Avast, an antivirus program with more than 435 million users worldwide, said it will stop collecting and selling the private web browsing histories of its users following a joint investigation by Motherboard and PCMag into the sale of that data. In addition, Avast said it will completely shut down Jumpshot, the subsidiary company it used to sell this data.
Our investigation found that Avast, through a subsidiary called Jumpshot, made millions of dollars following its users around the internet. Jumpshot told its clients, which include Microsoft, Google, McKinsey, Pepsi, Home Depot, Yelp, and many others that it could track “every search. Every click. Every buy. On every site.”
Avast CEO Ondrej Vlcek wrote in a public letter Thursday morning that he and the company’s board of directors have decided to “terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect.”
Do you know about any other companies selling data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Earlier Thursday, the company announced that it had agreed to buy back a 35 percent stake in Jumpshot that it sold to the data analytics and marketing company Ascential last year. In July, Avast said that the 35 percent stake in Jumpshot was worth $60.76 million.
Vlcek, who became CEO of Avast seven months ago, said he has spent the first few months of his job “re-evaluating every portion of our business,” and that the Jumpshot revelations had eroded trust in the company: "I feel personally responsible and I would like to apologize to all concerned."
“I came to the conclusion that the data collection business is not in line with our privacy priorities as a company in 2020 and beyond,” he wrote. “It is key to me that Avast’s sole purpose is to make the world a safer place, and I knew that ultimately, everything in the company would have to become aligned with that North Star of ours.”
Vlcek said that the decision to shut down Jumpshot “will regrettably impact hundreds of loyal Jumpshot employees and dozens of its customer [but] it is absolutely the right thing to do.”
Multiple senators had called for action following Motherboard and PCMag's investigation. Senator Ron Wyden said "The only responsible course of action is to be fully transparent with customers going forward, and to purge data that was collected under suspect conditions in the past."
Senator Mark Warner said "Congress can’t afford to ignore these issues any longer." A spokesperson for Democratic presidential frontrunner Bernie Sanders added “If the FTC is to regain credibility and serve the public interest, it must take a stronger stand on issues like this one.”
In a new statement, Wyden said "Avast’s past practice of marrying antivirus software with the secret mining of consumers’ data was a terrible move. But the decision today to shutter its data broker subsidiary is a model for how companies should respond to criticism of privacy abuses. To stop future abuses, Congress needs to pass my bill to hold companies and their CEOs accountable for abusing Americans’ personal information."
Update: This piece has been updated to include a new statement from Senator Wyden.
Joseph Cox contributed reporting to this piece.
Subscribe to our cybersecurity podcast, CYBER.