UPDATED 20:44 EDT / JANUARY 27 2020

SECURITY

Cybersecurity firm Avast reportedly selling browsing data that can be linked to individuals

Czech cybersecurity firm Avast Software s.r.o., the owner of popular free products such as AVG and Avast Antivirus, is reported to be selling web browsing data that can be linked to individual users via a subsidiary called Jumpshot.

A joint investigation from PCMag and Motherboard uncovered the practice. Although Avast has previously claimed that the data sold has been “de-identified” and hence can’t be used to personally identify users, the investigation found that the anonymized data can be linked to individual users by matching user actions.

The data in question is never directly linked to a name, email or IP address but is assigned an identifier linked to the given Avast user. The data itself is granular down to the individual clicks users are making during their browsing sessions and even the time down to the millisecond, and that’s where the issue arises.

In one example, a single instance includes someone making a purchase on Amazon.com, including the exact time they hit add to cart including the specific product. Although that doesn’t directly expose the identity of the user, Amazon could use the details to identify the user based on their own records. Having done so, it would then have access to all the user’s browsing information because each user is given an identifier.

“Most of the threats posed by de-anonymization — where you are identifying people — comes from the ability to merge the information with other data,” privacy researcher Gunes Acar told PCMag. “Maybe the [Jumpshot] data itself is not identifying people, maybe it’s just a list of hashed user IDs and some URLs. But it can always be combined with other data from other marketers, other advertisers, who can basically arrive at the real identity.”

Who is buying the data is where the story becomes more interesting. “Past, present and potential clients” are said to include Google Inc., Yelp Inc., Microsoft Corp., McKinsey & Co., PepsiCo Inc., Home Depot Inc., Condé Nast Inc., Intuit Inc. and many others.

In response to the report, Avast said that Jumpshot does not acquire “personal identification information, including name, email address or contact details” and that users have the option to opt out of sharing data.

“As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020,” the company added.

Image: Avast

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU