Data Protection Authority Investigates Avast for Selling Users’ Browsing History

The move comes after a joint Motherboard and PCMag investigation uncovered details of the data collection through a series of leaked documents.
February 12, 2020, 3:48pm
Avast CEO Ondrej Vlcek
Image: Simon Dawson/Bloomberg via Getty Images

On Tuesday, the Czech data protection authority announced an investigation into antivirus company Avast, which was harvesting the browsing history of over 100 million users and then selling products based on that data to a slew of different companies including Google, Microsoft, and Home Depot. The move comes after a joint Motherboard and PCMag investigation uncovered details of the data collection through a series of leaked documents.

"On the basis of the information revealed describing the practices of Avast Software s.r.o., which was supposed to sell data on the activities of anti-virus users through its ‘Jumpshot division’ the Office initiated a preliminary investigation of the case," a statement from the Czech national data protection authority on its website reads. Under the European General Protection Regulation (GDPR) and national laws, the Czech Republic, like other EU states, has a data protection authority to enforce things like mishandling of personal data. With GDPR, companies can be fined for data abuses.

"At the moment we are collecting information on the whole case. There is a suspicion of a serious and extensive breach of the protection of users’ personal data. Based on the findings, further steps will be taken and general public will be informed in due time,“ added Ms Ivana Janů, President of the Czech Office for Personal Data Protection, in the statement. Avast is a Czech company.

Do you know about any other companies selling data? Do you have documents related to this? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Motherboard and PCMag's investigation found that the data sold included Avast users' Google searches and Google Maps lookups, particular YouTube videos, and people visiting specific porn videos. The data was anonymized, but multiple experts said it could be possible to unmask the identity of users, especially when that data, sold by Avast's subsidiary Jumpshot, was combined with other data that its clients may possess.

Days after the investigation, Avast bought back a 35 percent stake in Jumpshot worth $61 million, and shuttered Jumpshot. Avast's valuation fell by a quarter, will incur costs between $15 and $25 million, and the closure Jumpshot will cut annual revenues by around $36 million and underlying profits by $7 million, The Times reported.

In a statement which PCMag shared with Motherboard, Avast said “We are in receipt of the DPA's request and we will diligently work with the DPA in full cooperation. We take concern about our users' privacy very seriously, which is why we voluntarily made changes to our privacy policy in December, and made the decision to close Jumpshot last month. Avast's core mission is to keep its users' data safe online, and any practice that jeopardizes user trust is unacceptable. Protecting user privacy is embedded in everything we do in our business, and as such we remain focused on continuing to innovate our products for the benefit of our users and their privacy.”

Subscribe to our cybersecurity podcast, CYBER.

This article originally appeared on VICE US.