Prague-based security giant Avast is accused of earning millions of Euros from selling sensitive data of its millions of Dutch customers.
According to a recent report from AD.nl by Sebastiaan Quekel, Avast, now under the Gen Digital mega-conglomerate, is facing a potential billion-euro lawsuit. The accusation? Violation of its users’ trust by selling sensitive data collected over years.
The lawsuit is being spearheaded by Stichting CUIC, a branch of well-known civil rights organization Privacy First, demanding between €800 and €1100 in damages per user. This would amount to a multi-billion Euro claim. “It is bizarre that Avast, a company that stands for online security, has so massively abused our trust,” a CUIC spokesperson told the news site.
In December 2019, Avast came under fire when it was discovered that it had been collecting sensitive information from users. This information included Google search queries, GPS coordinates, YouTube videos, visits to adult websites, online purchases, and even users’ complete search histories. Avast could even determine when a user visited adult sites and in some cases, what specific video they watched.
“This is the reverse world. You install antivirus software to secure your PC, and you get espionage in return. We consider this a big scandal,” the CUIC spokesperson remarked.
The Data Sales
Avast sold this collected information via Jumpshot, another Avast subsidiary that promised to optimize customers’ computers ‘in the blink of an eye’. However, in the meantime, Avast was selling personal data to giants like Google, Yelp, Microsoft, and Pepsi.
Jumpshot’s ‘all clicks feed’ service allowed these companies to analyze user behavior, track user clicks, and register how they navigated websites in detail. In 2018, Jumpshot claimed it had data from 100 million unique devices.
Aftermath and Excuses
Avast’s actions drew criticism not only from consumers but also from other businesses. Internet giant Mozilla Corporation removed Avast’s and AVG’s extensions from Firefox when it became evident that Avast was collecting more data than permitted. Wladimir Palant, creator of AdBlock Plus, accused Avast and AVG of spying on users through the Online Security extensions.
Although Avast’s management has since apologized, the Dutch privacy watchdog considers this insufficient. “You shouldn’t be able to get away with these practices where money has knowingly been earned from privacy violations,” said Wilmar Hendriks, chairman of the Consumers United in Court (CUIC), which is preparing the class action suit with Privacy First.
Deception and Theft
Over the past years, 435 million users, including five million Dutch, had installed antivirus software from Avast on their phones or PCs. Users installed the software expecting to protect their data from malware. However, while the company capitalized on their need for digital security, it turned their data into a form of merchandise. “This is just theft,” says the CUIC spokesperson.
Not Just “Anonymous” Data
While Avast claims in its user agreements that it collects browsing history under the condition that data are ‘anonymized’, privacy experts argue this data can indeed be traced back to users. All information is linked to a ‘device ID’, and it’s not hard for companies to match these IDs to real individuals, rendering users easily identifiable.
In January 2020, Avast stopped selling user data to companies. Still, a conversation between a delegation from Avast and CUIC in November last year yielded no results, leading CUIC and Privacy First to prepare a lawsuit. “Saying sorry is one thing, but compensating customers for their stolen data would really send a good signal.”
Avast has always emphasized that it does not collect ‘personal identification information such as names, email addresses or contact information’. “Users always had the choice to stop sharing data,” it said in a statement. However, Stichting CUIC does not believe this to be true.