Avast Spying On Users

If you use Avast or AVG antivirus applications or browser extensions, you should probably get rid of them.

A few weeks ago, a German web researcher named Wladimir Palant was looking at the Avast Online Security and Avast Secure Browser extensions for Firefox and Chrome and found something quite troubling.

Wladimir isn’t just a random blogger, either. He is the creator of the excellent Adblock Plus extension for Firefox and Chrome, so he definitely knows his stuff.

Avast Sending Data – Lots of Data

Apparently, these web extensions were collecting and sending data – lots of data – about their users’ web browsing habits. Now, data collection is something that almost every app does, but these applications were collecting far more data about their users than necessary.

You can read Wladimir’s complete post about his discoveries here, but here are the most important points:

  • The Avast Online Security extension sends and requests data about the web sites you visit. While some of this data collection is necessary, Avast goes far beyond what is required.
  • Data being sent back to Avast includes the page you visit, whenever you switch tabs, how you got to a page (bookmark, link, entering the address directly), a unique user ID, the browser your using, and more.
  • One especially interesting point – if you use a search engine (Google, Bing, etc.) then the Avast extension sends back every single link on the page. Even if you don’t visit them all (or any of them).
  • This data goes far beyond what is necessary to identify a malicious site. The extension should not care or send information about when you switch tabs, for example, or how often you visit a site.
  • Even though the user ID doesn’t identify you personally, if you visit social media sites while using this extension, it is possible to de-anonymize web browsing data.
  • The privacy policy is very vague and offers no protections about how they will collect and use the data how they see fit, including giving it to (unnamed) third parties for “trend analytics” (their phrase).
  • It’s interesting to note that Avast acquired a company called Jumpshot back in 2013. Jumpshot began as a way to improve the performance of personal PCs, but now it “provides insights into consumer’s online journeys”, according to their About page.

One can imagine how the information from Avast fits into this business model.

Use Avast? Stop!

The good news is that both Firefox and Google Chrome have removed the Avast Online Security extensions from their respective extension stores.

If you’re using Avast or AVG, I would highly recommend you not.

The good news, though, is that if you’re using Windows 10 its built-in antivirus (Windows Defender) is a very good option these days. Not only is it effective and (relatively) lightweight on your system, but since it’s part of Windows already, you’re not opening your system up to another company.

Read Wladimir’s entire post here.