- Home page
- Why Avast antivirus is at the heart of a privacy controversy
The company Avast has been in the midst of much controversy since last fall, due to the monetization of its users’ browsing habits. Although the group took steps to anonymize them, subsequent surveys showed that this process could be reversed. Since then, the publisher’s gone backwards.
Big weather warning for Avast. The famous Czech antivirus has been at the heart of a major controversy for several months now over the way it collects and monetizes the browsing habits of its customers. This controversy was given a new impetus on 27 January with the joint publication by Motherboard and PCMag of a survey criticising a little more the business conducted by the publisher.
The two publications are particularly critical of Avast’s claims to protect the privacy of its users. The company, which had already been singled out in December, said it had additionally put in place a data anonymisation procedure to avoid associating online activities with a particular person. But in reality, it’s far from certain.
The premises of the antivirus editor // Source: Avast
“Avast collects the history of web browsers of Internet users under the pretext that the data has been ‘de-identified’ […]. But this data, which is sold to third parties, can be linked to the true identity of individuals,” warns PCMag at the outset, which may in fact compromise the private, or even intimate, nature of some online queries.
Experts quoted by Motherboard confirm: “De-identification has proven to be a very fail-prone process. There are so many ways it can go wrong,” Judge Günes Acar said. “Most of the threats posed by de-anonymization come from the ability to merge information with other data,” he adds. Eric Goldman is adamant: “It’s almost impossible to de-identify the data.
The release of these two articles is a major breakthrough in the media release of Ondrej Vlcek, the head of Avast, on 9 December, after the first controversies involving the browser extensions of Avast and AVG (which also belongs to the Czech publisher). At the time, in Forbes’s columns, he had assured that there was no scandal here in connection with the private lives of his clients.
As a sign of the seriousness of the affair, Mozilla removed no less than four extensions (two from Avast and two from AVG) as a retaliation, just like Opera. Google had followed suit, setting aside three extensions, after Wladimir Palant’s reports, who had been at the root of the case on 28 October 2019 in a blog post denouncing the spying of Avast Online Security and Avast Secure Browser.
Mozilla has reacted by temporarily excluding the disputed extensions until they are rectified // Source: Mozilla
Ondrej Vlcek explained to the magazine that his web browser extensions do indeed collect the surfing habits of Internet users. Once this step has been completed, anything that might reveal the identity of an individual is removed (this can be a name in a URL, as in the case of a link pointing to a Facebook profile), then what remains is sent to Avast’s servers.
The analytical work is then carried out by a company called Jumpshot, which is 65 % owned by Avast. The results of these analyses are then sold to various customers (Google, Microsoft, Pepsi, Sephora or Yelp are mentioned among past or potential customers). According to Avast, this is only a glimpse of how “cohorts of Internet users” use the web.
“We do not allow any advertiser or third party to obtain access through Avast or to data that would allow the third party to target that particular person,” said Ondrej Vlcek, before the January surveys challenged his claims. And to state that this activity is actually minimal in the group’s business – about 5%.
The controversy that has been going on since December is likely to be difficult for Avast to pass off as the company finds itself in a paradoxical situation: the company, which markets solutions to protect Internet users, finds itself in an activity that is likely to expose them, even if it takes measures to ensure that the data does not make it possible to find someone.
However, despite Ondrej Vlcek’s assurances, there was a problem with privacy since, according to Motherboard and PCMag, Avast stopped sending Jumpshot the data on surfing habits that its various browser extensions collected. These are again available in the application shops of the browsers.