On Monday Motherboard and PCMag published a joint investigation which found hugely popular free antivirus Avast is harvesting and selling its users' browsing data to some of the biggest companies in the world. In response, Senator Mark Warner said the Federal Trade Commission (FTC) is not doing enough to police this sort of data selling.
The news comes at a time of renewed focus on the sale of private data, be that by private businesses or some government departments.
"Time and again we’ve seen that consumers are totally unwitting to the ways their data is being collected, commercialized and sold. This gulf between consumer expectations and business practices is unsettling in general, but particularly troubling in the context of trust relationships like as the provision of antivirus software, web browsers, and VPNs. Yet in each of these cases we’ve repeatedly seen trusted intermediaries undermine the privacy and security of consumers," Senator Warner told Motherboard in a statement.
Using leaked documents, contracts, and data, Motherboard and PCMag found a subsidiary of Avast called Jumpshot sold products based on browsing data for millions of dollars. The data has personal information like names and email addresses removed, but still includes highly sensitive browsing data. The data includes Google searches, lookups of locations and GPS coordinates on Google Maps, YouTube videos, and particular porn videos and searches on porn sites. One Jumpshot product derived from this data is a so-called All Clicks Feed, and Jumpshot's clients have included Home Depot, Google, Microsoft, Pepsi, and McKinsey. Multiple experts also said it could be possible to de-anonymize the data.
After security researcher and AdBlock Plus creator Wladimir Palant published a blog post last year finding that Avast harvests user data with its browser plugin, browser makers Google, Mozilla, and Opera removed the software from their plugin stores. Now Avast is collecting browsing data through its antivirus software itself, our investigation found.
Avast is currently in the process of asking existing antivirus users to opt into the practice, but multiple Avast users told Motherboard they were not aware Avast sold browsing data.
"No consumer would realistically have an inkling that their antivirus software could be selling their browsing data," Warner added. "It’s increasingly clear that the FTC hasn’t kept up with how these markets for data operate, and appears to be unwilling to use its authorities to do so. Congress can’t afford to ignore these issues any longer," the statement read.
In a statement, Avast previously said, "Because of our approach, we ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details, from people using our popular free antivirus software."
An FTC spokesperson told Motherboard in an email, "FTC investigations are nonpublic so we can’t comment on whether we are investigating a particular matter. However, we are very familiar with how these markets for data operate, and will not hesitate to take appropriate action as necessary where we find conduct that violates the laws we enforce."
Last year, the FTC testified before the House Energy and Commerce Subcommittee urging Congress to enact privacy and data security legislation that would give the FTC authority to pursue more cases.
Update: This piece has been updated to include comment from the FTC and mention its recent testimony.