[English]A leaked document reveals that a subsidiary of the Avast antivirus manufacturer sold user data (searches, clicks, purchases, etc.) collected by its software to customers.
Advertising
Avast subsidiary sells user data
A few hours ago I came across the article Leaked Documents Expose the Secretive Market for Your Web Browsing Data at Medium. A subsidiary of the manufacturer of an antivirus program that is used on hundreds of millions of systems sells highly sensitive browser data of its users to third parties. Buyers include many of the world's largest companies, such as Home Depot, Google, Microsoft, Pepsi, and McKinsey.
The report is based on leaked user data, contracts and other corporate documents that show that the sale of this data is both highly sensitive and in many cases confidential between the company selling the data and the customers buying it.
Avast products collect data, Jumpshot sells them
The documents, which originate from the Jumpshot subsidiary of the anti-virus provider Avast, shed new light on the provider's secret sales and supply chains.
- According to Motherboard, the documents show that Avast's installed antivirus program collects data about the surfing behavior of users.
- The documents also show that Jumpshot feeds this data into various products, which it then sells to companies worldwide.
Jumpshot's past, present and potential customers include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Condé Nast, Intuit and many other companies. Some customers have paid millions for products that include an "All Clicks Feed". This can track user behaviour, clicks and movements on the websites with high accuracy.
Complete online activities recorded
The data viewed by Motherboard and PCMag includes Google search queries, looking up locations and GPS coordinates on Google Maps, people who visit corporate LinkedIn pages, certain YouTube videos, and people who visit porn sites. The information collected can be used to determine the date and time the anonymous user visited YouPorn and PornHub, and in some cases, the search term entered on the porn site and the specific video viewed.
Advertising
Anonymous data allows users to be identified
Although the data does not contain any personal information such as the names of users, it does contain a wealth of specific browser data. Although the data is formally anonymised, I had pointed out in the article: Undermined privacy: How Apps spy on us legally that this data can also be deanonymized. PC-Mag points out here that the data records are provided with a Device ID. Together with the date and the data that can be assigned to this ID, the identity of a user can be revealed.
PCMag and Motherboard have learned the details of data acquisition from a source familiar with Jumpshot products. Privacy experts the two magazines spoke with confirmed that the time stamps in the data, as well as the persistent device IDs, can be analyzed along with the collected URLs to reveal a person's identity.
"Most of the threats posed by deanonymization (i.e., revealing a person's identity) stem from the ability to merge the information with other data," Gunes Acar, a privacy researcher involved in online tracking, is cited in the articles. Acar points out that large companies like Amazon, Google, and brand retailers and marketing firms can accumulate entire activity logs about their users. With Jumpshot's data, companies have another way to track the digital footprint of users on the Internet.
Jumpshot advertised with deep insights
In a July 2019 press release, Jumpshot advertises that it is "the only company that can release the data from the so-called "walled garden. The company promises to "give marketers deeper insight into the overall online activities of customers. Jumpshot has clients like Expedia, IBM, Intuit (TurboTax), Loreal and Home Depot. Employees are instructed not to speak publicly about Jumpshot's relationships with these companies.
Data collection continued
However, according to Motherboard's report, the collection of data is not yet complete. This can be concluded from information from the source and from available documents. Instead of collecting the information through software connected to the browser, Avast is now doing this through the anti-virus software itself. .
A few days, months ago, after it was discovered that it was sending data to Jumpshot with its browser extensions, Avast began asking its existing consumers of free antivirus software to choose to collect data, according to an internal document. Those who agreed to this were tracked afterwards. Further details can be found at Motherboard and at PCMag. By the way, we have the 28.1., European data protection day.
