Things haven't been going well for Avast lately. THE company faces criticism for some of its business practices. It all started when Wladimir Palant gave in the light of publicity a detailed analysis of Avast browser extensions.
He revealed that the extensions passed the browsing history information to Avast and showed that the volume of data exceeded the data the company needed to provide the security promised by its product. The data included the full URL of any page the user visited, the title of the page, the referer (the site the user came from), and any links from search results pages.
Palant concluded that excessive data collection was intentional. Mozilla and Google immediately removed Avast and AVG extensions from their respective stores. Avast has updated its extensions and released them again.
A research but from Vice and PC Magazine took a closer look at Avast's business practices and user-generated data. According to the information, the subsidiary of Avast Jumpshot takes this data and processes it for sale to companies.
One product, called Feed All Clicks, provides businesses (clients include major companies such as Google, the Microsoft, Pepsi, Home Depot or McKinsey) detailed information about user behavior, the clicks they make and generally their every activity.
The data is anonymous according to Avast, which means that there is no personal information, such as the user's IP address or e-mail addresses. All of this is removed before the data collected is sold.
However, a data packet can also include the IDs of the connected devices which makes it very easy to search for it record browsing a specific device. They also include the date and time, as well as information with the location of the end user.
Companies now buying data can use other data sources to locate individual users. Imagine large companies like Google and Amazon having huge volumes of information, cross-referencing their data to track every user activity.
If also the removal of the IP address does not happen as Avast reports, (why believe it anyway) the data does not even need to be crossed to verify the location, and the behavior of a user. Visits to a personal page, Twitter replies, YouTube uploads or any other activity can easily be linked to accounts and provide information to third parties about the user's true identity.
