Antivirus (AV) software giant Avast has announced that it will wind down one of its subsidiary businesses just days after leaked documents revealed the extent to which the Czech company was selling users’ browsing data to third parties.
On Monday, Viceand PCMag published details about how Avast had been collating browsing data covering web properties such as Google Maps and Search, LinkedIn, and YouTube and then repackaging it for sale under a subsidiary called Jumpshot, which has claimed clients such as Google, Microsoft, Yelp, Pepsi, Home Depot, and Condé Nast. Although the data was not thought to contain any personally identifiable information, it is often possible to “de-anonymize” data by combining and aligning it with different data sets to unearth shared patterns.
Jumpshot was founded back in 2010 but officially launched from a Kickstarter-funded project in 2012. In its original guise, Jumpshot offered a PC-based software that promised to rid machines of viruses, spyware, and the like, and the company was eventually bought by Avast.
According to the latest report, some Jumpshot clients paid millions of dollars for various products, including something called an “all clicks feed” that was apparently able to track user behavior such as clicks and movements between websites. For a company like Google — which has so far declined to comment on the report — this can significantly improve and measure targeted advertisements.
Avast has now said that it plans to “terminate its provision of data” to Jumpshot and will ultimately pull the plug on the product altogether. This won’t impact Avast’s core products, but it will seemingly diminish a significant revenue-generating stream for the company.
Data harvesting has played an increasingly prominent role in the online privacy debate, with the Facebook and Cambridge Analytica fiasco highlighting how digital data can be leveraged by political or commercial entities without the knowledge of the users involved.
With more than 400 million users, Avast is among the top five antivirus providers globally and remains one of the industry’s best known brands. By shuttering Jumpshot, Avast is essentially trying to protect its core AV software business, particularly since the company has public shareholders to answer to following its 2018 IPO. Avast’s shares had risen by around 90% year-on-year up until this week, but in the days following Vice’s report, the company’s stock fell by 25%.
In truth, Jumpshot had made no secret of the fact that it leveraged Avast data and had previously revealed that it uses data from 100 million devices, including PCs, smartphones, and tablets. But this latest report not only highlights the extent to which the data was used, it also raises questions over how much consent users actually gave. Ultimately, transparency is the bigger question.
According to Avast, up until last year users had to opt out of the program, which means that many people would not have been fully aware they were sharing data. The company said that from July, 2019 it had “begun implementing” an opt-in choice for all new downloads, and it added that it’s also now starting to prompt existing “free” users to choose whether to share their data with Jumpshot.
Anyone installing Avast now will see this opt-in box during setup — and it does mention that it “may share” aggregated insights with its customers. Avast also told Vice that it complies with privacy regulations such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in Europe; however that is really up for debate.
Indeed, GDPR specifically forbids pre-ticked opt-in boxes, and the fact that Avast chooses to highlight the “I Agree” button could be construed as an attempt to influence the user’s selection. This is what is known as “dark pattern design,” and many technology companies — including Facebook — employ similar tactics to encourage users to cede to their whims. Last year, two U.S. senators introduced a new bill to prevent social media firms using dark pattern interface design techniques.
That Avast and Jumpshot had been working together to sell user data was not a closely guarded secret, but it’s fairly clear Avast has not been entirely transparent with users when they are installing its software.
Transparency is an issue that has reared its head time and time again. The underlying problem is not so much the data-sharing itself, but the lack of clarity from a user standpoint. Last year, Apple and Google were forced to temporarily halt human voice-data reviews of their digital assistants following a major privacy backlash, and here again the core issue was that the companies were not open about the fact that they used employees and contractors to listen in on private conversations.
Given that Avast pitches its security and privacy offerings — spanning antivirus software and VPNs, among other tools — the fact that it was sharing data with third parties is not a great look. But the failures around transparency make the whole thing worse.
“Avast’s core mission is to keep its users safe online and to give users control over their privacy,” Acast CEO Ondrej Vlcek said. “The bottom line is that any practices that jeopardize user trust are unacceptable to Avast. We are vigilant about our users’ privacy, and we took quick action to begin winding down Jumpshot’s operations after it became evident that some users questioned the alignment of data provision to Jumpshot with our mission and principles that define us as a company.”