The US Federal Trade Commission (FTC) has filed charges against cybersecurity firm Avast, accusing it of collecting and selling consumer web browsing data gathered through its browser extension and antivirus services. The antivirus firm is accused of selling the data to advertising companies without user consent.
According to the complaint, the cybersecurity firm advertised its products as privacy-friendly. The company claimed its software would “block[] annoying tracking cookies that collect data on your browsing activities” and “[p]rotect your privacy by preventing . . . web services from tracking your online activity.”
“Since at least 2014, Respondents have collected consumers’ browsing information through browser extensions and antivirus software installed on consumers’ computers and mobile devices,” reads the FTC’s complaint. “Respondents sold the browsing information that they purported to protect, in many instances without notice to users.”
Avast subsidiary Jumpshot sold the collected information to over 100 third parties between 2014 and 2020.
The FTC will also fine Avast $16.5 million and order it to stop selling or licensing any web browsing data for advertising purposes.
Data collected by Avast could allow third parties to profile users and their habits. The cybersecurity firm could have combined this type of information with persistent identifiers that it created and that uniquely identified each consumer’s device.
Collected browsing information, including web searches and webpages visited, revealed consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content, and interest in prurient content.
The Czech security company claimed to have anonymized the data before selling it to third parties, but the FTC believes that the process did not prevent the identification of the users.
“Using a proprietary algorithm developed by Avast, Avast and Jumpshot purported to find and remove identifying information prior to each transfer of consumer browsing information to Jumpshot’s servers. But this process was not sufficient to anonymize consumers’ browsing information, which Jumpshot then sold, in non-aggregate form, through a variety of different products to third parties,” states the complaint.
Below is the statement shared by Avast in response to the FTC:
“Avast has reached a settlement with the FTC to resolve its investigation of Avast’s past provision of customer data to its Jumpshot subsidiary that Avast voluntarily closed in January of 2020. We are committed to our mission of protecting and empowering people’s digital lives. While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world.”
(SecurityAffairs – hacking, AVAST)
Laws and regulations / December 23, 2024