Jumpshot Bricked

I posted a few weeks ago about the discovery that Avast, a free (and popular) antivirus program for Windows, had been taking quite a bit more data from its users than necessary. You can find that post here.

I’m happy to say that the fallout from that discovery has been quick and clear. Not only did Mozilla and Google remove the Avast extension from the Firefox/Chrome browsers, but Jumpshot, the part of Avast responsible for the data selling, is shutting down.

“Anonymous” Data

For one thing, although the data was “anonymized” so as to not include details like a names or IP addresses, the data was linked to a specific device ID, which could allow it to be linked back to a single user.

This unique device ID seems to have been tied to a specific Avast installation, so it would only be reset if a Avast was completely uninstalled and reinstalled. Removing the browser plugin (or using a different browser on the same computer) wouldn’t change the device ID.

The PC Mag article on Avast/Jumpshot points out how this anonymous ID can be used to figure out a user’s identity:

For instance, a single click can theoretically look like this:

Device ID: abc123x Date: 2019/12/01 Hour Minute Second: 12:03:05 Domain: Amazon.com Product:Apple iPad Pro 10.5 - 2017 Model - 256GB, Rose Gold Behavior: Add to Cart

At first glance, the click looks harmless. You can’t pin it to an exact user. That is, unless you’re Amazon.com, which could easily figure out which Amazon user bought an iPad Pro at 12:03:05 on Dec. 1, 2019. Suddenly, device ID: 123abcx is a known user. And whatever else Jumpshot has on 123abcx’s activity—from other e-commerce purchases to Google searches—is no longer anonymous.

And this data was being sold to lots of major companies – certainly some of which have resources to discover this information if they wanted to.

According to this Vice article about Avast/Jumpshot, over two dozen companies, like Microsoft, Home Depot, Yelp, Expedia, Intuit have used Jumpshot’s data either currently or in the past.

If these companies were buying data showing how people interacted with their own sites as well as competitors, then it’s possible that they could identify individual users, even though the data from Jumpshot was technically “anonymous”.

Jumpshot Defenders

Even though I’m glad that Jumpshot is gone, not everyone is.

Rand Fishkin, the founder of Moz, a company that makes SEO (search engine optimization) software that used Jumpshot data, came out pretty strongly in favor of Jumpshot and their practices.

He also wrote a blog about Jumpshot that goes into a little bit more depth about his though process. His main point seems to be that:

  1. Jumpshot data helps small/medium businesses compete against giant tech companies.
  2. Jumpshot data provides 3rd party SEO services with valuable data they can’t get otherwise.
  3. Jumpshot made it clear that they were capturing the data they collected.
  4. Jumpshot data showed how Facebook and Google can siphon traffic to themselves instead of other sites, cutting off smaller sites from revenue.

Traffic Siphoning

Regarding point 4 – there is no question that Google and Facebook do this.

For the past few years Google has been slowly reducing the need for people to click anywhere else. Using “features” like the Featured Snippet, Knowledge Panels and Related Questions, Google can drastically reduce the traffic that flows through Google.

Today you can go to Google, ask a question, and then get an answer. All without leaving Google’s site.

Facebook does similar things with their embedded articles. Instead of clicking through to an external site, people stay on Facebook to read an article (or their news feed) and then they can see more ads.

So while Rand is right about this, we hardly need external data to prove this.

Jumpshot Helping Small Companies

Regarding point 1 – Jumpshot selling data to smaller companies to defeat tech giants.

While I’m sure that Jumpshot did sell data to smaller companies, they probably sold a lot more (and a lot more granular) data to larger companies.

The PC Mag and Vice articles linked above discuss data sales to companies costing millions of dollars. This isn’t going to help a small mom-and-pop store compete against something like Amazon. It’s going to help one giant (Microsoft) compete against another (Google).

And while Jumpshot did provide additional data to 3rd party SEO services (like Moz, Ahrefs, and others) that was more expansive than the data provided by Google or Bing, that doesn’t make up for the fact that while they may not have lied about what they were doing, they were definitely less-than-upfront with the amount of data they collected.

Clarity In Capturing Data

This is where Jumpshot took their biggest hits in the media and in the public, and why I’m glad they are gone.

While Avast/Jumpshot did eventually provide some opt-in (there is some disagreement if it always had one), I don’t think they made it clear that they were doing such granular tracking of what users were doing.

After all, while it’s not only tracking the web pages you visit, it’s also tracking things like when you switch tabs, how long a tab may be in the background, when you close (or open) tabs and what pages you visit.

According to the Vice investigation, Jumpshot could:

Jumpshot’s data could show how someone with Avast antivirus installed on their computer searched for a product on Google, clicked on a link that went to Amazon, and then maybe added an item to their cart on a different website, before finally buying a product

Additionally, since antivirus software, by its very nature, has to hook in at a lower level of an operating system than other “normal” applications, they should be held to a higher standard of trust and openness.

While Avast may have (eventually) provided opt-ins for the data collection, I think it was too little, too late. They really should have made it abundantly clear exactly what they were collecting. Their most recent “opt-in” screen is still vague, unless you’re paranoid about data tracking (which you apparently have to be these days).

Jumpshot’s last opt-in form. Still vague.

If including phrases like “tracking your active tabs”, “seeing your search engine queries”, or “see your purchase activity” feels too creepy, then maybe don’t do it.

What Comes Next

Since Jumpshot was likely a major source of revenue for Avast, I wonder what is coming next.

Their business model seemed to center around “giving away” free antivirus software, and while they did have options for consumers to pay for protection, I doubt many people did. It will be interesting to see how the companies monetization strategy changes in the future, or if they also close down.

This is whole story is one of the reasons why I’ve started moving a bit more towards paying for services I find valuable. It may be a worn-out phrase now, but it really is true that if you’re not paying with money, you’re likely paying in some other way you may not realize.

Additionally, if you’re using Windows, you need to be using Windows 10. Some small comfort for Windows 10 users is that even though many aspects of OS seem to be randomly bursting into flames, the built-in antivirus software (Windows Defender) is more than adequate for a majority of users.