Google removes Avast and AVG extensions from Chrome web store over 'unnecessary' data collection

Google follows Opera and Firefox in removing Avast and AVG security extensions used by up to 400 million users

Google has followed Firefox and Opera and removed AVG and Avast extensions from its Chrome browser web store over claims that the security products' extensions exfiltrate an excessive level of user information.

AVG is a subsidiary of Avast and their respective browser extensions are essentially the same. Avast also owns a company called Jumpshot, which offers what it describes as a 'clickstream data' service. This enables its subscribers to "track what users searched for, how they interacted with a particular brand or product, and what they bought".

The action against Avast follows on from warnings by Adblock Plus creator Wladimir Palant that the extensions are "essentially spyware". He added that the data collected by Avast and its possible use by Jumpshot represented a violation of the terms that both Google and Mozilla require extension developers to sign.

Avast also owns a company called Jumpshot, which offers what it describes as a 'clickstream data' service

Opera was first off the mark, responding within a day to Palant's report, followed by Mozilla. Google, though, took the best part of the month before it, too, finally removed the extensions.

The problem, according to Palant, is the sheer volume and detail of data that the extensions exfiltrate to Avast, which effectively enables highly detailed profiles of users and their browsing habits to be built.

In a security deep-dive published at the end of October, he wrote that the extensions didn't just check whether a website might be malicious or not, but requested data from the browser when the user switched tabs and even sent information on every link displayed when users conduct searches on search engines.

"The data collected here goes far beyond merely exposing the sites that you visit and your search history.

"Tracking tab and window identifiers as well as your actions allows Avast to create a nearly precise reconstruction of your browsing behaviour: how many tabs do you have open, what websites do you visit and when, how much time do you spend reading/watching the contents, what do you click there and when do you switch to another tab. All that is connected to a number of attributes allowing Avast to recognize you reliably, even a unique user identifier.

Even if you didn't install Avast Online Security yourself, it doesn't mean that you aren't affected

"If you now think 'but they still don't know who I am' - think again. Even assuming that none of the website addresses you visited expose your identity directly, you likely have a social media account. There has been a number of publications showing that, given a browsing history, the corresponding social media account can be identified in most cases."

Furthermore, many users of Avast and AVG anti-virus software may be running the extensions without even knowing it.

"Even if you didn't install Avast Online Security yourself, it doesn't mean that you aren't affected. This isn't obvious but Avast Secure Browser has Avast Online Security installed by default. It is hidden from the extension listing and cannot be uninstalled by regular means, its functionality apparently considered an integral part of the browser," warned Palant.

Avast and AVG anti-virus products are run by some 400 million PC users, many of them taking advantage of the free versions. The products urge users to install the browser extensions for maximum security - but in many cases were installed automatically without users' knowledge or permission, Palant claimed.

Thinking of shifting from Google Chrome to something more exotic? Check out The Top-Ten Web Browsers You Probably Haven't Used