Official statement on the recent news about privacy

In December 2019, we acted quickly to meet browser store standards and are now compliant with browser extension requirements for our online security extensions. At the same time, we completely discontinued the practice of using any data from the browser extensions for any other purpose than the core security engine, including sharing with our subsidiary Jumpshot.

We ensure that Jumpshot does not acquire personal identification information, including name, email address or contact details. Users have always had the ability to opt-out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020.
Our Privacy Policy details the protections we put in place for all our users. Users can also choose to adjust their privacy levels using the broad range of settings available in our products, including control over any data sharing at any time. We voluntarily comply with the GDPR and California Consumer Privacy Act (CCPA) privacy requirements across our entire global user base.
We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data for our core security products.

UPDATE Jan 30: https://press.avast.com/avast-to-commence-wind-down-of-subsidiary-jumpshot

Hi Avast guys,

as a long-term PAYING customer and in light of the recent news of what you do with our data I’d like to ask two questions:

1. Is paid version of Avast Internet Security also sharing any of user’s data (anonymized or not, aggregated, whatever) with any third party (most of the news mention only Free version)?

2. If so, is it possible to opt-out from any kind of such a sharing and what must you customers do to achieve that (suppose Avast IS is already installed as is the case of my PC)?

Please give simple and honest answer, no references to EULA, etc. - we all know that nobody reads them, that’s why we (used to) trust some of the sw vendors. I believe that is the only way how your company can get out of this loss of trust with relatively little harm.

Thank you.

It is not a very clear answer regarding user privacy.

Hello,
ad 1. It depends on the settings.
ad 2. yes, see the settings (screenshot attached).

Milos

Okay, gotta respond to this.

  1. That ‘ability to opt out’ ever since the GDPR wasn’t enough. It’s ‘consensual opt-in’, not ‘standard opt-in unless you change it’. You’ve been in breach of the GDPR for more than a YEAR.
  2. That ‘ability to opt out’ was quite hidden and never well communicated.
  3. With the new engine update, you reset it to standard opt-in for everyone, even if someone already had opted out. Plus, are you going to give the paying users the clear option too? Otherwise I see enough still unknowingly being opted-in to your data selling misuse.
  4. I saw the examples of the data you sold. That’s damnably identifiable.
  5. Are you going to give people free GDPR-insight into the data you gathered with the plug-in as well as core protection service data gathering abuses?
Our Privacy Policy details the protections we put in place for all our users. Users can also choose to adjust their privacy levels using the broad range of settings available in our products, including control over any data sharing at any time. We voluntarily comply with the GDPR and California Consumer Privacy Act (CCPA) privacy requirements across our entire global user base. We have a long track record of protecting users’ devices and data against malware, and we understand and take seriously the responsibility to balance user privacy with the necessary use of data for our core security products.

‘Voluntarily comply with GDPR’? Mister, you’re based in the European Union, you also serve European users. GDPR compliance is NOT voluntary, it is MANDATORY. Yet you’re in breach of the GDPR. Also, ‘for your core security products’? What has selling data to Google etc to do with ‘core security products’?

Edit: Also, I just took a look and your ‘choice message’ is possibly not even GDPR-compliant either because you’re not really completely open about what you do with the gathered data. And your colouring of green for ‘Yes’ and red for ‘No’ possibly isn’t allowed either.

A somewhat vague statement. Are our data secure Avast? Our banking information and so on? What exactly are you collecting?

I’ve been a paying customer for several years. I chose you because I believed you were a trustworthy company. But you succumbed to the greed that seems to affect many companies that grow to be giants.

I went and opted out of data sharing but I’m going to have to rethink my renewal. I WILL be looking at alternatives.

Poor response.

It is interesting that the statement starts with a rather convoluted admission you were already taking advantage of user data via the browser extension. You only “quickly acted to meet browser store standards” because you were removed from the stores after the Wladimir Palant blog.

BenMS86 makes several good points in his response above, too. As they rightly point out, GDPR requires an unambiguous and clear affirmative action to ‘opt-in’. That should have been active from May 2018 and not only for new users. You don’t ‘voluntarily comply’ with GDPR, it’s the ‘actual’ law. Speak to your data protection officer.

The Information Commissioner’s Office also says pre-ticked boxes should not be used as a method of ‘default consent’. It seems this is exactly what you did with the new engine, again as BenMS86 points out. It seems the default was opt-in even if you had previously opted out. Unless you can confirm otherwise?

Your claim that the data shared with Jumpshot is “de-identified” has also been queried by several security experts. Wladimir Palant wrote about it yesterday, here.

Again, it is extraordinary that a company like Avast - which says it offers “powerful security for your digital life” - would sell user data via Jumpshot, an outfit that openly advertises it collects “Every search. Every click. Every buy. On every site”. Regardless of the legal ramifications of your actions, ethically it is mad.

The only acceptable resolution to this was an admission that you dropped the ball, an apology, and then an announcement that Jumpshot would no longer be involved in Avast products. What you gave us was a meek reproduction of a vague privacy / consent policy.

Avast is a company based in an EU country (the Czech Republic) and doing business in the EU as well as other countries. The GDPR is mandatory NOT voluntary. Failure to follow the GDPR leaves Avast open to large fines.

Do the ‘check boxes’ in Privacy even work (I have them unchecked since the beginning), or they are just for placebo effect?

I would like to hear the answer myself.

GDPR fines can go into thousands of euros. And this is per case.

If there will be a lot of cases opened by consumer protecting instances this could mean the end of Avast as fines will be for any individual in the specific case it will add up quickly.

The initial post suddenly comes after the net is full of articles about this.

If the article didn’t appear they probably never posted about this either.

Too bad you bend over for ze money. Who knows what else has been collected over the year.
The pop ups we get every day show that there is enough sniffing going on.

Does Avast read our HTTPS communication and send it somewhere? That is very important to know!

We comply with the GDPR and California Consumer Privacy Act (CCPA) privacy requirements and apply them voluntarily across our entire global user base.

Yes, they work.

Avast Web Shield scans HTTPS so my guess is - probably yes.

As a paying customer for several Avast Products, I suppose Avast must offer compensation to any paying user who got affected by this situation.

You made a fortune on selling our data and capitalized on our trust. Now it’s time to give back. Otherwise, lawyers might be involved, and you might end up facing a collective lawsuit. I’m not sure how these things work in the EU, but here in the United States, you can really get your ass kicked.

So, while it’s not too late, I seriously advise anyone from Avast who is reading this forum - show this message to your manager, and ask to show it to the next manager, etc, until it gets to the very top. But in any case - you have really dropped the ball, and I’ll be quite interested to see how you will try to make it up to all of us (paying customers), I’m sure that there are millions of people around the world paying for Avast products.

Good luck.

Wow. I’m thoroughly disappointed in Avast. I don’t feel the “did you read the terms of service?” argument suffices. I bought the product to protect me. I counted on you to protect my privacy. You sell anti-track products (which I’ve purchased). Then I find out that the guys I bought it from duped me? This sucks. How can we trust Avast when this happens?

For the paid versions, the settings shown in the screenshot should be the default settings.

Except you’ve already been caught selling user data.

Even your new ‘opt-in’ pop up might not be valid under GDPR. You can’t use language that nudges people toward consent. Nor is the language used transparent enough in explaining what Jumpshot does with the data given to them.

Have you deleted the browsing data you collected without consent yet?

I would advise those within the UK to make a complaint to the ICO - https://ico.org.uk/make-a-complaint/