Avast, a maker of anti-virus software, has been selling users’ data to companies such as Google, Microsoft, IBM, Home Depot, sometimes for millions of dollars, a joint investigation by Vice and PCMag found. The harvesting of data is reportedly done by the Avast anti-virus software itself. Avast scraped  data from users’ computer, and it handed it over to its subsidiary Jumpshot, which then repackaged the data before selling it to other companies, the investigation revealed. It said that while Avast required users to opt-in to the data sharing exercise, several users were unaware that Jumpshot was selling it to other companies.

Information in the database: The data being sold by Jumpshot, includes Google searches, Google Maps location searches, activity on companies’ LinkedIn pages, YouTube video visits and data on people visiting porn websites, Vice reported. It is also possible to determine at what date and time a user might have visited a porn site, including the search terms they might have entered on those websites, it said. It should be noted that the data does not include personal information of users such as their names, but Vice pointed out due to the availability of such specific browser data, the anonymised data can potentially be traced back to a user. Avast claims to have more than 435 million users, while Jumpshot has previously said that it has access to data from a 100 million devices, Vice noted.

“Jumpshot’s data could show how someone with Avast antivirus installed on their computer searched for a product on Google, clicked on a link that went to Amazon, and then maybe added an item to their cart on a different website, before finally buying a product, the source who provided the documents explained.” — from the investigation

The companies that bought the data: The investigation revealed several major companies that have bought data from Jumpshot, or are currently buying from them. The list includes McKinsey, Pepsi, Expedia, Yelp, Intuit, Keurig, Condé Nast, Sephora, Loreal and more. We don’t know which of these companies are current or past clients.

  • Microsoft told Vice that it currently has no relationship with Jumpshot, while Yelp claimed it engaged with the company on a “one-time basis”.
  • IBM said it did not have a record of being Jumpshot’s client.
  • Home Depot told Vice they buy anonymised audience data which can not be used to identify an individual.
  • Google refused to offer a comment to Vice. We have reached out to them.

Data of ‘every click’ from ‘every site’: Among the products that were purchased by these companies, is a product by Jumpshot called “All Clicks Feed,” which which tracks users’ clicks across websites in precise detail, the investigation revealed. It’s advertised as “Every search. Every click. Every buy. On every site.”

  • The investigation found out that Omnicon Media Group, paid Jumpshot more than $2 million for accessing data in 2019. The price for accessing the data in 2020 is $2.225 million, and $2.275 million for 2021, the report said; that particular contract also mentioned a product called “Insight Feed” for 20 different domains.
  • As part of this contract, Jumpshot gave Omnicon access to all click feeds from 14 different countries including the US, England, Australia, New Zealand and Canada. Clients from the financial services industry often buy a database that contains 10,000 domains visited by an Avast user, it added.

Can Jumpshot’s ‘anonymised’ data be traced back to a person? Jumpshot hashes the “device ID” if each user before selling the data, which means that companies purchasing it will not be able to identify which person that data relates to, the report said. However, it pointed out that Jumpshot’s data might not be completely anonymous, since the device IDs don’t change “unless a user completely uninstalls and reinstalls the security software.” It said that there numerous academics have found out that it possible to identify individuals from anonymised data, referring to a New York Times report, which was able to identify a particular person from a cache of anonymous search data that AOL publicly released.

Data obtained as part of investigation showed that Jumpshot’s data includes URLs which with precise timestamps, down to the millisecond “which could allow a company with its own bank of customer data to see one user visiting their own site, and then follow them across other sites in the Jumpshot data”. As part of the investigation, PCMag installed Avast’s antivirus, and the software did ask if they wanted to opt-in to data collection, however, the pop up provided no information on how Jumpshot might be using the data collected as part of this exercise.

Avast has been here before: This isn’t the first time Avast has run into data collection trouble. In December 2019, Mozilla had pulled Avast’s Online Security and SafePrice extensions for Firefox, as well as Avast’s AVG-branded equivalents, after they were found to be collecting much more data than necessary.