Avast’s User Data Sold To Omnicom, Marketers, Big Tech

It was discovered that the free cyber security software, Avast, collects user data and that some of that data was given to a third-party known as Jumpshot, who in turn signed contracts with other companies and sold the data to them, which reportedly includes venture capital firms, marketers, big tech, and a global media firm known as Omnicom.

The Czech-based outfit was put under the microscope in a joint investigation by PCMag and Motherboard, who discovered that Avast was collecting user data that ranged from URLs visited, searches made, products purchased, and social media interactivity.

Avast had claimed that they used an algorithm to “de-identify” users, excising from their collected data any e-mail, IP address, location, or other personal identifying information. However, the article explains…

“PCMag and Motherboard learned about the details surrounding the data collection from a source familiar with Jumpshot’s products. And privacy experts we spoke to agreed the timestamp information, persistent device IDs, along with the collected URLs could be be analyzed to expose someone’s identity.”

It might sound like fearmongering based on conspiracy, but it turns out that the concerns raised by PCMag and Motherboard were also shared by a privacy researcher who came to the same conclusion that they did: that combining certain datasets could very well reveal the identity of the user, even without e-mail addresses, IP addresses, or location data.

This supposition turned out to be fact.

Some actual journalism turned up a contract that Avast’s partner Jumpshot had signed with Omnicon. The significance of this contract is that all of the data that Jumpshot collected from Avast was being given to Omnicon.

In the article they explain…

“[…] But in regards to one particular client, Jumpshot appears to have offered access to everything. In December 2018, Omnicom Media Group, a major marketing provider, signed a contract to receive what’s called the “All Clicks Feed,” or every click Jumpshot is collecting from Avast users. Normally, the All Clicks Feed is sold without device IDs “to protect against triangulation of PII (Personally Identifiable Information),” says Jumpshot’s product handbook. But when it comes to Omnicom, Jumpshot is delivering the product with device IDs attached to each click, according to the contract.


“In addition, the contract calls for Jumpshot to supply the URL string to each site visited, the referring URL, the timestamps down to the millisecond, along with the suspected age and gender of the user, which can inferred based on what sites the person is visiting.”

Both PCMag and Motherboard attempted to contact Omnicom but the company didn’t respond to their requests.

It was also discovered that various other big tech firms were clients of Jumpshot, too, ranging from IBM, Microsoft, and Google. IBM told them that they had “no record” of doing business with Jumpshot, while Microsoft said they have no “current” relationship with Jumpshot. Google opted not to respond.

Apparently Jumpshot had done business with a number of outfits across a number of fields, including Nestle Purina, Unilever, Intuit, and GfK.

Avast, however, responded to some of PCMag and Motherboard’s questions, but opted not to answer all of them. They explained in a statement…

“We completely discontinued the practice of using any data from the browser extensions for any other purpose than the core security engine, including sharing with Jumpshot,” […]


“[…] Users have always had the ability to opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV (antivirus), and we are now also prompting our existing free users to make an explicit choice, a process which will be completed in February 2020,”

However, Avast was caught with their hand in the cookie jar before when security researcher Wladimir Palant found out about their data collection on users back in October of 2019, which resulted in Mozilla and Google temporarily disabling the Avast add-on in December until the company removed the data collection spyware.

As pointed out in the article, most people also didn’t know that their data was being collected for the purpose of being sold when they agreed to the opt-in privacy policy by Avast, because most people don’t stop to read through the entire privacy policy to gather such information. Worse yet is that most privacy policies are vague enough that it gives companies like Avast leeway to shift and move the blame to Jumpshot, who was doing all the shuffling and moving of user information for premium contracts.

In any case, it’s probably best to avoid Avast if you don’t want your data being sold to big tech, marketers, or anyone else out there.

(Thanks for the news tip Mister Reland)

(Main image courtesy of The Average Joe)