Lately things have not been going well for Avast. The company is facing criticism for some of its business practices. It all started when Wladimir Palant published a detailed analysis of the Avast browser extensions.
It revealed that the extensions were passing browsing history information to Avast, and showed that the amount of data exceeded what the company needed to deliver the security its product promised. The data included the full URL of every page the user visited, the page title, the referrer (the site the user came from), and any links from search result pages.
Palant concluded that the excessive data collection was intentional. Mozilla and Google immediately removed the Avast and AVG extensions from their respective stores. Avast has since updated its extensions and released them again.
But research from Vice and PC Magazine took a closer look at Avast's business practices and user-generated data. According to that information, Avast's subsidiary Jumpshot takes this data and processes it for sale to companies.
One product, called Feed All Clicks, provides businesses (clients include large companies such as Google, Microsoft, Pepsi, Home Depot or McKinsey) with detailed information on user behavior, the clicks users make and, in general, every activity they perform.
According to Avast, the data is anonymized, meaning that personal information such as the user's IP address or email addresses is removed before the collected data is sold.
However, a data packet can also include the IDs of the connected devices, which makes it very easy to search for the browsing record of a specific device. The packets also include the date and time, as well as information about the end user's location.
Companies buying the data can now use other data sources to locate individual users. Imagine large companies like Google and Amazon, which hold huge volumes of information, cross-referencing their data to track every user activity.
Also, if the IP address removal does not happen as Avast claims (why should we believe it anyway?), the data does not even need to be cross-referenced to verify a user's location and behavior. Visits to a personal page, replies on Twitter, uploads to YouTube or any other activity can easily be linked to accounts and give third parties information about the user's real identity.