Antivirus program runs afoul

Published 9:46 pm Friday, January 31, 2020


The internet is riddled with all sorts of wickedness.  The opportunity to encounter malicious content is ever-present.  Protecting our technology and digital presences is a matter of necessity.  The tool most often used for that protection is an anti-virus application.

If you’re not running an anti-virus program on a modern computing device, you’re likely either playing with fire or a very lucky person.  In either case, it’s only a matter of time before the would-be bad actors succeed and infiltrate your devices with some virus or malware.  I’ve written extensively on the importance of protecting devices, updating software and maintaining a healthy dose of skepticism about “apps”.

However, it’s with a heavy heart that I inform you of a substantial issue with a common and free antivirus tool: Avast.


I suppose we shouldn’t be too shocked that trusted software can serve duplicitous roles.  You all have read of reported issues with other security tools sharing information via clandestine avenues with shadowy organizations.  So, let’s add Avast to the list of protective software accused of deceptive tactics.

Avast is well-known and loved.  Since 2017, Avast has been the most popular anti-virus vendor on the market.  The company holds the largest share of the market for anti-virus applications.  I’ve suggested it for many years; in fact, I use the tool.  Well, I suppose I should say, I used the tool until recently…

Earlier this week, an investigative report revealed that the Avast anti-virus platform was collecting personal data from its enormous user base and selling the collected personal data to third-parties.

The accusation sent waves through the security community.  Such a violation of trust by a provider of software anchored in trust was incorrigible.  I was both angered and disappointed.

There’s a reason why the endpoint protection axiom is shouted from the rooftops of every cybersecurity manual: it works.  Protect the endpoint, the end-user device, and your defenses are strengthened.  Neglect the endpoint and you will suffer the perils of the internet-connected world.

So, what happens when the good guys are suddenly exposed as supposed bad guys?

The trust relationship erodes quickly.

If my anti-virus program fails, that’s a big deal.  If I update the application frequently, scan my device intensively and discover that my computer is littered with a variety of badness, I will doubt the product and the company’s ability to deliver on its promise: protect me.

But, what are your concerns about an anti-virus company that protects you while simultaneously spiriting away personal data in the background?  Is a moral conundrum afoot?

As an aside, please review every social media platform article I’ve written.  But, back to Avast.

The claim that personal data was harvested comes from an investigation by Motherboard and PCMag.

Documents reveal that Avast has been purposefully collecting data from customers for years.  A subsidiary company of Avast, called Jumpshot, served as the intermediary for the sale of the data.

What types of data, you ask?

Well, for starters, web browsing history.

Yeah, pause for a moment and think about that.  Your anti-virus program protects your device from badness, while peeking over your shoulder.  All of those clicks, all of those websites, have been bundled and sold.

Included among the web browsing history are shopping and search engine queries.

The report indicated that some of the biggest companies in the world paid millions of dollars for the data.

One option offered within the data was something referred to as “all clicks feed”.  The option tracks all web clicks and interactions with websites with an incredible degree of both accuracy and completeness.

In one example described in the investigative report, a user was observed visiting pornography sites.  Not only were the pornography sites listed, but, every click on the sites, every search on the sites, and how the user located the pornography site were included among the datasets.

The report revealed that the data was anonymized: personally identifiable features were not included among the data.  But, given the extent of the intrusion, it’s not hard to imagine that data exists somewhere.

So, what do you do?

According to several reports, simply installing Avast doesn’t necessarily equate to an invasion of privacy.  A specific browser plugin, suggested by Avast, appears to be the key to the data harvesting efforts.  The plugin is offered as a way to protect against cyberattacks and unauthorized connections from dubious web servers and traffic.  If the browser extension (the plugin) isn’t installed, it’s likely that your data hasn’t been pilfered.

Avast’s initial response to the report was weak.  They didn’t deny the operation; instead, they simply indicated that the data had been anonymized, bundled within large datasets, and can’t be used to personally identify or target a specific user.

While the statement appears to be technically true, Avast assigned an identifier as a substitute for a personally-identifiable attribute.  The assigned identifier persists on your device unless you uninstall the Avast anti-virus product.

However, in the world of big data, when large datasets are combined, the opportunity to specifically identify an individual increases greatly.  A collection of anonymized data in the right hands can be reassembled with other “known” data and a clearer picture of the user brought into focus.

On January 30, 2020, Avast announced that they would close Jumpshot and issued an apology.

So, what should you do?

Consider another product.  If you’re a Windows user, use Windows Defender.  The tool is robust, runs intimately with the operating system and is updated very frequently.

In the meantime, read those software agreements thoroughly and be safe!