Update: On Thursday and after this investigation, Avast announced it will stop the Jumpshot data collection and wind down Jumpshot’s operations with immediate effect. You can find the original story below.
An antivirus program used by hundreds of millions of people around the world is selling highly sensitive web browsing data to many of the world's biggest companies, a joint investigation by Motherboard and PCMag has found. Our report relies on leaked user data, contracts, and other company documents that show the sale of this data is both highly sensitive and is in many cases supposed to remain confidential between the company selling the data and the clients purchasing it.
The documents, from a subsidiary of the antivirus giant Avast called Jumpshot, shine new light on the secretive sale and supply chain of peoples' internet browsing histories. They show that the Avast antivirus program installed on a person's computer collects data, and that Jumpshot repackages it into various different products that are then sold to many of the largest companies in the world. Some past, present, and potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Home Depot, Condé Nast, Intuit, and many others. Some clients paid millions of dollars for products that include a so-called "All Clicks Feed," which can track user behavior, clicks, and movement across websites in highly precise detail.
Avast claims to have more than 435 million active users per month, and Jumpshot says it has data from 100 million devices. Avast collects data from users that opt-in and then provides that to Jumpshot, but multiple Avast users told Motherboard they were not aware Avast sold browsing data, raising questions about how informed that consent is.
The data obtained by Motherboard and PCMag includes Google searches, lookups of locations and GPS coordinates on Google Maps, people visiting companies' LinkedIn pages, particular YouTube videos, and people visiting porn websites. It is possible to determine from the collected data what date and time the anonymized user visited YouPorn and PornHub, and in some cases what search term they entered into the porn site and which specific video they watched.
Do you know about any other companies selling data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
Although the data does not include personal information such as users' names, it still contains a wealth of specific browsing data, and experts say it could be possible to deanonymize certain users.
In a press release from July, Jumpshot claims to be "the only company that unlocks walled garden data" and seeks to "provide marketers with deeper visibility into the entire online customer journey." Jumpshot has previously discussed some of its clients publicly. But other companies mentioned in Jumpshot documents include Expedia, IBM, Intuit, which makes TurboTax, Loreal, and Home Depot. Employees are instructed not to talk publicly about Jumpshot's relationships with these companies.
"It's very granular, and it's great data for these companies, because it's down to the device level with a timestamp," the source said, referring to the specificity and sensitivity of the data being sold. Motherboard granted the source anonymity to speak more candidly about Jumpshot's processes.
Until recently, Avast was collecting the browsing data of its customers who had installed the company's browser plugin, which is designed to warn users of suspicious websites. Security researcher and AdBlock Plus creator Wladimir Palant published a blog post in October showing that Avast harvest user data with that plugin. Shortly after, browser makers Mozilla, Opera, and Google removed Avast's and subsidiary AVG's extensions from their respective browser extension stores. Avast had previously explained this data collection and sharing in a blog and forum post in 2015. Avast has since stopped sending browsing data collected by these extensions to Jumpshot, Avast said in a statement to Motherboard and PCMag.
However, the data collection is ongoing, the source and documents indicate. Instead of harvesting information through software attached to the browser, Avast is doing it through the anti-virus software itself. Last week, months after it was spotted using its browser extensions to send data to Jumpshot, Avast began asking its existing free antivirus consumers to opt-in to data collection, according to an internal document.
"If they opt-in, that device becomes part of the Jumpshot Panel and all browser-based internet activity will be reported to Jumpshot," an internal product handbook reads. "What URLs did these devices visit, in what order and when?" it adds, summarising what questions the product may be able to answer.
Senator Ron Wyden, who in December asked Avast why it was selling users' browsing data, said in a statement, "It is encouraging that Avast has ended some of its most troubling practices after engaging constructively with my office. However I’m concerned that Avast has not yet committed to deleting user data that was collected and shared without the opt-in consent of its users, or to end the sale of sensitive internet browsing data. The only responsible course of action is to be fully transparent with customers going forward, and to purge data that was collected under suspect conditions in the past."
Despite Avast currently asking users to opt back into the data collection via a pop-up in the antivirus software, multiple Avast users said they did not know that Avast was selling browsing data.
"I was not aware of this," Keith, a user of the free Avast antivirus product who only provided their first name, told Motherboard. "That sounds scary. I usually say no to data tracking," they said, adding that they haven't yet seen the new opt-in pop-up from Avast.
"Did not know that they did that :(," another free Avast antivirus user said in a Twitter direct message.
Motherboard and PCMag contacted over two dozen companies mentioned in internal documents. Only a handful responded to questions asking what they do with data based on the browsing history of Avast users.
"We sometimes use information from third-party providers to help improve our business, products and services. We require these providers to have the appropriate rights to share this information with us. In this case, we receive anonymized audience data, which cannot be used to identify individual customers," a Home Depot spokesperson wrote in an emailed statement.
Microsoft declined to comment on the specifics of why it purchased products from Jumpshot, but said that it doesn't have a current relationship with the company. A Yelp spokesperson wrote in an email, "In 2018, as part of a request for information by antitrust authorities, Yelp's policy team was asked to estimate the impact of Google’s anticompetitive behavior on the local search marketplace. Jumpshot was engaged on a one-time basis to generate a report of anonymized, high-level trend data which validated other estimates of Google’s siphoning of traffic from the web. No PII was requested or accessed."
"Every search. Every click. Every buy. On every site."
Southwest Airlines said it had discussions with Jumpshot but didn't reach an agreement with the company. IBM said it did not have a record of being a client, and Altria said it is not working with Jumpshot, although didn't specify if it did so previously. Sephora said it has not worked with Jumpshot. Google did not respond to a request for comment.
As well as Expedia, Intuit, and Loreal, other companies which are not already mentioned in public Jumpshot announcements include coffee company Keurig, YouTube promotion service vidIQ, and consumer insights firm Hitwise. None of those companies responded to a request for comment.
On its website, Jumpshot lists some previous case studies for using its browsing data. Magazine and digital media giant Condé Nast, for example, used Jumpshot's products to see whether the media company's advertisements resulted in more purchases on Amazon and elsewhere. Condé Nast did not respond to a request for comment.
ALL THE CLICKS
Jumpshot sells a variety of different products based on data collected by Avast's antivirus software installed on users' computers. Clients in the institutional finance sector often buy a feed of the top 10,000 domains that Avast users are visiting to try and spot trends, the product handbook reads.
Another Jumpshot product is the company's so-called "All Click Feed." It allows a client to buy information on all of the clicks Jumpshot has seen on a particular domain, like Amazon.com, Walmart.com, Target.com, BestBuy.com, or Ebay.com.
In a tweet sent last month intended to entice new clients, Jumpshot noted that it collects "Every search. Every click. Every buy. On every site" [emphasis Jumpshot's.]
Jumpshot's data could show how someone with Avast antivirus installed on their computer searched for a product on Google, clicked on a link that went to Amazon, and then maybe added an item to their cart on a different website, before finally buying a product, the source who provided the documents explained.
One company that purchased the All Clicks Feed is New York-based marketing firm Omnicom Media Group, according to a copy of its contract with Jumpshot. Omnicom paid Jumpshot $2,075,000 for access to data in 2019, the contract shows. It also included another product called "Insight Feed" for 20 different domains. The fee for data in 2020 and then 2021 is listed as $2,225,000 and $2,275,000 respectively, the document adds.
Jumpshot gave Omnicom access to all click feeds from 14 different countries around the world, including the U.S., England, Canada, Australia, and New Zealand. The product also includes the inferred gender of users "based on browsing behavior," their inferred age, and "the entire URL string" but with personally identifiable information (PII) removed, the contract adds.
Omnicom did not respond to multiple requests for comment.
According to the Omnicom contract, the "device ID" of each user is hashed, meaning the company buying the data should not be able to identify who exactly is behind each piece of browsing activity. Instead, Jumpshot's products are supposed to give insights to companies who may want to see what products are particularly popular, or how effective an ad campaign is working.
"What we don't do is report on the Jumpshot Device ID that executed the clicks to protect against the triangulation of PII," one internal Jumpshot document reads.
But Jumpshot's data may not be totally anonymous. The internal product handbook says that device IDs do not change for each user, "unless a user completely uninstalls and reinstalls the security software." Numerous articles and academic studies have shown how it is possible to unmask people using so-called anonymized data. In 2006, New York Times reporters were able to identify a specific person from a cache of supposedly anonymous search data that AOL publicly released. Although the tested data was more focused on social media links, which Jumpshot redacts somewhat, a 2017 study from Stanford University found it was possible to identify people from anonymous web browsing data.
"De-identification has shown to be a very failure-prone process. There are so many ways it can go wrong," Günes Acar, who studies large-scale internet tracking at the Computer Security and Industrial Cryptography research group at the Department of Electrical Engineering of the Katholieke Universiteit Leuven, said.
De-anonymization becomes a greater concern when considering how the eventual end-users of Jumpshot's data could combine it with their own data.
"Most of the threats posed by de-anonymization—where you are identifying people—comes from the ability to merge the information with other data," Acar said. A set of Jumpshot data obtained by Motherboard and PCMag shows how each visited URL comes with a precise timestamp down to the millisecond, which could allow a company with its own bank of customer data to see one user visiting their own site, and then follow them across other sites in the Jumpshot data.
"It's almost impossible to de-identify data," Eric Goldman, a professor at the Santa Clara University School of Law, said. "When they promise to de-identify the data, I don't believe it."
Motherboard and PCMag asked Avast a series of detailed questions about how it protects user anonymity as well as details on some of the company's contracts. Avast did not answer most of the questions but wrote in a statement, "Because of our approach, we ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details, from people using our popular free antivirus software."
"Users have always had the ability to opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an explicit choice, a process which will be completed in February 2020," it said, adding that the company complies with the California Consumer Privacy Act (CCPA) and Europe's General Data Protection Regulation (GDPR) across its entire global user base.
"We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data," the statement added.
"It's almost impossible to de-identify data."
When PCMag installed Avast's antivirus product for the first time this month, the software did ask if they wanted to opt-in to data collection.
"If you allow it, we'll provide our subsidiary Jumpshot Inc. with a stripped and de-identified data set derived from your browsing history for the purpose of enabling Jumpshot to analyze markets and business trends and gather other valuable insights," the opt-in message read. The pop-up did not go into detail on how Jumpshot then uses this browsing data, however.
"The data is fully de-identified and aggregated and cannot be used to personally identify or target you. Jumpshot may share aggregated insights with its customers," the pop-up added.
Just a few days ago, the Twitter account for Avast subsidiary AVG tweeted, "Do you remember the last time you cleaned your #browser history? Storing your browsing history for a long time can take up memory on your device and can put your private info at risk."
Update: This piece has been updated to include a response from Sephora.
Subscribe to our cybersecurity podcast, CYBER.