Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

FTC Accuses Avast of Selling Customer Browsing Data to Advertisers

European security vendor Avast is charged with harvesting consumer web browsing data through its browser extension and anti-virus software and “and sold it without adequate notice and without consumer consent.”

The US government’s consumer protection agency is moving to ban anti-malware software vendor Avast from selling customer web browsing data to third-party advertising companies.

A complaint from the Federal Trade Commission (FTC) accused the European security company of unfairly collecting consumer web browsing data through its browser extension and anti-virus software and “and sold it without adequate notice and without consumer consent.”

The agency also plans to slap Avast with a $16.5 million fine and an order to stop selling or licensing any web browsing data for advertising purposes.

In its complaint, the FTC also charges the Czech company deceived users by claiming that the software would protect consumers’ privacy by blocking third party tracking, but failed to adequately inform consumers that it would sell their detailed, re-identifiable browsing data. 

The complaint alleges that Avast sold that data to more than 100 third parties through its Jumpshot subsidiary.

 “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law,” said FTC director Samuel Levine. “Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite.”

The FTC said the browsing data, collected and resold since at least 2014, included information about users’ web searches and the web pages they visited — revealing consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information.

The commission said Avast acquired rival Jumpshot and rebranded the firm as an analytics play that sold browsing information that Avast had collected to advertising, marketing and data analytics companies and data brokers.

Advertisement. Scroll to continue reading.

Despite Avast claims that it used special tools to remove identifying information before transferring the data to its clients, the watchdog agency said the company failed to sufficiently anonymize consumers’ browsing information that it sold in non-aggregate form through various products. 

“For example, its data feeds included a unique identifier for each web browser it collected information from and could include every website visited, precise timestamps, type of device and browser, and the city, state, and country. When Avast did describe its data sharing practices, Avast falsely claimed it would only transfer consumers’ personal information in aggregate and anonymous form, according to the complaint,” the FTC said.

UPDATE: Avast has issued the following statement on the FTC’s proposed order:

Avast has reached a settlement with the FTC to resolve its investigation of Avast’s past provision of customer data to its Jumpshot subsidiary that Avast voluntarily closed in January of 2020. We are committed to our mission of protecting and empowering people’s digital lives. While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world.”

Related: UK Clears Norton’s $8B Avast Cyber Security Takeover

Related: FTC Orders Blackbaud to Address Poor Security Practices

Related: Flaws in Avast, AVG Software Could Cause Attacks on Millions of Devices

Related: FTC Accuses Data Broker of Selling Sensitive Location Data

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Shay Mowlem has been named CMO of runtime and application security company Contrast Security.

Attack detection firm Vectra AI has appointed Jeff Reed to the newly created role of Chief Product Officer.

Shaun Khalfan has joined payments giant PayPal as SVP, CISO.

More People On The Move

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Data Protection

While quantum-based attacks are still in the future, organizations must think about how to defend data in transit when encryption no longer works.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...