Avast Hit With $16.5 Million Fine for Selling Customer Data – Source: securityboulevard.com

Avast Software will pay a $16.5 million fine to settle a federal complaint accusing the antivirus vendor of collecting users’ browsing data over six years and selling it to advertising companies without their consent.

In fact, Avast did all this while promising users that its products would protect consumers from being tracked online, according to the U.S. Federal Trade Commission.

The FTC, in its 18-page order made public this week, also is prohibiting Avast from selling such browsing data to third-party advertisers and is requiring the company to delete the web browsing information that it transferred to its Jumpshot subsidiary and products and algorithms Jumpshot derived from the data and to get consent from consumers before selling or licensing browser data from non-Avast products to third parties.

In addition, Avast has to create a privacy program and notify customers whose data was sold without their consent about the FTC’s order.

The case against Avast is only the latest by federal and state agencies to target organizations – including increasingly data brokers – that collect vast amounts of personal information from consumers and sell it without their consent. The FTC last month settled complaints against two data brokers, Outlogic and InMarket Media.

More recently, food delivery service DoorDash this week settled with the state of California over accusations that it violated the California privacy laws by selling customers’ personal information – including names, addresses, and transaction history – without telling them or allowing them to opt out. The violations occurred as part of DoorDash’s participation in a marketing cooperative.

DoorDash was ordered to pay a $375,000 fine and must comply with state privacy laws.

False Promises

In Avast’s case, the UK company sold the browser data to third parties after telling users that its products would protect them, according to the FTC’s complaint.

“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”

From 2014 until this year, Avast representatives told consumers that the software would block tracking cookies used to collect browsing data and prevent web services from tracking online activities, the FTC wrote in its complaint. Still, between 2014 and 2020, Avast sold the browsing information.

In addition, Avast said it used an algorithm to remove identifying information, ensuring that whatever was shared would be in “anonymous and aggregate” form to protect their privacy. However, the company didn’t anonymize the browsing information enough before selling it in non-aggregate form.

“For example, its data feeds included a unique identifier for each web browser it collected information from and could include every website visited, precise timestamps, type of device and browser, and the city, state, and country,” the FTC wrote.

Personal Information Revealed

The browsing data provided third parties with information about the users’ web searches and webpages visited, which the agency said revealed details about consumers, including their religious beliefs, health concerns, political leanings, financial status, and location.

The agency said Avast sold the data to more than 100 third party through Jumpstart. Avast bought antivirus competitor Jumpshot in 2013 and remade it into a data analysis firm. For six years, Jumpshot sold the browsing information that Avast created.

Avast didn’t prohibit some data buyers from re-identifying its users based on the data supplied by Jumpshot, and even when its contracts did include prohibitions, “the contracts were worded in a way that enabled data buyers to associate non-personally identifiable information with Avast users’ browsing information,” the FTC wrote.

“In fact, some of the Jumpshot products were designed to allow clients to track specific users or even to associate specific users – and their browsing histories – with other information those clients had.”

Jumpshot at the Center of Controversy

The agency pointed to a Jumpshot contract with Omnicom, an advertising conglomerate. Jumpshot had a product called “All Clicks Feed,” which included every click the company was collecting from Avast users. In 2018, Jumpshot offered an All Clicks Feed to Omnicom from 50% of its customers six countries, including the United States, Canada, and the UK.

“According to the contract, Omnicom was permitted to associate Avast’s data with data brokers’ sources of data, on an individual user basis,” the FTC wrote.

Such practices came to light in a joint investigation by news sites Vice and PCMag in January 2020 that detailed was Jumpshot was doing and outed such companies as Google, Microsoft, Home Depot, Pepsi, and McKinsey as customers.

Avast shut down Jumpshot days after that investigation was published, with CEO Ondrej Vlcek – who was put into the top spot in 2019 – saying at the time that the company’s mission was to keep users safe online and give them control over their privacy.

“The bottom line is that any practices that jeopardize user trust are unacceptable to Avast,” Vlcek said. “We are vigilant about our users’ privacy, and we took quick action to begin winding down Jumpshot’s operations after it became evident that some users questioned the alignment of data provision to Jumpshot with our mission and principles.”