Avast is collecting its users’ browsing histories and selling the data to third parties, according to a joint investigation by PCMag and Motherboard. This is just the latest example of free antivirus software harvesting data. After all, that free antivirus has to make money somehow.
Update: On January 30, 2020, Avast announced it will shut down to its Jumpshot subsidiary, which sold its users’ browser histories to marketers.
Avast’s Collects and Sells Your Browsing History
Do you use Avast’s antivirus? By default, Avast collects your web browsing activity and offers it to marketers through a subsidiary named Jumpshot. Companies who pay Avast can view full “clickstream data” to see what Avast users are doing online. Here’s how Michael Kan puts it over at PCMag:
The data collected is so granular that clients can view the individual clicks users are making on their browsing sessions, including the time down to the millisecond. And while the collected data is never linked to a person’s name, email or IP address, each user history is nevertheless assigned to an identifier called the device ID, which will persist unless the user uninstalls the Avast antivirus product.
Avast says this data is “anonymized,” but PCMag and Motherboard were able to link it to individuals. For example, if you know which Amazon user bought a specific product at a specific second on a specific date, you can identify the “anonymized” individual and then look back through their browsing history.
Avast Harvests the Data Through Its Desktop Antivirus
If you have Avast installed with the default settings, your browsing history is being sold to marketers through Jumpshot. This data isn’t collected through Avast’s browser extension. Instead, it’s collected through the main desktop Avast antivirus application.
When you install Avast, you’ll see a prompt asking whether you want to share data. Most people who clicked “I agree” probably didn’t realize everything they agreed too.
If you have Avast installed, you can open the Avast application and head to menu > Settings > General > Personal Privacy to control what data is collected and shared. Disable the data-sharing options here.
We recommend just uninstalling Avast. But, if you want to leave it installed and disable the data collection, this is where you do it.
Browser Extensions Are Only Part of the Problem
Antivirus software often bundles browser extensions that collect detailed data for marketing purposes. In October 2019, Adblock Plus creator Wladimir Palant cataloged the way several Avast browser extensions gather and transmit data about people’s browser histories. An AVG browser extension was doing the same thing, too—that’s not surprising, as Avast bought AVG a few years ago.
While Google and Mozilla can crack down on what an antivirus company’s browser extensions can do, no one’s stopping a company like Avast from collecting data using its desktop application. That may be one reason why Avast is engaging in such wholesale data collection through its desktop application.
We recommend against installing your antivirus’s browser extensions, but you can’t avoid privacy problems just by avoiding the browser extensions.
Free Antivirus Software Has to Be Paid For Somehow
Free antivirus software has to make a profit somehow, so it’s no surprise that companies like Avast have turned to gathering and monetizing their customers’ data.
In the past, Avast has even incorporated a “shopping” feature that added advertisements to other web pages as you browsed. Avast no longer does that, but the data collection doesn’t feel entirely out of character.
As we pointed out back in 2015, free antivirus software really isn’t “free” anymore. Many antivirus companies have turned to changing your default search engine, swapping your browser’s homepage, and integrating extra software “offers” into their installers. Today, many other antivirus applications are likely tracking your browsing and, presumably, selling that data.
What Antivirus Software Doesn’t Track You?
Not every free antivirus necessarily tracks you. We haven’t examined every antivirus out there. Some might provide a free trial that doesn’t collect and sell data, instead attempting to sell you the company’s paid antivirus product.
For example, Wladimir Palant, who exposed the data collection in Avast and AVG’s browser extensions, said in response to a comment that he hasn’t found any indication Kaspersky’s free antivirus is spying on its users. However, back in 2019, Kaspersky was previously injecting a unique identifier into web browsing traffic that would have allowed its users to be identified online.
We recommend Microsoft’s Windows Defender, which is integrated into Windows 10. Microsoft’s antivirus doesn’t have an agenda beyond keeping malware off your computer. It doesn’t track your web browsing. It doesn’t try to upsell you any extra software, although Microsoft does offer more advanced security software contracts for businesses.
We also like and recommend Malwarebytes, which we’ve found does a good job of detecting and removing junk software. The free version of Malwarebytes can’t run in the background. It only offers manual scans. Malwarebytes makes its money from Premium subscriptions rather than tracking its users.