
Avast caught selling user data - rsj_hn
https://www.forbes.com/sites/thomasbrewster/2020/01/30/avast-is-going-to-stop-selling-your-web-habits/#41e4252389db
======
dang
[https://news.ycombinator.com/item?id=22159385](https://news.ycombinator.com/item?id=22159385)

------
lebaux
Please don't give Forbes a link, they don't deserve it. This story was brought
to light thanks to a joint investigation by Motherboard and PCMag:

[https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation](https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation)

[https://www.pcmag.com/news/the-cost-of-avasts-free-antivirus-companies-can-spy-on-your-clicks](https://www.pcmag.com/news/the-cost-of-avasts-free-antivirus-companies-can-spy-on-your-clicks)

~~~
pimmen
This was a rare occasion when I opened the comments before the link, and it
was good that I did.

~~~
moneytide1
I've slowly been developing the opposite habit. Over the years I've become
more interested in how articles are digested by people without an agenda
(which the modern, salaried digital author may be increasingly pressured to
succumb to). Reception is demonstrated in comment sections, and that sometimes
feels like a more pure read, stripped of whatever fluff or flair a journalist
may feel compelled to add (accelerated portfolio enrichment attempt? Agenda
implies bonus payment).

We can assume these may also be populated by automatically generated comments
to suggest support or rejection of the content. Sometimes this leads me into
[rabbit-hole] investigations through a user's post history if I am
significantly moved by their angle(s).

I needn't read anything more than the title, as the meat content would likely
just be an assimilation of empirical evidence and/or gossip. I'm not even
going to bother turning off ad blocker or using archive.is with this one - in
aggregate I just see it as yet another "distrust [insert internet company]
with your data" offensive (defensive?) campaign.

~~~
untog
I think it's dangerous to consider commenters "people without an agenda".
Automatically generated comments aside, I'm quite sure that plenty of real
human beings have "an agenda" when they're commenting on an article.

I'm also not really sure what agenda the "modern, salaried digital author" is
supposed to be succumbing to. Clickbait? If they're salaried then they aren't
paid per click. Again, the journalist is a known employee of a known
organisation. To think of anonymous commenters as _more_ reliable feels a
little baffling to me.

~~~
moneytide1
I am judging a book by its cover twice by not reading either our parent
article or "Only the Paranoid Survive" by Andy Grove.

------
Daniel_sk
They just announced "killing" of Jumpshot:

[https://blog.avast.com/a-message-from-ceo-ondrej-vlcek](https://blog.avast.com/a-message-from-ceo-ondrej-vlcek)

[https://www.nasdaq.com/articles/avast-cuts-data-access-to-jumpshot-after-data-privacy-concerns-2020-01-30](https://www.nasdaq.com/articles/avast-cuts-data-access-to-jumpshot-after-data-privacy-concerns-2020-01-30)

"For these reasons, I – together with our board of directors – have decided to
terminate the Jumpshot data collection and wind down Jumpshot’s operations,
with immediate effect." Ondrej Vlcek, CEO.

A lot of staff will be laid off, but I think this was the only good choice.

~~~
drivingmenuts
That statement makes it sound like a rogue operation. The responsibility goes
to the top. Perhaps the CEO should get the chop as well.

~~~
johnebgd
Current CEO has been there 7 months. This program had been there for years.

------
altdatathrow
I work in this world. This is just one company of many doing the exact same
thing. We're going to need a lot more investigative journalists.

They sell which apps are installed on your phone and how often you use each
[1], they sell your credit card transactions [2], they sell your emails [3],
they sell your web browsing activity (Jumpshot on this list) [4], and they
sell your precise timestamped locations [5].

Senators are trying to get Yodlee investigated by the FTC [6] and they sell
data to numerous companies. Second Measure's (YC S15) entire business model is
cleaning up and reselling Yodlee's data.

[1] [https://alternativedata.org/data-providers//category,app-usage](https://alternativedata.org/data-providers//category,app-usage)

[2] [https://alternativedata.org/data-providers//category,credit-debit-card](https://alternativedata.org/data-providers//category,credit-debit-card)

[3] [https://alternativedata.org/data-providers//category,email-consumer-receipts-2](https://alternativedata.org/data-providers//category,email-consumer-receipts-2)

[4] [https://alternativedata.org/data-providers//category,web-traffic](https://alternativedata.org/data-providers//category,web-traffic)

[5] [https://alternativedata.org/data-providers//category,geo-location](https://alternativedata.org/data-providers//category,geo-location)

[6] [https://thehill.com/policy/technology/478766-lawmakers-call-for-ftc-probe-into-top-financial-data-aggregator](https://thehill.com/policy/technology/478766-lawmakers-call-for-ftc-probe-into-top-financial-data-aggregator)

~~~
clmul
Makes me wonder at what point they will sell your input (keyboard) history...
There's technically nothing stopping them from it, if they have access to all
this other information.

~~~
prashnts
SwiftKey, Grammarly and the like already do/did collect the keyboard input. I
don’t know if they sell it though.

------
apacheCamel
I think my biggest problem with all of this is the word "caught". Why, still
in 2020, is there no requirement for software/websites to disclose the
information they keep and the information they sell to the end user? Is it
secretly there deep in some terms of service? Nobody would ever plaster "we
sell your data" on their front page, but once we start shining a light on it,
maybe companies will see how much people care.

~~~
_Codemonkeyism
There is, it's called GDPR - if you live in a country that cares.

~~~
chopin
Which would be? I am living in Germany and I am pretty disappointed so far.

GDPR has (intentionally?) a huge loophole: It is up to national agencies to
enforce it, with no individual right to sue. These are heavily underfunded
thus enforcement is weak to non-existent.

~~~
_Codemonkeyism
Well, I made some input to data protection agencies and got some feedback, so
I'm rather happy with how things are progressing.

That said I assume nearly all companies out there are not in compliance. To
the point of the article, privacy policies are mostly not detailed enough and
it will take some time before companies come into compliance.

This is the trade-off between a strict PCI-level compliance policy with a
strict checklist of things to do and the "vague" GDPR compliance, which was
created that way to be independent of technology changing over time. The
downside is it's not clear how to be really compliant, and companies do the
very minimum of what they think they can get away with.

Also there are so many huge violations, that yes, the data protection agencies
can't cover everything, so they start from the top with the companies that get
the most complaints (1&1 getting a 10M EUR fine) or have the biggest missteps.
I assume the Buchbinder fine will be much larger than the 1&1 fine, and it
will for the first time prove to companies that they are still responsible
when they hire an IT company to manage their data - which was the point of the
parent.

Until the GDPR arrived data leaks were just "Ooopsy" moments to companies.
This culture has festered for decades and it will take some time to change.

And my comment was to the parent "and the information they sell to the end
user? Is it secretly there deep in some terms of service" where the GDPR
requires you to tell people what you do with the data in terms that they
understand without obfuscating the message or hand-waving. I would have
wished that companies need to open their process directory to the public
though.

------
OtterGauze
A surprise to nobody, really. It's a free service, you're kinda expected to
suspect they're attempting to make money by some other means.

Can't deny the irony in security software compromising security though.

~~~
js8
> It's a free service, you're kinda expected to suspect they're attempting to
> make money by some other means.

No, you are not, and you should not be expected to suspect that. This is moral
fatalism.

~~~
dTal
Seems to me like basic financial physics. No one is saying it's _moral_, or
that we should put up with it - but if a for-profit company is paying a bunch
of employees to provide a free service to you, you'd have to be dumb not to be
curious about their business model.

~~~
js8
I get it. But to be fair, there are many for-profit companies that offer lower
tiers of their products for free (or even open source), no (or little) strings
attached. So it is certainly not the norm.

~~~
MrGilbert
Whelp, at least from a business case I know, it goes like: "Hey, you get our
basic tier for free, but please, let us send you a newsletter occasionally.
You don't like that? That's fine, you'll find an unsubscribe link in every
newsletter."

So the business case doesn't sell the data (that's screaming for trouble), but
rather uses it for their own ads.

------
robotron
> I realize the recent news about Jumpshot has hurt the feelings of many of
> you

Wow, that's a nice way of blaming your users.

------
Scea91
To people saying that this is obvious because it is free so the customer is
the product:

In this case Avast made only 5-10% of revenue this way. The rest is made
through various micro-transactions etc. IIRC.

~~~
gregd
They also didn't magically disable the data collection once you became a
paying customer.

------
amelius
Isn't it time we forbid (by law) the brokering of personal user data?

~~~
Daniel_sk
This was anonymized data, but of course you de-anonymize a lot of it if you
get raw data and you have reasons to put effort into it (e.g. you can find the
account ID based on the exact purchase time and then follow his journey
because of a unique anonymous ID). I don't think the intent was to spy on
individuals, but it's not easy (or possible?) to truly anonymize data without
losing 99% of the information value.

~~~
saiya-jin
The whole premise is ridiculously bad - this is done by _antivirus_ software.
It doesn't matter how the data is handled, the act of losing trust is in
action itself.

It's like an adware-blocker would install its own adware upon removal of all
the others. But it would be a 'good' one, i.e. for 'optimizing internet connection'
or similar bullshit.

Trust is a finicky issue - long time to build, can be lost with 1 mistake.
This event can kill the Avast company in the long term. Stupid, stupid move
from the owners, only explainable by greed, and not really justifiable.

~~~
Daniel_sk
Yes, in this case it's a very bad decision. I guess it made business sense if
you want to have a free-tier of AV for tens or hundreds of millions of users -
you need to somehow generate the money, but it's a ticking bomb.

------
dutchCourage
So while I disapprove of this kind of data collection and wish it was more
tightly regulated, I wonder...

What makes this newsworthy compared to the "regular" data collection done by
Facebook and Google?

~~~
dathinab
Well, because it's an anti-virus program.

Users trust this kind of program normally more. It's the fallacy of "oh they
help us to be protected from bad guys so they can't be bad themselves".

Though many (most?/nearly all?) anti-virus companies are untrustworthy in my
opinion, so it's not really surprising for me.

