Avast Shells Out $17M To Shoo Away Claims It Peddled People's Personal Data

Avast has agreed to cough up $16.5 million after the FTC accused the antivirus vendor of selling customer information to third parties.

The US regulator filed [PDF] a lengthy complaint against Avast regarding its use and alleged misuse of customer data. The security shop collected people's info through its browser extensions and antivirus software, stored it indefinitely, failed to properly anonymize it, and sold it to "more than 100 third parties" – including "advertising, marketing and data analytics companies and data brokers," the FTC alleged.

"While the FTC's privacy lawsuits routinely take on firms that misrepresent their data practices, Avast's decision to expressly market its products as safeguarding people's browsing records and protecting data from tracking only to then sell those records is especially galling," FTC chair Lina Khan declared in a statement [PDF] earlier today.

Avast apparently sold the data through a subsidiary, Jumpshot, that it purchased in 2014 and set up as an analytics firm. According to the FTC's allegations it sold browsing information collected by its parent from 2014 until Avast grounded the biz in 2020 when allegations of customer data sales emerged.

"Browsing data [sold by Jumpshot] included information about users' web searches and the web pages they visited – revealing consumers' religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information," the FTC alleged.

Beyond simply collecting and selling the data, the FTC argued that Avast's attempts to anonymize user info were paltry at best – allowing buyers to easily re-associate their data troves with an individual. Data feeds from Jumpshot included unique identifiers that could be teased out to determine device type and location, and contracts that were supposed to protect user data "were worded in a way that enabled data buyers to associate non-personally identifiable information with Avast users," the watchdog revealed.

By 2020 when it was shut down, Jumpshot had reportedly amassed more than eight petabytes of browsing data, according to the FTC complaint.

• Avast's AntiTrack promised to protect your privacy. Instead, it opened you to miscreant-in-the-middle snooping
• 'I Don't Care About Cookies' extension sold to Avast
• Been hit by BianLian ransomware? Here's your get-out-of-jail-free card
• MOVEit victim count latest: 2.6K+ orgs hit, 77M+ people's data stolen

In addition to paying $16.5 million to the FTC, Avast has been prohibited from selling browser data and must destroy all web browsing data transferred to Jumpshot as well as any algorithms derived from said data. Avast will also have to ensure it secures express consent for data licensing from users, implement a privacy program, and inform all users whose data was sold by Jumpshot about the FTC's decision.

Avast has not, however, admitted guilt – a typical outcome in these sorts of scenarios.

"Avast has reached a settlement with the FTC to resolve its investigation of Avast's past provision of customer data to its Jumpshot subsidiary that Avast voluntarily closed in January of 2020," Avast told The Register on Thursday.

"While we disagree with the FTC's allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world." ®