Avast subsidiary Jumpshot sells every click on antivirus users' PCs

Avast is embroiled in new claims that it spies on users and sells their web browsing data

Avast is selling users' web-browsing clicks, with the data acquired directly via the company's Avast and AVG antivirus software brands.

The claims come just a month after Google, Firefox and Opera removed Avast and AVG browser extensions from their respective stores amid claims that the extensions were exfiltrating an alarming level of user information. This followed an October 2019 blog posting by security specialist Wladimir Palant revealing the extent of the activities.

The organisations relented, however, after the company reduced the amount of data transmitted by the browser security extensions.

At the time, Avast acknowledged that it needed to "be more transparent about what data is necessary for our security products to work".

However, an investigation by Vice and PCMag indicates that the company has simply shifted its data exfiltration from browser extensions to its anti-virus software.

They claim that leaked documents and other information they have obtained show that the company is transmitting detailed information about users' web browsing habits, including Google searches, LinkedIn activity and even details of visits to porn sites, such as PornHub, via Avast and AVG antivirus software instead.

While the data is anonymised, with the removal of information that might directly link data to individuals, security specialists suggest it would not be difficult to re-link browsing habits with individual users' given the volume of information taken, especially if it is cross-referenced with other databases of information.

After the browser extension controversy, claimed Vice, the company pushed out new opt-in consents for data collection to users of its free anti-virus software packages. It claims around 400 million users worldwide, many of them using the free versions of the anti-virus software.

If they opt-in, that device becomes part of the Jumpshot Panel and all browser-based internet activity will be reported to Jumpshot

Internal documents seen by Vice make it clear exactly what users will be consenting to: "If they opt-in, that device becomes part of the Jumpshot Panel and all browser-based internet activity will be reported to Jumpshot… What URLs did these devices visit, in what order and when?"

But many users say that they have not seen such a consent pop-up yet, adding that they were unaware that Avast was effectively selling their personal data to all-comers.

Indeed, as Vice pointed out, Jumpshot advertises to clients that it "delivers digital intelligence from within the internet's most valuable walled gardens" - "every search. Every click. Every buy. On every site".

According to Vice's sources, "Jumpshot's data could show how someone with Avast antivirus installed on their computer searched for a product on Google, clicked on a link that went to Amazon, and then maybe added an item to their cart on a different website, before finally buying a product."

Jumpshot clients have included Google, Expedia, Microsoft, Pepsi and McKinsey, and last July Avast sold a 35 per cent stake in Jumpshot to Ascential, the self-styled ‘global information company'. Jumpshot describes itself as "the only company that unlocks walled garden data".

Avast acquired AVG for $1.3 billion in July 2016.

Before that acquisition, AVG had also scooped up a VPN company called Privax, while Avast acquired Piriform, the company behind the popular CCleaner app, in July 2017.

Piriform has also been at the centre of a security scare when a developer's workstation was hacked and a compromised build of CCleaner was pushed out to users. The company was also forced, in August 2018, to deny that CCleaner's Active Monitoring feature, which can't be turned off, was spying on users.