Avast has been fined $16.5m by the US Federal Trade Commission. The regulator said that the cybersecurity firm had been harvesting information from users about their browsing habits through its antivirus software. The FTC added that Avast misled users by informing them that their software would protect their online privacy by blocking third-party trackers, while instead collecting and then re-selling their re-identifiable browsing data.
“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” said the director of the FTC’s Bureau of Consumer Protection, Samuel Levine. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”
Avast sold user data since 2014
The FTC said that Avast had been collecting users’ browser data since 2014. This included their search history which, when pieced together by interested third parties, revealed “consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information.”
Most of this data was sold to customers by Jumpshot, an analytics company and a Czech subsidiary of Avast. While publicly claiming it was anonymising the information it had acquired through the use of what it described as a “special algorithm,” Jumpshot did nothing of the kind, failing to remove unique identifiers that could be associated with individual users’ web browsers. It was in this way that customer data was sold to over 100 third parties, including advertising companies, data brokers and analytics firms.
Cybersecurity firm to be banned from re-selling browser data
In addition to fining the cybersecurity firm $16.5m for these infractions, the FTC has also issued a proposed order to prevent Avast from re-selling or licensing browser data. The company will also be required to obtain explicit consent from users when Avast wishes to re-sell or license browsing data it has acquired from non-Avast products, delete any web browsing data delivered to Jumpshot, and “inform consumers whose browsing information was sold to third parties without their consent about the FTC’s actions against the company.”
A spokesperson from Avast told Reuters that the company had agreed to pay the fine issued by the FTC and that it had closed Jumpshot in 2020 following a joint investigation by Motherboard and PCMag. As for the other provisions of the proposed order, they said, the “operational provisions of the settlement are already consistent with Avast’s current privacy and security programs.”