Once upon a time, you couldn’t go living a normal Internet-connected life without an anti-virus software of some kind. While the threat and effects of malware haven’t really gone down, the quality of said security software sadly has. Some of the giants in that industry have been gobbled up by even bigger giants while others have been accused of using their reach for their government or for their own profit. The latest to fall prey to that tactic is Avast, which also owns the free AVG software, and its questionable activities are apparently also at work even on web browsers.
It may not be one of the biggest names in the software security market but Avast and AVG gained a following thanks to their offer of free or affordable anti-malware software. Some that don’t even need a full suite may have found themselves installing just a browser extension to keep them safe. Ironically, however, those don’t keep users safe from Avast itself.
Security researcher Wladimir Palant reported last October that Avast web browser extensions, both for security as well as doing price checks, are sending home more data than they should have access to. While it might be understandable that the extension sends Avast the URL of a web page you are visiting to check it against their database, it doesn’t exactly have any business knowing how you got there, how many times you go there, how much time you spend on that page, and, more importantly, what you click on.
These are the activities of spyware that Avast is supposed to protect users against. Palant’s research led him in the direction of “clickstream data analysis” company Jumpshot that was also acquired by Avast not too long ago. It gives Jumpshot’s customers data about “100 million global online shoppers” with almost the same pieces of data collected by Avast’s browser extensions.
Whether it does use that data for such purposes, Avast’s data collection activities run afoul of browsers’ privacy policies. Opera has already removed the extensions for its web store while Mozilla has only blacklisted them pending communication with Avast. Google has yet to respond to the report.