
Anti-virus company Avast ‘winding down’ subsidiary that sold millions of users’ sensitive web data

Anti-virus company Avast says it will shut down a subsidiary that was harvesting sensitive web data from users, including what they clicked on and even what porn they searched for.

In a statement on Thursday, Avast announced its decision to wind down ‘Jumpshot’, a subsidiary that drew public scrutiny following a report by Motherboard and PCMag revealing how it tracked users’ data.

‘Avast’s core mission is to keep its users safe online and to give users control over their privacy,’ said Ondrej Vlcek, CEO of Avast, in a statement.

‘The bottom line is that any practices that jeopardize user trust are unacceptable to Avast. We are vigilant about our users’ privacy, and we took quick action to begin winding down Jumpshot’s operations after it became evident that some users questioned the alignment of data provision to Jumpshot with our mission and principles that define us as a Company.’

While Avast said it’s ‘winding down’ Jumpshot, it did not elaborate on when exactly operations would fully shut down. 

Antivirus company Avast and its subsidiary Jumpshot were funnelling data to companies around the world including Microsoft, Google and more

Avast said it will compensate companies that currently have contracts with the company to receive user data.

‘Jumpshot intends to continue paying its vendors and suppliers in full as necessary and in the ordinary course for products and services provided to Jumpshot during its wind down process,’ the company said in a statement. 

‘Jumpshot will be promptly notifying its customers in due course about the termination of its data services.’

It also did not say what it would do with the user data already collected. A request for comment from MailOnline was not immediately returned before time of publication.   


Companies that bought Avast’s user data include:

Google, Yelp, Microsoft, McKinsey, Pepsi, Home Depot, Condé Nast, Intuit, Trip Advisor, and many more.

Many of those companies chose not to respond to inquiries about what they did with Avast data. 

Documents and leaked user data obtained in an investigation that was reported this week reveal that information collected by Avast on tens of millions of its users includes details that most consider to be sensitive.

Among them are web browsing history, some of which was granular enough to track individual clicks on a web page. 

In addition to search histories, location histories, and which videos a user watched on YouTube, documents show that Avast tracked visits to porn sites like PornHub or YouPorn and in some cases logged the time a user visited the site and which specific video they watched and what queries they entered.

Though the data was reportedly not personally-identifiable, meaning it’s not accompanied by a name or other identifier, experts interviewed by Motherboard say the level of detail tracked by Avast may undermine its anonymity. 

‘De-identification has shown to be a very failure-prone process. There are so many ways it can go wrong,’ Günes Acar, who studies large-scale internet tracking at the Computer Security and Industrial Cryptography research group at the Department of Electrical Engineering of the Katholieke Universiteit Leuven, told Motherboard.

‘Most of the threats posed by de-anonymization—where you are identifying people—comes from the ability to merge the information with other data.’

Acar told Motherboard that with the specificity of timestamp data and other points, identities could feasibly be reconstructed. 

Depending on the specificity of that data, Avast would adjust its pricing and packages, selling more granular information for millions of dollars.  

Comprehensive packages purchased by a New York-based media company called Omnicom total upwards of $4.5 million and, in Jumpshot’s own words, give access to ‘Every search. Every click. Every buy. On every site.’

That package gave Omnicom access to data of users from 14 different countries and some personal data like gender, which is inferred based on browsing data.

While Jumpshot ‘hashed’ – encrypted – device IDs of its users, it also said that those IDs never change, meaning they’re permanently linked to a user’s information, making it more likely to identify a subject.
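Why a hashed ID that never changes still ties a user's records together, shown as an added illustration (not code from Avast, Jumpshot or the original report): a plain hash of a fixed device ID is itself a fixed value, so every exported record for that device carries the same label. The device names, URLs, key and the daily-rotation scheme below are constructed assumptions, the last being one possible mitigation rather than anything the companies describe.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample events: (device_id, day, url). Not real data.
EVENTS = [
    ("device-A", 1, "news.example/politics"),
    ("device-A", 1, "maps.example/home-to-office"),
    ("device-A", 2, "video.example/watch?v=123"),
    ("device-A", 3, "shop.example/cart"),
    ("device-B", 1, "news.example/sport"),
    ("device-B", 3, "shop.example/checkout"),
]

def static_pseudonym(device_id):
    """Plain hash of the device ID: the same device always gets the same value."""
    return hashlib.sha256(device_id.encode()).hexdigest()[:16]

def rotating_pseudonym(device_id, day, key):
    """Keyed hash bound to the day: the value changes daily and the
    key stays with the collector (hypothetical mitigation)."""
    msg = f"{day}|{device_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def profiles(events, pseudonymize):
    """Group exported records by pseudonym, as any data recipient could."""
    grouped = defaultdict(list)
    for device_id, day, url in events:
        grouped[pseudonymize(device_id, day)].append((day, url))
    return dict(grouped)

def max_days_linked(grouped):
    """Largest number of distinct days tied to a single pseudonym."""
    return max(len({day for day, _ in rows}) for rows in grouped.values())

SECRET = b"constructed-demo-key"  # assumption: never leaves the collector
static = profiles(EVENTS, lambda dev, day: static_pseudonym(dev))
rotated = profiles(EVENTS, lambda dev, day: rotating_pseudonym(dev, day, SECRET))

if __name__ == "__main__":
    print("static IDs:  ", len(static), "profiles,", max_days_linked(static), "days linked")
    print("rotating IDs:", len(rotated), "profiles,", max_days_linked(rotated), "day linked")
```

With the static hash, all of a device's activity collapses into one multi-day profile; with the rotating keyed hash, a recipient can only group records within a single day.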

Despite a tweak in its policies that asks for permission to track web data, some users say they were unaware that Avast had ever engaged in the practice (Stock photo)


Just what each company used the data for varied, according to Motherboard.

Home Depot, one of a handful of companies to respond to inquiries about Avast’s services, told Motherboard: ‘We sometimes use information from third-party providers to help improve our business, products and services. We require these providers to have the appropriate rights to share this information with us. In this case, we receive anonymized audience data, which cannot be used to identify individual customers.’

Microsoft didn’t elaborate on what it used data for but reportedly has no ongoing relation with Avast while Yelp says it used Avast data to help it in an antitrust suit with Google.

‘In 2018, as part of a request for information by antitrust authorities, Yelp’s policy team was asked to estimate the impact of Google’s anticompetitive behavior on the local search marketplace. Jumpshot was engaged on a one-time basis to generate a report of anonymized, high-level trend data which validated other estimates of Google’s siphoning of traffic from the web. No PII was requested or accessed,’ a Yelp spokesperson told Motherboard.

