After reports emerged that antivirus software company Avast collected and sold users’ web browsing data, the company announced that it was ending this practice, closing Jumpshot, its data packaging and selling subsidiary, immediately.
The company announced its action in a blog post written by Avast CEO Ondrej Vlcek. Vlcek stated, “Avast’s core mission is to keep people around the world safe and secure, and I realize the recent news about Jumpshot has hurt the feelings of many of you, and rightfully raised a number of questions – including the fundamental question of trust.” Vlcek added, “[f]or these reasons, I – together with our board of directors – have decided to terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect… the data collection business is not in line with our privacy priorities as a company in 2020 and beyond. It is key to me that Avast’s sole purpose is to make the world a safer place, and I knew that ultimately, everything in the company would have to become aligned with our North Star.”
An investigation led by VICE and PCMag revealed that Avast, via Jumpshot, was packaging user web browsing data and selling it to companies for advertising purposes. Jumpshot, self-described as “the only company that unlocks walled garden data… to provide marketers with unparalleled visibility, analytical insights and a more comprehensive understanding of the online customer journey that delivers a highly competitive advantage.” This information included web searches, location coordinates, and specific actions like viewing YouTube videos or visiting a company’s LinkedIn page. Some companies paid millions of dollars for this data. Avast claimed that users opted-in to the data collection, but some users claimed in the investigation that they did not realize they were opted-in and did not remember being asked.
After the revelations, an influx of angry customer posts hit the company’s social media accounts. The company has attempted to placate users, stating that it does not collect personally identifiable information and is compliant with GDPR (the European Union’s General Data Protection Regulation) and CCPA (California Consumer Privacy Act). Vlcek emphasized that Jumpshot was a separate entity while defending the way it collected data. Jumpshot claimed to have data from as many as 100 million devices.
Vlcek wrote, “[w]e started Jumpshot in 2015 with the idea of extending our data analytics capabilities beyond core security. This was during a period where it was becoming increasingly apparent that cybersecurity was going to be a big data game. We thought we could leverage our tools and resources to do this more securely than the countless other companies that were collecting data.”