Antivirus (AV) software giant Avast has announced that it will wind down one of its subsidiary businesses just days after leaked documents revealed the extent to which the Czech company was selling users' browsing data to third-parties.
On Monday, Vice and PCMag published details on how Avast had been collating browsing data covering web properties such as Google Maps and Search, LinkedIn, and youtube, and then repackaging it for sale under a subsidiary called Jumpshot which has claimed clients such as Google, Microsoft, Yelp, Pepsi, Home Depot, and Condé Nast. Although the data was not thought to contain any personally identifiable information, it is often possible to “deanonymize” data through combining and aligning it with other different datasets to spot shared patterns.
Jumpshot was officially founded back in 2010 but officially launched from a Kickstarter-funded project back in 2012. In its original guise, Jumpshot was a PC-based software that promised to rid machines from viruses, spyware, and such like, and was eventually bought by Avast the following year.
According to the latest report, some Jumpshot clients paid millions of dollars for various different products, including something called an “all clicks feed” which was apparently able to track user behavior such as clicks and movements between websites. To a company such as Google — which has so far declined to comment on the report — this can significantly improve and measure targeted advertisements.
Now, Avast has said that it plans to “terminate its provision of data” to Jumpshot, and ultimately will pull the plug on the product altogether. This won't impact Avast's core products, but it will seemingly diminish a significant revenue-generating stream for the company.
Data harvesting has played an increasingly prominent role in the online privacy debate, with the Facebook and Cambridge Analytica fiasco highlighting how digital data can be leveraged by political or commercial entities without the active knowledge of the users involved.
With more than 400 million users, Avast is among the top five antivirus providers globally and remains one of the industry's most well-known brands. By shuttering Jumpshot, this is Avast essentially trying to protect its core AV software business, particularly since the company now has public shareholders to answer to following its 2018 IPO. Avast's shares had risen by around 90% year-on-year up until this week, but in the days following Vice‘s report, the company's stock fell by 25%.
In truth, Jumpshot had made no secret of the fact that it leveraged Avast data, and has previously revealed that it uses data from 100 million devices including PCs, smartphones, and tablets. But this latest report not only highlights the extent to which the data was used, but also raises questions over how much consent it really had from users. Ultimately, transparency is the big question here.
According to Avast, up until last year users had to opt-out of the program, which means that many people likely would not have been fully aware that they were sharing data. The company said that from July, 2019, it “begun implementing” an opt-in choice for all new downloads, while it said that it's also now starting to prompt existing “free” users to make a choice over whether to share their data with Jumpshot.
Anyone installing Avast now see this opt-in box during setup — it does mention that it “may share” aggregated insights with its customers. Avast also told Vice that it complies with privacy regulations such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in Europe, however that really is up for debate.
Indeed, GDPR specifically forbids pre-ticked opt-in boxes, and the fact that Avast chooses to highlight the “I Agree” button could be construed as an attempt to influence the selection of the user. This is what is known as “dark pattern design,” and many technology companies — including Facebook — employ similar tactics to encourage users to agree to their whims. Last year, two U.S. senators introduced a new bill to ban social media firms from using dark pattern interface design techniques.
That Avast and Jumpshot had been working together to sell user data was not a closely guarded secret, but it's fairly clear that Avast has not been entirely open from the outset about this to the average user when installing the software — it was first an opt-out, and still today new users are guided toward agreeing to share data through interface's design.
This is an issue that has reared its head time and time again. It's not so much the data-sharing itself that is the issue, it's the lack of clarity and transparency that is the core underlying problem. Last year, Apple and Google were forced to temporarily halt human voice-data reviews from their digital assistants following a major privacy backlash, but again the core issue was that the companies had not been open about the fact that they used employees and contractors to listen in on private conversations.
Given that Avast's pitch to its users is one of security and privacy, spanning antivirus software, VPNs, among other tools, that it was sharing data at all with third-parties is not a great look. The issues around transparency make the whole thing worse.
“Avast's core mission is to keep its users safe online and to give users control over their privacy,” Acast CEO Ondrej Vlcek said. “The bottom line is that any practices that jeopardize user trust are unacceptable to Avast. We are vigilant about our users' privacy, and we took quick action to begin winding down Jumpshot's operations after it became evident that some users questioned the alignment of data provision to Jumpshot with our mission and principles that define us as a company.”