FTC hits Avast with $16.5 million fine over allegations of selling users’ browsing data
Avast Limited will pay $16.5 million and be barred from selling or licensing web browsing data for advertising as part of a settlement with the Federal Trade Commission (FTC), which alleges the company and its subsidiaries sold vast amounts of aggregated, re-identifiable browsing data to third parties, the agency announced Thursday.
The FTC alleges that Avast’s Czechia-based cybersecurity software arm used its browser extensions and antivirus software to collect, indefinitely store and allow a partner company to sell users’ web browsing histories from 2014 to 2020 without “adequate” notice and consumer consent.
Avast also “deceived users by claiming that the software would protect consumers’ privacy by blocking third party tracking,” the agency said. What Avast didn’t say, the FTC alleged in its complaint, is that it would peddle their “detailed, re-identifiable browsing data.”
Avast sold the web browsing data to more than 100 third parties through its Delaware-based subsidiary Jumpshot, the FTC alleges. “Re-identifiable” means the data could be combined with other publicly held data, or with data amassed by data brokers, to determine the identity of specific consumers.
The FTC complaint said that while Avast and its subsidiaries were telling customers its software would “block[] annoying tracking cookies that collect data on your browsing activities” and that it would “[p]rotect your privacy by preventing . . . web services from tracking your online activity,” in actuality it was flagrantly profiting from users’ data, without providing proper notice.
A spokesperson for Avast, officially based in London, said the company settled with the FTC to “resolve its investigation of Avast’s past provision of customer data to its Jumpshot subsidiary that Avast voluntarily closed in January of 2020.”
“We are committed to our mission of protecting and empowering people’s digital lives,” the statement said. “While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world.”
The FTC complaint notes that Avast’s product was meant to deliver security and privacy, making the breach of consumer privacy all the more egregious.
For example, beginning in 2015, the complaint said, on the download page for Avast Desktop Software, the company encouraged users to “reclaim your browser” and “shield your privacy” by getting “rid of unwanted extensions and hackers making money off your searches.”
The actual selling of the web browsing data was led by Avast’s American subsidiary Jumpshot, which the FTC said told customers that data from its more than 100 million online global consumers could allow them to “see where your audience is going before and after they visit your site or your competitors’ sites, and even track those who visit a specific URL.”
Jumpshot, originally an antivirus software provider, was remade into an analytics firm upon being acquired by Avast Limited in 2014. The company closed Jumpshot in 2020.
Clients buying the information included consulting firms, investment companies, advertising companies, marketing data analytics companies, individual brands, search engine optimization firms and data brokers, the FTC said in its complaint.
The company relied on a faulty algorithm to de-identify data, the FTC said.
“Using a proprietary algorithm developed by Avast, Avast and Jumpshot purported to find and remove identifying information prior to each transfer of consumer browsing information to Jumpshot’s servers,” the FTC complaint said. “But this process was not sufficient to anonymize consumers’ browsing information, which Jumpshot then sold, in non-aggregate form, through a variety of different products to third parties.”
Extremely detailed re-identifiable data
The granularity of the web browsing data Jumpshot allegedly sold is striking, including each web page visited, precise timestamps, the type of device and browser used, and the city, state and country where a user was based, the complaint said. The FTC added that much of the data sold included a “unique and persistent device identifier associated with each particular browser … allowing Jumpshot and the third-party buyer to trace individuals across multiple domains over time.”
Jumpshot sold the data to companies with massive reach, including the advertising giant Omnicom. A 2017 contract with Omnicom contained terms requiring Jumpshot to provide an “All Clicks Feed” — meaning all URLs “clicked during particular consumers’ browsing sessions” — for half of Omnicom’s U.S., U.K., Mexican, Australian, Canadian and German clients, across all domains.
Omnicom was also allowed to “associate Avast’s data with data brokers’ sources of data, on an individual user basis,” the FTC said in a press release.
“The contract also permitted Omnicom to ‘transmit, market and sublicense’ to its own customers products derived from the raw data,” the complaint said, adding that Jumpshot’s fee in the deal was about $2 million per year.
Privacy advocates were stunned by the extent of the violations and called the case unprecedented.
“It's hard to overstate how invasive Avast's actions were,” said John Davisson, litigation director at the Electronic Privacy Information Center. “Browsing information is among the most sensitive personal data there is, often yielding private insights that consumers don't even share with family or friends.”
Davisson added that the case underscores how companies use “false assurances of ‘anonymized’ data to defend their commercial exploitation of our personal information.”
Avast closed Jumpshot after the FTC notified the company of its investigation, the complaint said.
How it worked
Prior to being closed, Jumpshot never deleted any of the data it amassed over six years of siphoning data from Avast’s Czech software subsidiary. When it closed in January 2020, Jumpshot held more than eight petabytes of browsing information going back to 2014, the FTC complaint said.
Pointing to a random sample of 100 data entries held by the company, the FTC said it found searches for breast cancer symptoms; an announcement for Sen. Elizabeth Warren’s presidential candidacy; Google Maps directions from one location to another; a link to a French dating website, including a unique member ID; and cosplay erotica.
The complaint said this browsing information was then paired with “persistent identifiers,” including by identifying each consumer’s unique device.
The data included “identifiers collected directly from consumers’ devices—as well as coarse location information. The fact that browsing information was linked to an identifier over time increased the likelihood that a consumer could be reidentified,” the complaint said.
What’s next
The $16.5 million fine is paired with several conditions meant to stop Avast and its subsidiaries from deceiving consumers about how they treat consumer data. These conditions, outlined in a proposed order, include:
- A prohibition on selling browsing data to third parties for advertising.
- A requirement to get express consent from consumers before “selling or licensing browsing data from non-Avast products to third parties for advertising purposes.”
- The creation of a data and model deletion program under which the company erases web browsing information it still holds.
- A requirement to notify consumers whose browsing information was sold without consent.
- A mandate for a privacy program addressing the misconduct identified by the FTC.
Editor's Note: Updated with statement from Avast at 3:35 p.m. Eastern.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.