Editors’ Note: In January 2020, we learned about a problem with sharing of user data between Avast and its subsidiary Jumpshot. Based on this privacy slip, we knocked this product’s rating down one-half star and removed its Editors’ Choice designation. Avast resolved the problem and terminated Jumpshot shortly thereafter. We’ve seen no sign of any inappropriate use of private user data since then, so we’ve taken Avast out of the penalty box, restoring its star rating and Editors’ Choice honor.
Your antivirus should protect you, but what if it’s handing over your browser history to a major marketing company?
Relax. That’s what Avast told the public after its browser extensions were found harvesting users’ data to supply to marketers. Last month, the antivirus company tried to justify the practice by claiming the collected web histories were stripped of users’ personal details before being handed off.
“The data is fully de-identified and aggregated and cannot be used to personally identify or target you,” Avast told users, who opt in to the data sharing. In return, your privacy is preserved, Avast gets paid, and online marketers get a trove of “aggregate” consumer data to help them sell more products.
There’s just one problem: What should be a giant chunk of anonymized web history data can actually be picked apart and linked back to individual Avast users, according to a joint investigation by PCMag and Motherboard(Opens in a new window).
How ‘De-Identification’ Can Fail
The Avast division charged with selling the data is Jumpshot, a company subsidiary that’s been offering access to user traffic from 100 million devices, including PCs and phones. In return, clients—from big brands to e-commerce providers—can learn what consumers are buying and where, whether it be from a Google or Amazon search, an ad from a news article, or a post on Instagram.
The data collected is so granular that clients can view the individual clicks users are making on their browsing sessions, including the time down to the millisecond. And while the collected data is never linked to a person’s name, email or IP address, each user history is nevertheless assigned to an identifier called the device ID, which will persist unless the user uninstalls the Avast antivirus product.
For instance, a single click can theoretically look like this:
Device ID: abc123x Date: 2019/12/01 Hour Minute Second: 12:03:05 Domain: Amazon.com Product: Apple iPad Pro 10.5 – 2017 Model – 256GB, Rose Gold Behavior: Add to Cart
At first glance, the click looks harmless. You can’t pin it to an exact user. That is, unless you’re Amazon.com, which could easily figure out which Amazon user bought an iPad Pro at 12:03:05 on Dec. 1, 2019. Suddenly, device ID: 123abcx is a known user. And whatever else Jumpshot has on 123abcx’s activity—from other e-commerce purchases to Google searches—is no longer anonymous.
PCMag and Motherboard learned about the details surrounding the data collection from a source familiar with Jumpshot’s products. And privacy experts we spoke to agreed the timestamp information, persistent device IDs, along with the collected URLs could be be analyzed to expose someone’s identity.
“Most of the threats posed by de-anonymization—where you are identifying people—comes from the ability to merge the information with other data,” said Gunes Acar, a privacy researcher who studies online tracking.
He points out that major companies such as Amazon, Google, and branded retailers and marketing firms can amass entire activity logs on their users. With Jumpshot’s data, the companies have another way to trace users’ digital footprints across the internet.
“Maybe the (Jumpshot) data itself is not identifying people,”…