Avast dumps subsidiary Jumpshot over data-selling controversy

A joint investigation by PCMag and Motherboard found that Avast had been selling “highly sensitive” browsing data from its users. The free software is used widely, with Avast boasting that it has more than 435 million active users.

The investigation found that the free software collects browsing data, which was being repackaged and sold by Jumpshot, an Avast subsidiary. Jumpshot claims to sell “Every search. Every click. Every buy. On every site.”

Clients include Google, Microsoft, Unilever, McKinsey, Revlon, Yelp, Home Depot, Pepsi, and Conde Nast. Some of these clients paid millions for “All Clicks Feed” packages, which tracked browsing activity in minute detail, down to every click within an individual domain. Data included search engine queries, URLs and the exact time they were visited, and in some cases specific search terms used on pornographic websites. Jumpshot claimed to have collected data from 100 million devices.

Avast said that personal information, such as names, email addresses and other contact details were never sold and that it can protect privacy by anonymising datasets. However, the investigation found that the datasets being sold could be linked to individual users in some cases.

Avast has not denied the allegations made in the PCMag and Motherboard reports.

In a blog post, Avast CEO Ondrej Vlcek apologised and announced that the board of directors has agreed to “terminate the Jumpshot data collection and wind down Jumpshot’s operations” with immediate effect.

According to Vleck, Jumpshot was started in 2015 with the idea of extending Avast’s data analytics capabilities beyond core security, with Avast using its tools and resources to do this more securely than other data collection companies. He wrote that he had spent much of his seven months as CEO re-evaluating the data collection side of the business and had concluded that it is “not in line with our privacy priorities as a company in 2020 and beyond”. However, Vleck asserts that the company acted within the law, including complying with GDPR.

Senator Ron Wyden, a prominent tech hawk who has previously scrutinised Avast over its data-selling practices, wrote on Twitter: “I commend Avast for taking these steps to secure consumer data after I requested additional information about their practices of selling data to shady third parties. This should be the rule, not the exception.”