Antivirus Software Selling Detailed User Activity Data To Marketing Companies

Surveillance by Jonathan McIntosh

A joint investigation by Motherboard and PCMag revealed some concerning business practices of an antivirus company named Avast, which offers free security software to customers, with the option of a paid premium version. Leaked documents from Jumpshot, one of Avast’s subsidiaries, revealed marketing documents and confidential business arrangements with multiple marketing firms who paid for large collections of historical user activity data. The data included web searches, unfiltered browsing history, map and navigation history, video viewing history, online purchase history, and social media usage history. The collection was then marketed and sold to multiple firms as a highly unique data set, with “Every search. Every click. Every buy. On every site.” included in the offering.

Avast claims to have more than 400 million users, most of which subscribe to their free antivirus product. The free product enticed millions of users away from other commercial alternatives, later upselling them premium versions of the software that provide additional features. But while users enjoyed a free antivirus product, as part of the installation process they are presented with an option to anonymously share data with the company. If the option is selected, a new profile is created for that user, and the software begins to collect information about user activity on that computer.

Illustrative example of user profile data collected about a user

Users are assigned an identifier that is used for their profile, called a User ID. A separate table links that user ID to their personally identifiable information such as name, address, email address and phone number, but that personal information is not sold to other firms due to restrictions imposed by privacy laws. Because the antivirus software is installed on the device, it has access to a wealth of user activity, and can log which websites the user visited, what they purchased, what they viewed, and what their interests are. Websites do not have access to this level of detail and can only log the usage history of visitors to that specific site, with that data governed by a privacy policy.

Digital marketing firms ingest log data and use it to enhance their advertising campaigns, enabling them to target users with a high level of precision, based on their interests, their browsing history, their purchase history, and their location. Privacy advocates have decried these practices as an invasion of user privacy, and companies have pointed to their data privacy policies and the anonymization of users to defend themselves. When contacted for comment, many Jumpshot client were quick to absolve themselves, either stating that the data was used only for constructive or investigative purposes.

Read More