Though data collection is a fact of life these days, many consumers were surprised to discover that Avast—maker of antivirus software designed to protect computers from security threats—has been sharing personal info collected from their devices with a subsidiary that sells trend analytics to Google, Home Depot, Microsoft, and Pepsi.
According to articles published Monday by Motherboard and PCMag, Avast's antivirus software appears to track users' clicks and movements across the web, collecting data on things like Google searches and visits to LinkedIn pages, YouTube videos, and pornography websites.
After being "de-identified," meaning information like name and email address is removed, the data reportedly is repackaged and sold by the subsidiary Jumpshot.
The software is used by more than 400 million people around the world, Avast says. And, according to Consumer Reports testers, it ranks among the best free security software options available to PC and Mac owners. The same goes for Avast's AVG-branded software.
That's why many people felt betrayed when they learned about Avast's stance on digital privacy.
"This one really struck me," says Jim Hansen, president and chief operating officer of the cybersecurity company Swimlane. "Do any of us really know how much data we're giving away?"
In a blog post on Tuesday, Avast said: "While we acted fully within legal bounds, always remaining vigilant to protect our users' privacy, we have listened to recent feedback and have already taken steps to align with the expectations of our users."
In July 2019, the company began testing a prompt that explicitly asked users whether they wanted to opt-in to such data-sharing during all new downloads of its desktop AV software. It's now in the process of rolling out that prompt to all existing AV users.
On its website, Avast says that most of the company's offerings collect some kind of anonymous user data, which is then used to improve the products and help the company react quickly to security threats.
The site doesn't mention anything about sharing data with outside companies. But Avast's privacy policy does say that consumer data is "stripped and de-identified' and used by Jumpshot to "provide trend analytics" for other companies.
So the big question for consumers is should they now uninstall their Avast AV software. And, according to security experts, the answer is no.
Having your search history and internet-browsing habits collected and sold may make you uncomfortable, but antivirus software goes a long way toward keeping malware out of your computer and fending off ransomware, phishing attacks, and other threats.
One thing you can do right now, though, is adjust your privacy settings. Avast's website provides instructions on how to limit data collection, including halting distribution to third parties for "analysis of trends, business, and marketing."
The next big question: Do other AV companies share your data in this way?
Right now there's no straightforward answer.
A quick review of the privacy policies posted by a few of the companies in our AV software ratings yields few clues, according to CR privacy researcher Bill Fitzgerald.
"Ironically, the Avast and AVG terms are clearer than most about what they share," he says. In its privacy policy, ZoneAlarm—yet another AV software maker included in our ratings—says that it shares search information with a firm called CodeFuel that offers "monetization solutions for websites, extensions, apps, and search engines." But beyond that, it's hard to find the details you need to make an informed decision about what software to use.
"For the free options, it's very difficult to know what they're doing and not doing with the data they're collecting," Fitzgerald says, "because the terms in the policy are so vague. It's just not realistic for a consumer to read them and understand what's happening."
Short of reaching out to each AV software provider with direct questions—which we are currently doing—there's not much you can do.
In an age where the profits of many tech companies hinge on their ability to collect and sell data, is it realistic to expect that AV companies would behave any differently?
Chris Brazdziunas, chief product officer for the cybersecurity company ThreatX, says consumers need to be wary anytime they use a "free" service that interacts with their data.
That includes asking any company that's supposed to be protecting your data how it keeps that information private. If you don't get a clear answer, consider doing business with someone else.
"In this market, there are choices," says Brazdziunas. "And it is our responsibility as consumers to be clear that we aren't going to settle for less-than-exceptional private data handling."
