You’d think that few types of software are as trustworthy as some of the best antivirus programs, but it turns out that perceptions can be deceiving. Avast, one of the most recognizable antivirus solutions for PCs, was found to be secretly collecting and selling user data to third-party corporations for a period of six years.
Following an investigation, the U.S. Federal Trade Commission (FTC) fined Avast $16.5 million and banned it from doing this again in the future. Even if you weren’t using Avast, your data may still have been compromised, as there are several antivirus software programs that all fall under the same umbrella.
According to the FTC, Jumpshot, an Avast subsidiary (that was “voluntarily closed” in 2020), was selling users’ browsing data to over 100 different companies between 2014 and January 2020. The FTC also found that Jumpshot amassed over eight petabytes (that’s 8,000 terabytes) of browsing data. The data included things that no antivirus should ever be selling to corporations, such as information related to health and medical status, religious beliefs, political leanings, finances, and more.
When PCMag and Motherboard (Vice) initially published an investigation regarding Avast selling user data, the company claimed that the data was first stripped of identifying information before being sold. However, Jumpshot also had deals with advertising companies like Lotame and Omnicom, allowing them to match up the data with their own sources, making individual users easier to identify.
Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in an announcement: “Avast promised users that its products would protect the privacy of their browsing data, but delivered the opposite. Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”
1. Avast promised users it would protect their browsing data from online tracking—but then did the exact opposite. @FTC’s action against Avast makes clear that browsing data is sensitive, and firms that sell this data could be violating the law. https://t.co/R41ci2LE8j
— Lina Khan (@linakhanFTC) February 22, 2024
The FTC notes that Jumpshot earned “tens of millions in gross revenues,” all by selling data collected through Avast — and the customers were never appropriately informed.
“Not only did Avast fail to inform consumers that it collected and sold their browsing data, the company claimed that its products would decrease tracking on the internet,” according to the FTC. The software promised to block “annoying tracking cookies” that collected data on browsing activities, as well as shield the user’s privacy.
Gen Digital, the company that owns Avast, also has a number of other products related to internet and PC security. This includes Norton, Avast, LifeLock, Avira, AVG, Reputation Defender, CCleaner, Recuva, Speccy, and Defraggler.
The company addressed the situation in a statement to PCMag, saying: “We are committed to our mission of protecting and empowering people’s digital lives. While we disagree with the FTC’s allegation and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world.” In addition to the $16.5 million fine and strict orders not to sell or license collected user data for advertising purposes, Avast will have to inform the affected users that their data was previously sold.
