The US Federal Trade Commission (FTC) hit antivirus vendor Avast with a $16.5 million fine for selling users’ browsing data to advertisers after claiming its products would block online tracking .
Additionally, the company was banned from selling or licensing web browsing data for advertising purposes. It will also have to inform users whose browsing data has been sold to third parties without their consent.
The FTC, in its complaint, said that Avast “wrongfully collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without the consumer’s consent”.
It also accused the UK-based company of misleading users by claiming the software would block third-party tracking and protect users’ privacy, but failing to inform them that it would sell their “detailed and identifiable browsing data” to multiple of 100 third parties through its subsidiary Jumpshot.
Additionally, data buyers could associate non-personally identifiable information with Avast users’ browsing information, allowing other companies to track and associate users and their browsing history with other information they already have.
The misleading data privacy practice came to light in January 2020 following a joint investigation by Motherboard and PCMag, which identified Google, Yelp, Microsoft, McKinsey, Pepsi, Home Depot, Condé Nast, and Intuit as some of the ” past, present and potential customers.”
A month earlier, web browsers Google Chrome, Mozilla Firefox and Opera had removed Avast browser add-ons from their respective stores, with previous research by security researcher Wladimir Palant in October 2019 deeming such extensions to be spyware.
The data, which includes a user’s Google searches, location searches and internet footprint, was collected via the Avast antivirus program installed on a person’s computer without asking for their informed consent.
“Navigation data [sold by Jumpshot] included information about users’ web searches and web pages visited, revealing consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content, and other sensitive information.” the FTC said.
Jumpshot described itself as “the only company unlocking walled garden data” and claimed to have data from as many as 100 million devices as of August 2018. The browsing information is said to have been collected since at least 2014.
The privacy backlash prompted Avast to “end Jumpshot data collection and shut down Jumpshot operations, effective immediately.”
Avast has since merged with another cybersecurity company NortonLifeLock to form a new parent company called Gen Digital, which also includes other products such as AVG, Avira, and CCleaner.
“Avast promised users that its products would protect the privacy of their browsing data, but it did the opposite,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Avast’s bait-and-switch surveillance tactics have compromised consumer privacy and broken the law.”