Mozilla and Opera remove Avast extensions from their add-on stores, what will Google do?

A month ago I wrote about Avast browser extensions being essentially spyware. While this article only names Avast Online Security and AVG Online Security extensions, the browser extensions Avast SafePrice and AVG SafePrice show the same behavior: they upload detailed browsing profiles of their users to uib.ff.avast.com. The amount of data collected here exceeds by far what would be considered necessary or appropriate even for the security extensions; for the shopping helpers this functionality isn’t justifiable at all.

Avast watching you while browsing the web

After I published my article I got the hint to look at Jumpshot, a company acquired by Avast in 2013. And indeed, that suddenly made perfect sense. On their website, Jumpshot praises its “clickstream data” product:

Incredibly detailed clickstream data from 100 million global online shoppers and 20 million global app users. Analyze it however you want: track what users searched for, how they interacted with a particular brand or product, and what they bought. Look into any category, country, or domain.

That sounds exactly like the data that Avast collects from their SafePrice and Online Security users. Yes, you are the product – even if you paid for that antivirus.

Spying on your users is clearly a violation of the terms that both Google and Mozilla make extension developers sign. So yesterday I reported these four extensions to Mozilla and Google. Mozilla immediately disabled the extension listings, so that these extensions can no longer be found on the Mozilla Add-ons site. Mozilla didn’t blacklist the extensions however, stating that they are still talking to Avast. So for existing users these extensions will still be active and continue spying on the users.

Update (2019-12-04): I also reported these extensions to Opera. 16 hours later I received a response from Opera:

Thanks for reporting it to us. We unpublished these extensions from our store.

And what about Google? Google Chrome is where the overwhelming majority of these users are. The only official way to report an extension here is the “report abuse” link. I used that one of course, but previous experience shows that it never has any effect. Extensions have only ever been removed from the Chrome Web Store after considerable news coverage. Or does anybody have a contact at Google who would be able to help?

Update (2019-12-18): Google unexpectedly removed three of the extensions from Chrome Web Store. Only the AVG Online Security extension remains listed.

Comments

  • Dave

    Thanks!

  • Michael Fever

    Nice work! The web needs more people like you!

  • Hunter Lewis

    To quote ZDnet "We have already implemented some of Mozilla's new requirements and will release further updated versions that are fully compliant and transparent per the new requirements," the Avast spokesperson said. "These will be available as usual on the Mozilla store in the near future."

    Amazing how they got caught, and think it's perfectly OK to breach a contract and steal data from their clients.

    Wladimir Palant

    Yes, I've seen their statements, and I wonder what their accepted solution is going to look like. Also whether they update the Chrome extension given that Google doesn't seem interested in taking action.

    That said, these statements aren't true of course. First of all, Mozilla's policies haven't seen any changes in years that would have been relevant here. Second, they collect far more data than necessary for the functionality and they know it. I've looked at Microsoft's Windows Defender Browser Protection browser extension today, that one only sends the hostname and path, no parameters and no context information. Microsoft also has a problematic instanceID parameter, but at least that one changes daily - it's not a persistent user identifier. Never mind having the exact same functionality in a shopping helper.

    But what else would one expect? Avast has already been caught four years ago, yet they somehow got away with claiming that they fixed the issue and simply continuing.
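The "hostname and path only" design mentioned in the reply above, as an added example that is not code from the original post, from Avast or from Microsoft. It reduces a visited URL to the minimum a reputation lookup needs and audits a request payload against that minimum; all function names, field names and sample values are constructed for illustration.

```javascript
// Added example: data minimization for a URL reputation lookup.
// Names and sample data are hypothetical, not taken from any real extension.

// Only these fields may leave the browser (assumed lookup format).
const ALLOWED_FIELDS = new Set(['host', 'path']);

// Reduce a visited URL to hostname and path. Query string, fragment,
// port and embedded credentials are dropped.
function minimizeUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return null; // unparseable input: send nothing
  }
  // Local files and internal pages never need a remote lookup.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return null;
  }
  return { host: url.hostname, path: url.pathname };
}

// Review helper: list everything in a payload that exceeds the minimum.
function auditPayload(payload) {
  const findings = [];
  for (const [key, value] of Object.entries(payload)) {
    if (!ALLOWED_FIELDS.has(key)) {
      findings.push(`unexpected field: ${key}`);
    } else if (typeof value === 'string' && /[?#]/.test(value)) {
      findings.push(`field ${key} carries a query string or fragment`);
    }
  }
  return findings;
}

// Constructed sample input.
const SAMPLE_URL =
  'https://user:secret@shop.example:8443/cart/view?postcode=AB12CD&q=shoes#top';
const SAMPLE_VERBOSE_PAYLOAD = {
  url: SAMPLE_URL,              // full URL including parameters
  userId: 'constructed-id-123', // persistent identifier
  host: 'shop.example',
  path: '/cart/view?postcode=AB12CD',
};

console.log(minimizeUrl(SAMPLE_URL));
console.log(auditPayload(SAMPLE_VERBOSE_PAYLOAD));
```
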

  • Hunter Lewis

    Either way, thank you for the hard work you put into this, keep up the good job.

  • jimmy michael

    Thanks, I'm sharing this on Twitter

  • George Hudson

    I'm curious about what's happening with the Honey extension too. I recently was browsing Macy's and noticed they started sending my email address back to their mothership...

  • Bob

    Thanks for highlighting this. Avast are indeed collecting this data and re-selling it via Jumpshot, but they claim they have users' consent to do this and that’s why they can re-sell it. I’ve seen this data and it is incredibly granular. Data fields include a timestamp (to “millisecond precision”) as well as device ID, browser type and platform, full URL (which occasionally includes information like postcode, car registration, phone number etc), details of any searches undertaken while on that URL and derived location (from the IP). URLs can include visits to health websites, porn viewing etc. Everything that browser has looked at or searched for online. This data is sold to 3rd parties.

    Wladimir Palant

    I'd doubt the "have user consent" part. The application indeed asks users about data collection when it is first installed. However, the browser extensions simply ignore this setting (yes, they know application settings and actually consider a bunch of them).

  • Ektoras Karagiannis

    Ironic, how a security minded company is focusing on "hey no worries, not traceable", at the same time brushing off the entire data aggregation process, a process the average user is totally clueless about.

    How about starting being ballsy and transparent from the get-go? Post up an informational "Here is the sort of data we gather up on you, as we need to pay the bills" page, complete with a comprehensive sample of the actual data structure you are sending over, arguing how it in fact isn't traceable.

    Then get an opt-in checkbox. Honestly, if you inform me you need me to help you by giving you my data, you do have better chances telling me about it beforehand - like Mozilla does.

    Wladimir Palant

    Oh, they already have an opt-in process for data collection. You see the corresponding screen when you install the antivirus. And then the browser extensions completely ignore it, even though they respect some other antivirus settings.

  • James

    None of the people's data is used to target people as per the Avast terms of service. Whereas all the walled gardens use that data to target people in their advertising offers. So cool. The Walled gardens get stronger and more and more money will sit with the Google, FB, and Amazon. If that is the goal then great. But it's not as simple as this makes it out to seem.

    Wladimir Palant

    That's a weird logic. Of course, if there are hundreds of parties stealing and exchanging our data, then Google, Facebook and Amazon will lose an advantage. But is that the world that you want to strive for? Is it really the ideal scenario for us as consumers? Wouldn't it rather make more sense to restrict Google & Co. in what data they can collect and how they can use it?

    As to Avast terms of service - sure, it's your choice if you want to rely on those to protect you. But terms of service generally exist to protect the company, not consumers. And Avast was already caught collecting and selling users' data without informing them. They went as far as to show a consent screen for the data collection in the antivirus application (not explaining that they turn data into profit of course), then ignoring the result in the browser extensions despite respecting some other antivirus settings. Now they are defending themselves with claims that are provably incorrect, e.g. talking about Mozilla changing add-on policies and delisting them on short notice when the policy in question is many years old.

    So: yes, you can choose to trust Avast. But please don't expect other people to follow you there.

  • Graham Perrin

    "… Mozilla … add-on policies … the policy in question is many years old. …"

    Please, which policy is so old?

    https://blog.mozilla.org/addons/2019/05/02/add-on-policy-and-process-updates/ (May 2019) was for the June 2019 update.

    https://extensionworkshop.com/documentation/publish/add-on-policies/ itself was updated this month. In the Wayback Machine: https://web.archive.org/web/20191004061029/https://extensionworkshop.com/documentation/publish/add-on-policies/

    Wladimir Palant

    That most recent policy update only affects extensions using obfuscated code, presumably it has nothing to do with the Avast situation. The relevant update is rather https://blog.mozilla.org/addons/2018/03/05/updates-add-review-policies/ which is mentioning data collection, that's April 2018. But even that update was a mere clarification, that policy existed in a somewhat different form for almost as long as addons.mozilla.org itself.

    extensionworkshop.com is a very new website, you have to look up https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Agreement in the Wayback Machine. For example, the 2015 version says: "Add-ons must not: make any unexpected features that can be privacy or security-sensitive strictly opt-in" (yes, the formulation is suboptimal but the meaning is clear nevertheless).

  • Steve

    I use the Avast client but not any of the browser extensions and I've had my suspicions for a while that the antivirus client is also doing things with URLs you visit. For example if you visit an adult site it will pop up an advert for their VPN service. Not every time mind you but often enough to not be a coincidence.