After Avast's Malefaction, Data Protection should be High-Priority

• Avast had been harvesting the web browsing data habits from its hundreds of millions of customers to supply some of the world’s biggest firms.

• Avast's wrongdoings are what many privacy and security experts have long warned about: Attempts to deanonymize data sets.

• The story stands as a lesson for consumers and calls for them to ensure that their data is protected and safe at all times.

Avast, a free anti-virus software provider, which is being used by millions around the world, has admitted to selling " highly sensitive" web browsing data via a subsidiary company called Jumpshot.

Investigations done by Vice and PC Mag had reported that Avast had been harvesting the web browsing data habits from its hundreds of millions of customers to supply some of the world’s biggest firms.

Soon after the reports came out, Czech authorities bounce into action, to start an investigation of their own. The investigation found that the anonymized web history data could then be traced back to individual users. Avast via Jumpshot was tasked with selling the user data from millions of devices to major brands and e-commerce providers.

Shares in Avast tanked after reports of sale of user data surfaced.

Recap on the Avast's Malefactions

Jumpshot, a US-based marketing company was purchased by Avast back in 2013.

The Czech-based anti-virus giants scraped data from the software it provides to customers and handed the information to the marketing subsidiary Jumpshot, which then repackaged the information and sold it for millions of dollars.

Even though Avast required users to opt into this data sharing, the investigation found many were unaware Jumpshot was then selling on their data. The revelations emerged following a joint investigation by trade publications Motherboard and PCMag.

The data sold include Google searches, Google Maps location searches, activity on companies’ LinkedIn pages, YouTube visits and data on people visiting porn websites.

Avast did not deny the allegations and said it had moved to stop the data-sharing practices.

READ MORE: Privacy experts Skeptical of proposed data protection agency

What the Latest on it?

The expose has led to the Czech data protection authority starting up an investigation into Avast and its activities. In an official statement, the company has said that it has initiated a preliminary investigation of the case based on the information revealed.

At the moment we are collecting information on the whole case. There is a suspicion of a serious and extensive breach of the protection of users’ personal data. Based on the findings, further steps will be taken and general public will be informed in due time.

- Ivana Janu, President, Czech Office for Personal Data Protection.

Lessons for Information Security

The story raises several serious questions about the ethics of processing and selling data. It also stands as a lesson on information security for consumers and calls for them to ensure that their data is protected and safe at all times.

It is an unfortunate fact that in this day and age, consumers must be wary of who they trust with their data. When the antivirus companies are the bad guy, it’s difficult to see who is good. The best course of action is to constantly ensure that your personal data stays secure. This can be done by managing preferences on websites, but when it comes to software as a service (SaaS) it becomes even more sinister and we must be even more wary.

-Robert Ramsden-Board, VP EMEA, Securonix

“As the saying goes, if you're not paying for the product, then you are the product. That wisdom certainly proved true in this case. AVG and Avast abused users' trust and put them at risk, which could well be a death sentence for a business that users rely on for protection,” said Paul Bischoff, a privacy advocate at Comparitech.com, while talking about users preferring to use free anti-virus versions even though availability of paid products by both Avast and AVG.

Boris Cipot, a senior security engineer at Synopsys, while talking about the recent developments and the seriousness amongst the authorities regarding to GDPR said, “I just wonder how many of such cases will need to be uncovered before this type of data trafficking stops and we can finally rest assured that the companies we trust with our data will not reuse it, or in some cases even misuse it.”

Avast's wrongdoings are what many privacy and security experts have long warned about: Attempts to deanonymize data sets. Even data that has been purportedly made anonymous can still often be linked back to individual users. It also highlights a continuing gulf between increasingly strict data protection regulations and user expectations.

Is your anti-virus spying on you?

READ MORE: 3 trends in Data privacy breach laws that will carry over to 2020