiable information with Avast users’ browsing information,” the FTC says.
The FTC gave an example showing that some of Jumpshot’s products were designed to enable user tracking, or even to associate browsing histories with other information from third parties.
Jumpshot entered into a contract with Omnicom, an advertising conglomerate, which stated that Jumpshot would provide Omnicom with an “All Clicks Feed” for 50% of its customers in the United States, United Kingdom, Mexico, Australia, Canada, and Germany. Omnicom was permitted to associate Avast’s data with data brokers’ sources of data on an individual user basis.
“Jumpshot earned tens of millions in gross revenues by selling user data collected by the Avast Software, and insights derived from such data, to its customers,” the FTC’s complaint reads.
Avast agrees to settle but disagrees with the allegations
The FTC plans on publishing a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication.
After that, the regulator will decide whether to make the proposed consent order final.
The Commission voted 3-0 to issue the administrative complaint and to accept the proposed consent agreement.
According to the proposed order, Avast “neither admits nor denies any of the allegations in the Complaint.”
“FTC’s action against Avast makes clear that browsing data is sensitive, and firms that sell this data could be violating the law. We also secured $16.5 million in relief – the highest monetary remedy in a de novo privacy violation case,” Lina Khan, Chairperson of the FTC, posted on X. “We’ll continue to use all our tools to protect Americans from invasive tracking.”
https://twitter.com/linakhanFTC/status/1760764654773748114
Avast told Cybernews it has reached a settlement with the FTC to resolve its investigation “of Avast’s past provision of customer data to its Jumpshot subsidiary that Avast voluntarily closed in January of 2020.”
“While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world,” Avast said. “We are committed to our mission of protecting and empowering people’s digital lives.”