The subsidiary of Avast antivirus offers ‘ Each quest. Each press. Every click. Every order. Every order. Home Depot, Facebook, Ibm, Pepsi and McKinsey were included among its consumers.
Update: Avast announced on Thursday and after that investigation that it would immediately stop collecting the Jumpshot data and wind down operations of Jumpshot. The full story can be found below.
A recent Motherboard and PCMag study has shown that an antivirus program used by hundreds of millions of people around the world transfers highly sensitive web browsing details to many of the world’s largest businesses. The research focuses on revealing user data, contracts and other business papers indicating that the sale of the data is highly sensitive as well as proprietary between the data selling company and the consumers buying it in many situations.
The records, from a company named Jumpshot from the anti-virus corporation Avast, shed new light on the underground distribution and supply chain of Web surfing history of people. We reveal that the Avast antivirus program on your device collects data and Jumpshot repackages it into various products which are then distributed to many of the world’s largest corporations. Google, Yelp, Microsoft, McKinsey, Pepsi, Home Depot, Condé Nast, Intuit, and many others have been among other past, present and potential customers. Some customers have paid millions of dollars for so-called All-Click Feed products that can track user behavior, clicks and websites with high precision.
Avast reports to have more than 435 million active users each month, and Jumpshot estimates data from a total of 100 million devices are available. Avast gathers data from users who opt in, and then reveals that several Avast customers have informed Motherboard that they do not realize Avast provided browsing data, raising questions around reminding them of that approval. Motherboard and PCMag collected details from Google searches, position searches and Google Maps GPS synchronization, LinkedIn website views, and information. From the collected data it is possible to determine where and when the anonymized user viewed YouPorn and PornHub and in some instances what search term they used on the porn website and which other video they recorded.
Do you know about any other companies selling data? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.
Although the data did not include personal data such as user names, it still includes a variety of sensitive browsing data, and experts say those accounts could be classified declared declared.
In a July press release, Jumpshot says that it is “the only organization to open walled garden info” and intends to “provide advertisers with more in-depth exposure in the entire online client travel.” Nevertheless, other companies listed in Jumpshot records include Expedia, IBM, Intuit, make TurboTax, Loreal and Home Depot. Employees are directed not to speak openly about the relationship between Jumpshot and these companies.
“It’s very granular, and it’s great data for these companies, because it’s down to the device level with a timestamp,” the source said, referring to the specificity and sensitivity of the data being sold.
Before recently, Avast had gathered browsing details from its consumers who had enabled the business software extension to warn users to questionable websites. Security researcher Wladimir Palant and AdBlock Plus founder posted a blog post in October revealing Avast’s processing of user data with it. Soon afterwards, the browsers Firefox, Chrome, and Google were dropped from their separate web app shops for Avast’s and affiliate AVG plugins. Avast had already clarified the processing and distribution of this data in 2015 in a website and blog post. Avast has since stopped sending browsing data from the Jumpshot extensions, Avast told Motherboard and PCMag.
Credits: Motherboard
The collection of data is however underway, showing the origins and documentation. Instead of collecting information from the browser’s software, Avast does so via the anti-virus software itself. Avast began asking its existing free anti-virus users to opt-in to data collection last week, months after its software extensions were used to send data to Jumpshot, according to the internal document.
This mass data collection activities related to data obtained that reported by the Motherboard and PCMag has including various highly sensitive users behavior and activities including Google searches, lookups of locations and GPS coordinates on Google Maps, people visiting companies’ LinkedIn pages, particular YouTube videos, and people visiting porn websites.
Evidence from these activities shows that Avast also collects sensitive searches for pornographic activities such as underage sex through Jubmsuit.
“Jumpsuit also offering the data based on the price and how much they are paying for them and supply the URL string to each site visited, the referring URL, the timestamps down to the millisecond, along with the suspected age and gender of the user, which can inferred based on what sites the person is visiting,” PCMag said.
Last year Avast conducted data collection operations via its browsers and shortly after Firefox, Opera and Google dropped from the respective software extension stores Avast’s and AVG’s subsidiaries.
When you open Avast or AVG products, it pops up and asks users to do so “Mind sharing some data with us? ” and it tells you that the collected data will be de-identified and aggregated as a way to protect your privacy.
Furthermore, there was no clear information as to how the same details can be mixed with other information to link the identification with the browser history gathered, but users still find it preserves their privacy.
Nonetheless, data collection is a persistent reaction to this accusation and states that data collected through these Jumpshot extensions have been prevented from being exchanged, however documents say the data collection is on-going.
But Avast does not commit massive data collection via its free anti-virus software by means of the browser software extension.
In addition, journalists approached businesses that have bought data from Jumpsuit utilizing third-party suppliers ‘ information to help develop our brand, products and services.
” Despite Avast currently asking users to opt back into the data collection via a pop-up in the antivirus software, multiple Avast users said they did not know that Avast was selling browsing data.”
Jumpshot made all click streams from 14 different countries, including the US, Uk, Canada, Australia and New Zealand, open to Omnicom, a marketing company. Omnicom did not answer the question about these activities.
In this situation, Microsoft strongly denied the explanation why they acquired these collected data and said that they had no direct relationship with the company.
Avast refused to respond to so many questions and said: “Because of our methodology, we guarantee that Jumpshot does not get personal identification information from individuals who use our popular free antivirus software, like name, e-mail address or contact details.”