Avast-owned firm shut down after data-harvesting controversy

31 Jan 2020

Image: © sharafmaksumov/Stock.adobe.com

Avast is shutting down its subsidiary Jumpshot after an investigation by Motherboard and PCMag claimed it sold detailed user information to companies including Google and Amazon.

Earlier this week, a joint investigation by Vice Motherboard and PCMag revealed how antivirus software company Avast, which also runs AVG antivirus, was tracking its users online activity and keeping detailed information on their actions, across websites including PornHub and Amazon.

This information was sent to Avast subsidiary Jumpshot, which reportedly offered to sell that data to clients. While Avast said that the data could not be traced back to individuals, Motherboard and PCMag reported that it still included a wealth of specific browsing information.

The Czech antivirus software company claims to have more than 435m active users per month, while Jumpshot said it had data from 100m devices. Jumpshot advertised itself as a company selling data to “provide marketers with deeper visibility into the entire online customer journey”.

According to the reports, Avast only collects information from users who opt in, but many customers were unaware that Avast sells browsing data through Jumpshot, leaving Motherboard questioning just “how informed that consent is”.

Sensitive data sold for millions

According to Motherboard, some of the clients that have purchased information from Jumpshot included Google, Microsoft, Yelp, Condé Nast and Pepsi. Some clients are reported to have paid millions for products, including precise details on how a user behaves on the internet.

The report from Motherboard and PCMag relied on leaked user data, contracts and other company documents, claiming that the sale of this data was “both highly sensitive” and often “supposed to remain confidential between the company selling the data and the clients purchasing it”.

PCMag added that the ‘de-identification’ of this information, which was supposed to keep users anonymous, can fail. The publication reported that each individual user’s web history data can be picked apart and linked back to individual Avast users, particularly when purchases are made.

PCMag said that at first glance the data looks “harmless”. Author Michael Kan wrote: “You can’t pin it to an exact user, unless [you are the company that owns the website], which could easily figure out which [user] bought an iPad Pro at 12:03:05 on 1 December 2019. Suddenly, device ID 123abcx is a known user.”

Winding down Jumpshot

On 30 January, Avast announced plans to terminate its provision of data to Jumpshot, adding that it is going to “commence a wind down of Jumpshot”. The core functions of the company’s antivirus programmes will remain the same and users will see no change.

Avast CEO Ondrej Vlcek said: “Avast’s core mission is to keep its users safe online and to give users control over their privacy. The bottom line is that any practices that jeopardise user trust are unacceptable to Avast.

“We are vigilant about our users’ privacy, and we took quick action to begin winding down Jumpshot’s operations after it became evident that some users questioned the alignment of data provision to Jumpshot with our mission and principles that define us as a company.”

‘Fully within legal bounds’

In a separate letter posted on Avast.com, Vlcek addressed the company’s “valued” stakeholders, customers, partners, employees and investors.

He wrote: “Avast’s core mission is to keep people around the world safe and secure, and I realise the recent news about Jumpshot has hurt the feelings of many of you, and rightfully raised a number of questions – including the fundamental question of trust.

“As CEO of Avast, I feel personally responsible and I would like to apologise to all concerned. Protecting people is Avast’s top priority and must be embedded in everything we do in our business and in our products. Anything to the contrary is unacceptable.”

Vlcek added that “both Avast and Jumpshot acted fully within legal bounds” and “committed themselves to 100pc GDPR compliance”.

“While the decision we have made will regrettably impact hundreds of loyal Jumpshot employees and dozens of its customers, it is absolutely the right thing to do. I firmly believe it will help Avast focus on and unlock its full potential to deliver on its promise of security and privacy.”

Kelly Earley was a journalist with Silicon Republic