In a recent and significant development, Avast, a prominent name in cybersecurity, faces a substantial fine of US$16.5 million. This action by the Federal Trade Commission (FTC) follows revelations that the company was covertly selling its users’ browsing data, raising serious questions about privacy violations and the ethical conduct of tech firms.
Extensive data selling without consent
The case against Avast dates back to the period between 2014 and 2020. During this time, the company allegedly harvested vast amounts of web browsing data through its antivirus software and various browser extensions. This data collection wasn’t just extensive but also deeply personal. It included sensitive details about users’ religious beliefs, health concerns, political affiliations, geographical locations, and financial situations. Making matters worse, this information was stored indefinitely and sold to more than 100 different third-party entities without the knowledge or consent of the individuals whose data was being traded.
The issue became public following a collaborative investigation by Motherboard and PCMag in 2020. As a result, Avast ceased operations of Jumpshot, its subsidiary responsible for data harvesting. Despite Avast’s claim of anonymising the data before its sale, the FTC discovered it still contained unique identifiers for each browser. These identifiers gave third parties access to comprehensive browsing histories, timestamps, device and browser types, and user locations.
FTC’s stringent response and Avast’s stance
The FTC’s response to Avast’s malpractices has been robust and uncompromising. The agency’s order includes a substantial monetary fine and imposes strict regulations on Avast’s future operations. The company is now prohibited from misrepresenting its data collection and usage practices and is barred from selling or licensing browsing data for advertising purposes. Additionally, Avast must delete all the web browsing data it acquired through Jumpshot and inform affected customers about the unauthorised sale of their data.
In a recent statement, Avast spokesperson Jess Monney expressed the company’s commitment to protecting digital lives. While Avast disagrees with the FTC’s allegations and the portrayal of the facts, it is ready to resolve the matter and focus on serving its global customer base.
Broader implications for digital privacy
This case is not isolated but part of a larger movement by the FTC to clamp down on inadequate data privacy practices. Earlier in the year, the FTC settled with Outlogic, formerly X-Mode Social, to stop the company from selling location-tracking data. InMarket, another firm, was also banned from selling precise user locations.
The Avast incident serves as a critical reminder of the delicate balance between user privacy and the business objectives of technology companies. In an era where digital privacy is increasingly becoming a paramount concern, businesses are challenged to find innovative solutions that respect user privacy while maintaining commercial viability.