Avast Faces $16.5m Fine for Unlawfully Selling User Browsing Data

UK-based cybersecurity firm Avast will be fined $16.5m by the US Federal Trade Commission (FTC) for selling customer web browsing data to third parties.

This broke Avast’s promises that its products would protect customers from online tracking, according to the consumer protection agency.

Under the proposed consent order, Avast will also be prohibited from selling or licensing any web browsing data for advertising purposes, and is expected to provide redress to customers.

Avast Unlawfully Sold User Data

The FTC order found that the company has collected consumers’ browsing information through Avast browser extensions and antivirus software installed on their computers and mobile devices since at least 2014.

This information included:

  • The URLs of webpages visited
  • The URLs of background resources, such as images pulled from domains other than the displayed URL
  • Consumers’ search queries
  • The value of cookies placed on consumers’ computers by third parties

These insights could reveal highly sensitive information about users, including their religious beliefs, political views and financial status.

The FTC said this data was stored indefinitely and sold without adequate notice and without consumer consent.

For example, products like browser extensions and desktop software could be installed without viewing any disclosures about Avast’s collection or sale of browsing information or seeing a link to the company’s privacy policy.

The order also argued that Avast deceived customers by making representations that its software would protect consumers’ privacy by blocking third-party tracking.

This includes claims that the vendor would “block annoying tracking cookies that collect data on your browsing activities.”

In total, Avast is believed to have sold consumer browsing data to over 100 third parties through its subsidiary, Jumpshot. These third parties included consulting firms, investment companies, advertising companies, marketing data analytics companies and search engine optimization firms.

Jumpshot was a competitor anti-virus software provider acquired by Avast in 2013. It subsequently rebranded as an analytics company.

Avast and Jumpshot purported to find and remove identifying information prior to each transfer of consumer browsing data via a proprietary algorithm developed by Avast.

However, the FTC said this process was not sufficient to anonymize consumers’ browsing information, which Jumpshot then sold in non-aggregate form.

Jumpshot allegedly entered unique contracts with large data buyers to provide a large number of custom data feeds that permitted invasive uses of consumers’ browsing information. This includes an agreement with advertising giant Omnicom to provide an “All Clicks Feed” for 50% of its customers in the US, UK, Mexico, Australia, Canada, and Germany.

Its actions were found to have breached the Federal Trade Commission Act on several counts.

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, commented: “Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite.

“Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”

Other Required Remediations for Avast

In addition to the fine and ban on selling web browsing data, Avast will be required to:

  • Inform consumers whose browsing information was sold to third parties without their consent about the FTC’s actions against the company
  • Delete the web browsing information transferred to Jumpshot
  • Implement a comprehensive privacy program that addresses the misconduct highlighted by the FTC
  • Obtain affirmative express consent from consumers before selling or licensing browsing data from non-Avast products to third parties for advertising purposes

The FTC will publish a description of the consent agreement package shortly, which will be subject to public comment for 30 days in the Federal Register.

After this period, the Commission will decide whether to make the proposed consent order final.

In a statement responding to the FTC’s order, Avast said: "While we disagree with the FTC's allegations and characterisation of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world."
