It has been reported that an antivirus program used by hundreds of millions of people around the world is selling highly sensitive web browsing data to many of the world’s biggest companies, a joint investigation by Motherboard and PCMag has found. The Avast division charged with selling the data is Jumpshot, a company subsidiary that’s been offering access to user traffic from 100 million devices, including PCs and phones. In return, clients—from big brands to e-commerce providers—can learn what consumers are buying and where, whether it be from a Google or Amazon search, an ad from a news article, or a post on Instagram.
The data collected is so granular that clients can view the individual clicks users are making on their browsing sessions, including the time down to the millisecond. And while the collected data is never linked to a person’s name, email or IP address, each user history is nevertheless assigned to an identifier called the device ID, which will persist unless the user uninstalls the Avast antivirus product.
Antivirus companies who get into the practice of data brokering cease to be security companies, in my opinion, and should defend themselves with clear, transparent language and should remove conflicts of interest or they are spyware luring in customers with benefits that are misleading and frankly disgusting. I hope that Avast is proved innocent for the industry’s sake, but if it’s not, I reject them as a security company until they resolve this and make amends, transparently.
Avast is in a position of trust and is supposed to be protecting from not just the black and white world of malware, but also from the shades of grey of adware and spyware. The term PUP or “potentially unwanted program” is a bit of a cop-out: there’s nothing potentially unwanted about these programs, as the vast majority of them are collecting data and putting it to use in ways that we as online citizens wouldn’t want.
The reason for the PUP euphemism is that the manufactures of many spyware programs have legal departments that frighten antivirus makers and threaten to embroil them in expensive court cases and legal battles in civil court. The cry from the manufacturers of this nasty shady-ware is that the EULA (End User License Agreement) discloses that data might be re-used or re-sold. That isn’t good enough, though, and it’s especially not good enough from a company that is supposed to help us sort the black from the white and to parse the grey in between. By analogy, the police protect us from harm. You can hire a bodyguard to also protect you from harm in a private contract, but how do you feel when the police ask you for some direct funding for the same? How do you feel when the police perhaps also tell criminals about your whereabouts?
So now we come to the antivirus industry. From the big names to the small, we are uniformly supposed to be above this. We are the watchers who are supposed to spot the spyware and the PUPs and make the calls, and to never, ever fall into that grey zone. It’s corrupt, and hiding behind a EULA won’t do it. What’s required is informed, strong consent: any company providing any security benefit and in a position of trust that is selling information had better have used less than 10 words to alert the user clearly, gotten consent and be open to their users being directly asked if they knew this was a contractual agreement. It’s not OK to bury permission in a 200-page EULA, written passive voice run-on sentences in all caps. No one reads that.
It’s also not OK to go against a company’s explicit, public privacy statements. Time will tell and the truth will come out when companies cross this line. I will leave it to the lawyers to decide what subsidiaries of Avast said or did, what the EULA’s disclosed or not and whether they are within the bounds of their agreements with their customers.