
Leaked documents expose Avast antivirus subsidiary selling web browsing data - jeremiahlee
https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation
======
dessant
Here's the rejected Firefox blocklist request for Avast extensions:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1600600](https://bugzilla.mozilla.org/show_bug.cgi?id=1600600)

Blocklisting the extensions would disable existing installations and stop
ancillary data collection, which is prohibited by Firefox Add-on Policies.

[https://extensionworkshop.com/documentation/publish/add-
on-p...](https://extensionworkshop.com/documentation/publish/add-on-policies/)

> Mozilla expects that the add-on limits data collection whenever possible, in
> keeping with Mozilla's Lean Data Practices and Mozilla's Data Privacy
> Principles, and uses the data only for the purpose for which it was
> originally collected.

There are a number of browser extensions maintained by antivirus companies
that use security as a disguise to collect and monetize user data. It is time
for Google and Mozilla to act on this issue and protect users from these
predatory practices.

Benign extensions that are genuinely useful and don't have a company behind
them do not get this treatment [1], they are blocked without preliminary
contact with developers [2].

[1] [https://www.jeremiahlee.com/posts/page-translator-is-
dead/](https://www.jeremiahlee.com/posts/page-translator-is-dead/)

[2] [https://www.ghacks.net/2019/11/05/mozilla-bans-all-
extension...](https://www.ghacks.net/2019/11/05/mozilla-bans-all-extensions-
that-execute-remote-code/)

~~~
horsawlarway
I want to second this sentiment and EXPLICITLY call out Mozilla.

I am the lead dev for a relatively small Firefox extension. We do not do ANY
tracking.

We were rejected and removed for simply including the sdk for Microsoft
outlook addins as a script in one of our html pages (we share the codebase for
an outlook addon as well). This script is well documented and published by
Microsoft.

I find the hypocrisy here staggering.

I know that Firefox gets a lot of love, particularly on HN because it _feels_
like Mozilla is still a trustworthy company. I want to clearly express that I
no longer believe this. They want addons in the store that they can use for
marketing and sales. Period.

~~~
gnicholas
Thanks for posting this. I have had similarly odd experiences recently with
the Firefox addon store, which my startup has been in since 2013. All of a
sudden we got yanked, among other things because we modify third party
libraries. Apparently we would have been fine if we did exactly the same thing
but wrote the code ourselves, but since we used a library, and then modified
it, we were in violation. To be clear, we provide all our source code in the
review process, so it is 100% clear what we are doing. And we don't do
anything that is remotely privacy- or security-compromising, which is very
clear from the code.

We tried to understand this bizarre no-modifying-third-party-libraries policy
and see how we could fix it, but they stopped responding and eventually even
deleted our extension from the browsers where our users had previously
installed it. (Even Apple doesn't do this when it yanks apps — only rarely if
there is proven bad behavior will they pull an already-installed/paid-for app
from a device.)

I happen to know a couple very high-up people at Mozilla, and one of them was
able to flag our mistreatment, and the reviewers now seem to be walking back
the previously-described global ban on modifying third-party libraries, but
we're still not back in the addon store (it's been months).

The (alleged?) policy makes no sense to me, and I also don't understand why
Mozilla is now blocking users from installing any addon that hasn't been
blessed by Mozilla. I understand that they want to vet addons that are listed
in their store, but they've assured me that users can't even install off our
website unless Mozilla signs off. That seems very un-Mozilla-ish to me. What
happened to the open web?

For the record, I used to love Mozilla/Firefox, and have used their browsers
for decades. I now use Brave, both because of experiences like this one, and
because it's much faster on my Mac.

~~~
the8472
> The (alleged?) policy makes no sense to me

The most charitable explanation I can come up with is that they want to avoid
confusion attacks on their reviewers. But then again they already have a list
of hashes for trusted libs, so clearly they could just diff the modified
library against the canonical version when a hash doesn't match.

> but they've assured me that users can't even install off our website unless
> Mozilla signs off. That seems very un-Mozilla-ish to me. What happened to
> the open web?

I have clashed with their addons staff over similar issues. Their argument is
basically security absolutism, motivated by (some) users easily being tricked.
Any inch of rope you give the user they will use to hang themselves. So any
security-related decisions they make are based on this dumbest possible user.
Additionally they consider it a reputational issue, if an extension screws up
firefox then firefox is blamed, or so they say.

Firefox stable basically means nannying. If you want more control you're
supposed to use developer edition or (on linux) the distribution builds. They
don't say it quite that directly, but that's what their answers boil down to.

~~~
gnicholas
> _Their argument is basically security absolutism, motivated by (some) users
> easily being tricked._

Honestly, most of the people I know who use FF these days are pretty tech-
savvy. This wasn't always the case — my mom used to use Firefox. But
Chrome/Safari/Edge are the default browsers these days, and they're pretty
good. The only people installing other browsers are either pretty savvy, or
being helped out by people who are savvy.

I realize that Mozilla perhaps yearns for the days when they had much larger
market share (and therefore many more easily-tricked users). But those days
seem to have passed.

Likewise, they may be trying to position themselves to become the go-to
browser for the unwise masses. And perhaps someday they will retake that
crown. But in the meantime, these nanny-state restrictions piss off their
developer-heavy base.

------
rkagerer
The article seems a little sensationalized, but even viewed in a generous
light it's still downright creepy.

_...clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home
Depot, Condé Nast, Intuit, and many others._

_It is possible to determine from the collected data what date and time the
anonymized user visited YouPorn and PornHub, and in some cases what search
term they entered into the porn site and which specific video they watched._

_Although the data does not include personal information such as users'
names, it still contains a wealth of specific browsing data, and experts say
it could be possible to deanonymize certain users._

~~~
adossi
Yeah it's creepy, but I wonder how that data is used? Like, what ads will
Google show me depending on the type of porn I watch?

~~~
mikejb
IIUC, porn is used as an example to highlight that these are very personal
details that are being sold, and porn preferences are something people often
fear leaking more than - for example - their financial data.

John Oliver, in his work on the NSA scandal, had Snowden explain individual NSA
programs based on "dick pics", to help people visualize and clarify the
consequences of what otherwise is just generically described as
"selling/stealing your data".

~~~
freehunter
Yeah people always assume the buyers of the data are companies like Google,
and not some group who wants to blackmail you if you don't give them five
Bitcoins.

------
markosaric
Avast/Jumpshot data is bought by many marketing companies too and packaged as
SEO tools, market research/analysis. They've been really proud to talk about
their ability to collect all this data in the past [1]. But recently it became
clear that all the data is stolen without user permission.

[1] "Jumpshot Knows What You're Buying, Browsing, Searching"
[https://www.cmswire.com/digital-marketing/jumpshot-knows-
wha...](https://www.cmswire.com/digital-marketing/jumpshot-knows-what-youre-
buying-browsing-searching/)

~~~
BlueTemplar
_Puts the popcorn in the microwave._

------
sct202
My dad had me remove Avast (that he paid for) from his laptop over Christmas
because he started to get mailers based on his browsing activity. It literally
locked up his computer for an hour uninstalling and giving prompts that would
try to get you to accidentally cancel the uninstall.

~~~
AJ007
You should send this to the Vice authors.

I emailed some journalists about Jumpshot a few years back. It’s good that
everyone now understands what is going on.

------
_jal
Kind of amusing that this is currently the #2 story, while #1 is "Trust Is at
the Core of Software Marketing".

If you had told me five years ago that I would stand up exfil monitors on my
home network because commercial and criminal surveillance was so pervasive, I
would have said that would be crazy talk. And yet here we are.

~~~
dredmorbius
What are you using for this, what is blocked / how do you construct
blocklists?

~~~
_jal
This is very much a new work in progress.

Basically, DNS logging forwards to a daemon I wrote that detects
Base64/UU/other encodings in DNS requests and asks the network manager[1] to
shut off connectivity to the client asking such questions. There is a volume-
of-queries timer, and I have some other ideas to add to it.

I'm working on a TLS-inspecting proxy with squid and sslsplit, as I expect
there's a lot to look at. I very much want to know if something emits any of
various magic numbers - SSN, bank account numbers, address book entries,
IMEIs, etc.

As far as more general blocking, I use parts of Pihole, which merges with some
other data sources, to defeat DNS resolution for folks I don't want on my
internet. And I use Maxmind's geoip data to generate iptables rules to block
most of the world on public facing infra - my tiny user base is not in most of
it.

[1] I use Unifi gear, this will do you no good if you don't:
[https://github.com/Art-of-WiFi/UniFi-API-client](https://github.com/Art-of-
WiFi/UniFi-API-client)
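
A minimal version of the DNS-side check described above, added here as an
illustration; it is not _jal's daemon, whose code is not on the page. It parses
dnsmasq-style `query[TYPE] name from client` log lines, flags labels that look
like base64 or hex payloads (alphabet check plus Shannon entropy), and applies a
per-client query-volume threshold. The sample log lines are constructed for the
example, the thresholds are assumptions, and the enforcement step (asking the
UniFi controller to cut the client off) is deliberately left out: the function
only returns a verdict per client.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log in the shape dnsmasq's log-queries option
# produces. These lines are made up for this example, not captured traffic.
SAMPLE_LOG = """\
query[A] www.example.com from 192.168.1.10
query[A] cdn.example.net from 192.168.1.10
query[A] long-but-readable-hostname.example.com from 192.168.1.10
query[TXT] aGVsbG8gd29ybGQgdGhpcyBpcyBzZWNyZXQ.tunnel.example.org from 192.168.1.23
query[TXT] dGhpcyBpcyBhbm90aGVyIGNodW5r.tunnel.example.org from 192.168.1.23
query[A] 3f9a8b2c1d4e5f6a7b8c9d0e1f2a3b4c.exfil.example.org from 192.168.1.42
"""

LOG_RE = re.compile(
    r"^query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)

# Alphabets that encoded payloads are drawn from. A hyphen in a label rules
# both out, which is what keeps ordinary hostnames from matching.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=]+$")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_encoded(label: str, min_len: int = 16, min_entropy: float = 3.0) -> bool:
    """Heuristic: a long label drawn only from a base64 or hex alphabet whose
    character distribution is too flat to be a human-chosen name."""
    if len(label) < min_len:
        return False
    if not (BASE64_RE.match(label) or HEX_RE.match(label)):
        return False
    return shannon_entropy(label) >= min_entropy


def parse_log(log_text: str):
    """Yield (qtype, name, client) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group("qtype"), m.group("name"), m.group("client")


def analyze(log_text: str, *, min_len: int = 16, min_entropy: float = 3.0,
            max_queries: int = 500) -> dict:
    """Return {client: [reasons]} for clients that trip either rule.

    Rule 1: any label in the queried name looks like an encoded payload.
    Rule 2: the client issued more than max_queries queries in this log window.
    """
    reasons = defaultdict(list)
    per_client = Counter()
    for _qtype, name, client in parse_log(log_text):
        per_client[client] += 1
        # Check every label; tunnel payloads normally ride in the leftmost ones.
        for label in name.rstrip(".").split("."):
            if looks_encoded(label, min_len, min_entropy):
                reasons[client].append(f"encoded-label:{name}")
                break
    for client, count in per_client.items():
        if count > max_queries:
            reasons[client].append(f"query-volume:{count}")
    return dict(reasons)


if __name__ == "__main__":
    for client, why in sorted(analyze(SAMPLE_LOG).items()):
        print(client, why)
```

Before wiring a verdict like this to anything that cuts a client off, allowlist
the legitimate long random-looking labels on your network (CDN hostnames, DKIM
selector lookups, hashed hostnames used by OS telemetry), otherwise the first
rule will knock ordinary laptops offline.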

~~~
dredmorbius
Thanks.

EFF's analysis of Amazon Ring egress traffic mentions some possibly useful
tools for inspecting SSL/TLS traffic. Specifically: mitmproxy and Frida.

[https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-
pack...](https://www.eff.org/deeplinks/2020/01/ring-doorbell-app-packed-third-
party-trackers)
([https://news.ycombinator.com/item?id=22165568](https://news.ycombinator.com/item?id=22165568))

------
drewrem11
PCMag article talks about how Avast's 'de-identification' of the collected
browser histories can fail and be used by third-party companies to link
your web clicks to your real identity [https://www.pcmag.com/news/the-cost-of-
avasts-free-antivirus...](https://www.pcmag.com/news/the-cost-of-avasts-free-
antivirus-companies-can-spy-on-your-clicks)

------
beart
I've often felt that antivirus software is like the rock that keeps the tigers
away. I haven't used it since the AOL days, and that's also the last time I
was actually hit with Malware (something from Kazaa I would guess.)

It's also worth noting that every corporate IT department I've ever seen
installs antivirus software on employee machines, so it must be good for
something? I'm curious what the actual statistics are for caught viruses.

~~~
Spooky23
For corporate IT, it’s a compliance requirement. It is the equivalent of
putting a sign in the bathroom that says to wash your hands, only less
effective. AV does almost nothing and costs almost nothing.

The newer products are different and more effective, and come with an
appropriate price tag. (The Microsoft solution costs as much as O365!)

~~~
freehunter
For those that might not understand the compliance requirement, PCI compliance
is a good example. If you process credit card payments, you need to be PCI
(Payment Card Industry) compliant. And PCI DSS Requirement 5.1 [1] states

> _Deploy anti-virus software on all systems commonly affected by malicious
> software (particularly personal computers and servers)._

So most enterprise companies have to have AV on their workstation and servers
(yes Mac and Linux too) in order to keep processing credit card payments.

[1]
[https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_...](https://www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf)

~~~
mywittyname
Sounds like there's an opportunity for micro AV: the smallest possible
compliant antivirus software.

~~~
Spooky23
That's called Windows Defender.

Before that, you could drive down the big vendors, a lot. I think I paid like
$2/pc/year for McAfee back in the day.

~~~
BlueTemplar
Sounds like Windows Defender is not listed as a compliant antivirus?

~~~
Spooky23
I haven't done a PCI project with windows in a long time. If it isn't
compliant, it's probably because it's unmanaged.

If you use SCEP (Windows Defender Managed by SCCM) or other tools, you're
probably ok. But don't quote me!

------
Animats
Look at Avast's privacy policy: "Enable use of your personal data to create
a de-identified data set that is provided to Jumpshot to build trend analytics
products and services."[1]

Where does the "consent" mentioned there occur? They claim to be GDPR
compliant; it has to be explicit and separate from other agreements.

[1] [https://www.avast.com/privacy-policy](https://www.avast.com/privacy-
policy)

------
jacquesm
AV software acts like and treats your computer pretty much the same way that
malware does, it should not be surprising the companies do the same.

They're in Prague, would be nice to see the teeth of the GDPR used to put the
fear of god into parties in this space. Maximum penalty times the number of
clients they had should do the job nicely.

~~~
catalogia
Is there any chance what they're doing might fall under some sort of
'unauthorized access' computer hacking criminal law? Something that could get
individuals sent to prison rather than just getting the company fined? There
is no way they had meaningful informed consent for any of this.

I don't think shit like this will stop unless executives and the engineers who
humor them start getting their lives justifiably destroyed.

~~~
BlueTemplar
Maybe, if government computers were involved ?

------
s_dev
Can we discuss how ridiculous PCI compliance is to require anti-virus software?
Particularly in mac OS where anti-virus software is the primary surface area
for introducing viruses.

Why hasn't this requirement been updated to something more sensible?

~~~
GordonS
Keep in mind that PCI requirements only apply to machines _within the
cardholder environment_ - everything else is out of scope.

What this means is that as long as you isolate your cardholder environment,
you don't need to deploy AV across your whole company - only on those in
scope.

I'm not a huge fan of AV, but I do advocate for a layered approach to
security, and have to concede that AV may have some value as a "last chance"
layer if malware somehow manages to get past your other defences.

------
ThePhysicist
Funny, just today I looked at their analyst presentation, which mentions that
17 % of their revenue comes from user data monetization:
[https://investors.avast.com/Document-
Download/Analyst%20Teac...](https://investors.avast.com/Document-
Download/Analyst%20Teach-
In/986db62f-83c5-46c5-bb2e-212475ef6bb5/Analyst%20Presentation%205%20July%20F)

------
Joeri
I'm not surprised. The antivirus sector seems to prey on people as much as the
virus makers. I had my PC infected accidentally by norton antivirus a few
years ago. They snuck it onto my system by hiding themselves in an oracle java
update. They didn't install right away, waited a bit so I couldn't immediately
link it back to what caused it. The uninstall function in programs and
settings was a misdirection and threw an obscure error. The uninstaller
downloadable from their website would pretend to uninstall, require a reboot,
and after the reboot the malware would reseat itself on my system. Eventually
I had to start up in safe mode and painstakingly go through my system file by
file, and registry key by registry key, to root it out. They know all the
techniques the viruses use, and they use most of them.

That was when I decided to stop using Oracle Java on all my personal systems
and minimize my use of Oracle products on a professional basis. Learning they
were a malware distributor was the drop that tipped the bucket.

~~~
mschuetz
Glad I'm not the only one. I was a Java dev for many years and also used it
for private projects. When they started shipping unwanted malware together
with Java was when I decided to remove Java from my toolset.

~~~
bArray
> When they started shipping unwanted malware together with Java was when I
> decided to remove Java from my toolset.

Would just like to say, OpenJDK is quite a solid drop-in replacement for
Oracle's Java: [https://openjdk.java.net/](https://openjdk.java.net/)

I've used it in production, I've built apps that I then _had to_ use Oracle's
Java (without problem), using older and newer versions have been very stable -
would very much recommend. I had one issue 8 years ago between versions, but
nothing since.

------
rmist
> Avast was collecting the browsing data of its customers who had installed
> the company's browser plugin, which is designed to warn users of suspicious
> websites.

I have never really felt the need of antivirus plugins. Firefox's built in
features ([https://support.mozilla.org/en-US/kb/how-does-phishing-
and-m...](https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-
protection-work)) has always been good enough in my experience.

~~~
lucasmullens
I doubt anyone's installing the Avast chrome extension voluntarily. It's
mostly just people forgetting to uncheck a box when installing some software.

~~~
roryokane
No, Chrome and Firefox nowadays don’t allow extensions to be automatically
installed and enabled. Any extensions running were specifically enabled by the
user at some point.

I know this because I helped someone install McAfee antivirus a few days ago.
Both Chrome and Firefox showed a small, non-modal popover on the next launch
saying that an extension had tried to install itself. The popover contained
two buttons, one for enabling the extension and one for keeping it disabled
(Chrome) or uninstalling it (Firefox). If you never clicked inside the popover
(as many alert-blind users might do), the extension would stay disabled.

------
partiallypro
Until Windows 10 (which just has a great built in virus detection system,) I
would always push people to Avast. I am shamefully disappointed that they've
fallen this far.

~~~
BlueTemplar
Sadly, I wouldn't be certain about Windows 10 itself not spying on users and
exfiltrating this information... (Today or in the future.)

------
chinathrow
Avira Free just installed Avira VPN while updating a client to Win 10
recently, I assume that they're after data collection too.

That was the last straw - Windows Defender only at this point of time.

------
skocznymroczny
Most antivirus software feels sketchy in general (snake oil).

The only antivirus I run at the moment is Windows Defender. For me the main
reason is that Microsoft actually benefits from a virus free system because it
improves Windows as a platform. Antivirus software vendors benefit from
viruses spreading around because it improves sales of their products.

Also Windows Defender is fairly non-intrusive, it doesn't advertise a sketchy
VPN, a sketchy adblock, a sketchy torrent or any other tool that usually anti-
virus vendors try to bundle together.

~~~
bsharitt
> Also Windows Defender is fairly non-intrusive

Microsoft and antivirus vendors have very different goals. Microsoft wants to
quietly protect your computer without making a big deal out of viruses, while
antivirus vendors always want to let you know that they're hard at work
protecting you and that the world is a dangerous place so keep giving them
money(or in the case of free versions, keep it installed so they can keep
vacuuming that data).

~~~
Brave-Steak
I think one of the worst parts of this kind of stuff is that paying for the
product doesn't mean they stop selling all your data. It just means they make
even more money off of you.

~~~
simias
That's the standard these days unfortunately. Why turn these options off when
most users won't even notice and you get more money in the end?

I wish that my various "premium" subscriptions to services like Spotify or
various other apps meant that my privacy will be respected but I have
absolutely no illusions about it. That's why I'll never ever consent to
turning off u-block, I want the freemium/ad-driven model to die, it's the
original evil that makes all these practices worthwhile.

~~~
reaperducer
_Why turn these options off when most users won't even notice and you get
more money in the end?_

Because it's the right thing to do? Why is it so hard for people in technology
to simply do what's right?

I don't buy the hackneyed HN arguments about "A company is required to
maximize profits for the shareholder!" or high school thought exercises like,
"Who gets to decide what is right?" It's simply not that hard.

I wonder if software engineers had to pass ethics classes like other types of
engineers if the world would be a different place today.

~~~
salawat
They do in some universities. Even when I was going. Most just treat it as a
"Yup, okay fine" course, and many instructors are really bad about making it
clear just the kind of heinous things to watch out for.

Example:

What is an acceptable use case:

A) Utilizing photo manipulation to place an individual somewhere they haven't
been before.

B) The same except for them to enter in a contest.

C) The same, for some one who just wants the picture to flesh out a personal
scrapbook with a picture of them and their SO having done something they
wanted to do, but the SO was no longer alive for somehow.

They don't do a great job at preparing you to understand how industry gets you
to actually do unethical things, or how to react when they do.

I.e. It's rarely, in my experience, "Hey, do blatantly unethical thing."
Though that happens. I've had some snuck by my filters in the form of

>Hey welcome aboard! <Several months of innocuous work later>. Okay guys, time
for <skeevy thing>. Business really needs this, so it's pretty high
visibility.

Generally it escapes your notice because for once you're just happy to have
clear requirements, and to not be getting jerked around, so you do it. Minimal
complaint is encouraged, or will at least be pretended to be entertained,
relying on the cushy salary and in-house benefits to carry you through to job
completion.

But the ball keeps rolling regardless. You can decide to not work on certain
stuff, but that generally gets shluffed off to another team that doesn't share
your ethical proclivities.

The sad thing is, you almost need a labor or professional organization like
structure to be capable of keeping major divergence from the ethical straight
and narrow in check, because otherwise you can pay lip service to higher
ethical and moral standards, but when it comes paycheck time, most are going
to go with that phat paycheck.

I'm working on considering my next link in the career chain, and ethical
implications are strongly influencing my choice. I'm sick and tired of being
someone else's money vacuum mechanic. I'd like to work on software that
actually helps people.

And I'll stop anyone who suggests "but those systems are capital pumps, and
help people because the free market." No they don't, not in any but the most
indirect of ways. If people overall weren't having all their siphoned off
them, I'd wager there would be a much higher degree of actualization or
entrepreneurial development in the hands of less capital starved people.

I know a positive feedback loop when I see one, and you can damn well bet
that's why every tech company is scrambling to become a fintech in one way or
another.

~~~
BlueTemplar
Well yeah, as long as you can't have your engineering degree stripped away for
doing unethical things like the OP, _and_ be forbidden to even code for other
people for free - like AFAIK it's the case for doctors violating the
Hippocratic Oath - then the situation will not get better !

------
tomaskafka
It's amusing to watch how slowly this is becoming common knowledge - the company
I worked for at the time was buying complete Jumpshot url logs 4 years
ago, and everyone knew where the data was coming from.

------
sagunsh
I don't use any antivirus software nowadays. They basically seem to slow
down the computer (I am not quite sure about this) but here I got one more
reason not to use one. I guess Windows Defender is okay and sufficient for
most of the cases and you can always switch to Linux.

~~~
rafaelvasco
Yeah, I stopped using AV in Win7. Never looked back;

------
annoyingnoob
I thought this was well known. I wrote code to ingest Jumpshot data years ago.
You have to wonder about the quality of the data though - maybe those using
Avast aren't the best measure of all things web related.

------
jammygit
Anything named an antivirus should be possible to sue for this sort of thing,
right? It could not possibly be more misleading

It’s like a locksmith company monetizing by sneaking people into your home
when you’re asleep

~~~
bradknowles
That would be William Brodie. See
[https://en.wikipedia.org/wiki/William_Brodie](https://en.wikipedia.org/wiki/William_Brodie)

Edit: I only know this because I recently heard about this guy on the British
TV show "QI".

------
Sophistifunk
I'm glad Vice is writing about this, but how many mb of browser-tracking crap
do you think Jane Sixpack gets alongside that article if she doesn't have a
(real) adblocker and noscript?

------
smrtinsert
This just feeds my conspiracy that all antivirus companies are worse than the
viruses themselves.

------
inkeddeveloper
Is it bad that my first reaction is, "Of course."

~~~
zentiggr
Nope, just confirms you're seeing reality.

------
lousken
Eset and Windows Defender are pretty much the only two antiviruses left that I
still kinda trust. The rest have become either bloatware or straight up
spyware.

~~~
tomaskafka
Why would you trust Eset? Once they can monetize the user data (and every
AV/browser company can), their shareholders will compel them to do it.

~~~
lousken
Well e.g. they don't spam you with ads for their other products. They like to
say that your PC is slow and show you their nice tools that should fix it
(although I know avg does that, not sure if avast too, but they're supposed to
be the same thing now). People tend to freak out if they see something like
this popping out of taskbar. Eset doesn't do any of this and keeps quiet
unless there is a problem.

Also they don't add snake oil parts to their products like registry cleaners and
install extensions. The most obtrusive thing they do is probably MITM TLS
connections which I don't agree with but at least kinda understand.

As for the data monetization, you can compare privacy policy of those two
companies [https://help.eset.com/eav/12/en-
US/privacy_policy.html](https://help.eset.com/eav/12/en-
US/privacy_policy.html) vs [https://www.avast.com/products-
policy](https://www.avast.com/products-policy) . They speak for themselves.

------
ggregoire
How are the AV companies still alive with Windows Defender installed on every
Windows since like Windows 7 or 8?

~~~
mywittyname
Computer salesmen have talking points about how WD doesn't catch 95% of viruses
out there. Of course, they leave out the part about how WD focuses on the 5%
of viruses actually found in the wild, as continuously surveyed by Microsoft,
not the 30k variants of known viruses that are not relevant to a Windows 10
machine.

My go to is to say, the security lead for Google Chrome once tweeted, "the
biggest impediment to implementing a secure browser is AV software."

~~~
alibert
I saw that quote being posted quite often on HN. I always smile at this
because Google Chrome (on Windows only) includes a cleanup tool based on a
popular AV engine.

[https://www.blog.google/products/chrome/cleaner-safer-web-
ch...](https://www.blog.google/products/chrome/cleaner-safer-web-chrome-
cleanup/)

[https://www.eset.com/int/google-chrome-
cleanup/](https://www.eset.com/int/google-chrome-cleanup/)

~~~
mywittyname
I think his original criticism was that the OS hooks that typical AV install
are a source of vulnerabilities and bugs.

I don't think he took issue with the idea of a well-maintained database of
signatures used to identify malicious code, just most vendors implementations
that check against such.

------
tomc1985
I wish there was a way to punish all the people participating in these data
sharing things. Because it is endemic, a gold rush even, with every single
individual involved lacking scruples as they sell their fellow man out

~~~
1000units
Many people who post here are involved.

------
coldcode
The power of customer data making money is hard to resist.

------
dgaudet
> Some past, present, and potential clients include ...

i'm having a hard time reading past the word "potential". that suggests
exaggeration to me.

~~~
Mtinie
It could be exaggeration, or “potential” in this case could include data from
people and companies who expressed interest in the product captured during
lead generation.

------
js8
I work in Prague and I know some people who work for Avast. It's an open
secret that the company got pretty rich on selling customer data from their
antivirus (that was before GDPR, though). I am glad that somebody confirmed
the rumor.

------
asasidh
If you are using a product that dials home, paid or otherwise, you have to
assume it is collecting and selling your data.

------
ansmithz42
My question on avast is: How do we know it has completely uninstalled from our
devices? Given the reputability of this company, who's to say they don't leave
something behind after we uninstall. It would be great if someone with the
means could do a before and after test to verify this.

------
whatsmyusername
Avast also portscans your local network. I kept getting alarms on my Symantec
laptop and couldn't figure out why. Took running TCPNetView on the two avast
machines full time and waiting for the alarm to fire to figure it out.

------
detcader
I just tried to uninstall the Avast desktop software, but "avast.hub" and
avast "worker" processes remained running even after the "Uninstall Avast"
process quit.

Probably just incompetence... Probably!

~~~
Sophistifunk
>Probably just incompetence... Probably

Right. Just like Zoom.

------
jannes
I don't use Avast myself (for obvious reasons), but how do they get around
HTTPS encryption? Do they install a self-signed root certificate into the
OS/browser? Wouldn't that be easily detectable?

~~~
stordoff
They can instruct the browser to log/leak HTTPS keys:
[https://textslashplain.com/2019/08/11/spying-on-
https/](https://textslashplain.com/2019/08/11/spying-on-https/)

NB this article also notes the selling of data - from the article it cites:

> Jumpshot is the data arm of Avast[...] This suite of products, in order to
> function, must collect and analyze every URL visited by every browser of
> every machine on which its installed. [...] Because Avast has to see and
> process all these URLs anyway (in order to serve their function of providing
> web security), they anonymize, aggregate, and remove any personally-
> identifiable information from the browser URL visits and then provide them
> to Jumpshot, who then makes estimates about broad web usage behavior. In my
> opinion, this is both an ethical way to gather crucial data about what’s
> happening on the web[...]

~~~
tomaskafka
They aren't "making estimates about broad usage behavior", they just sell the
raw clickstream. And lie.

------
ropiwqefjnpoa
Does this include AVG for Business? I dropped them just over a year ago.

------
dancemethis1
Another day, another leak of proprietary software collecting and selling
sensitive user data.

Hopefully Discord's day is coming soon.

------
jameslin
If you are not being sold a product, you are being sold as a product.

------
d-c
They entice us with free products, meanwhile they're biting...

------
acvny
Haha, you wanted free antivirus?

------
nif2ee
Most B2C privacy/security based companies are either snake oil or outright
scams.

------
klohto
The data is heavily anonymized and aggregated before selling. Avast is a Czech
company under GDPR with regulators breathing on its neck. "Selling data to
Google" is true as much as when my github project is cloned by a Google guy and
I claim it's used by Google :)

It’s a free product and it’s written in T&S, why is Vice so sensational?

EDIT: Calm it, I was proven wrong about the EULA

~~~
tastroder
We regularly call out random browser extensions doing the same thing, it's not
sensationalized to call out a top 10 manufacturer in the "security" space on
this behaviour. Anonymization of search histories has, time and time again,
been shown to be largely ineffective.

[https://www.avast.com/eula](https://www.avast.com/eula) does not mention
Jumpshot and grepping around does not indicate any sensible anonymization and
aggregation efforts, just the default legalese whereas the demo video on
[https://www.jumpshot.com/solutions/industry/retail](https://www.jumpshot.com/solutions/industry/retail)
leads me to believe that while they might not tie histories to a single user,
they show statistics like "XX% of users shopping at A, went on to buy at B"
which indicates at least some level of unaggregated data / tracking.

If the Vice article is to be believed, that's certainly enough to at least
raise an eyebrow. The opt-in the article talks about is likely to be an
underspecified mess that's intended to deceive the user, this functionality
has simply no place in an AV package. Let's not act like it's hard to get
users to press a shiny green button these days. That might be found GDPR
compliant in court, it's still not morally right.

~~~
klohto
You’re correct about the EULA, any idea when it was last changed? I’ll look
into this and correct myself but since I know few people working there, I
heard stories about the process and how regulated it is.

~~~
tastroder
The top of that page says "Version 1.11 (Revised April 1, 2019)", the history
seems to be this (linked at the bottom): [https://www.avast.com/eula-
legacy](https://www.avast.com/eula-legacy)

I'll give them the benefit of the doubt but if the Vice report is accurate,
the business practice needs changing, not their terms of service.

