Cybersecurity Company Fined For Spying On Users, Selling Clickstream Data

Continuing its privacy crackdown, the Federal Trade Commission said Thursday that security company Avast had agreed to pay $16.5 million for allegedly providing consumers' web browsing data to outside companies, including Omnicom, Lotame and LiveRamp.

“While the FTC’s privacy lawsuits routinely take on firms that misrepresent their data practices, Avast’s decision to expressly market its products as safeguarding people’s browsing records and protecting data from tracking only to then sell those records is especially galling,” Chair Lina Khan said Thursday in a statement joined by Commissioners Rebecca Kelly Slaughter and Alvaro Bedoya.

Avast, which offered free malware protection, allegedly “collected highly detailed browsing data from millions of users and then, through its subsidiary Jumpshot, sold those browsing records to over a hundred clients, including major advertising firms,” the commissioners stated.

“Avast also released this data in individualized, re-identifiable form, allowing these browsing histories to be traced back to specific people -- in direct contravention of what Avast had promised,” Khan and the others added.

In addition to the fine, the settlement agreement bans Avast from selling browsing data for ad purposes, and requires it to delete any products or algorithms derived from that data.

The U.K.-based Avast stated Thursday that it disagrees with the FTC's “allegation and characterization of the facts.”

The company added that it “voluntarily” closed Jumpshot in 2020.

Privacy advocate John Davisson, director of litigation at the Electronic Privacy Information Center, cheered news of the FTC's complaint.

“We're very pleased to see this case,” he says. “It's important as an enforcement action on its own merits, and hopefully as a precedent for future action around online data.”

The FTC's privacy charges against Avast follow enforcement actions against mobile data brokers including Kochava, Outlogic (formerly X-Mode), and InMarket Media, as well as cases against online therapy service BetterHelp and prescription discounter GoodRx.

In Avast's case, allegations that the company sold consumers' clickstream data appear to have first surfaced in December 2019, prompting Mozilla to temporarily remove Avast's extensions from Firefox's add-ons site.

At around that same time, Senator Ron Wyden (R-Oregon) questioned the company over its practices.

The FTC says that after it issued Avast a demand for information, the company announced in a January 30, 2020 blog post that it was winding down Jumpshot.

The FTC's complaint alleges that between 2014 and 2020 Avast's Jumpshot subsidiary gathered users' web browsing data from software and downloadable extensions, and sold that information in non-aggregated form to outside companies.

“Many of the Jumpshot products (or 'data feeds') provided third-party data buyers with extraordinary detail regarding how consumers navigated the Internet, including each webpage visited, precise timestamp, the type of device and browser, and the city, state, and country,” the complaint alleged. “Most of the data feeds included a unique and persistent device identifier associated with each particular browser ('Jumpshot GUID'), allowing Jumpshot and the third-party buyer to trace individuals across multiple domains over time.”

The FTC also says Avast's privacy policies -- which were revised several times between 2014 and 2020 -- misrepresented its practices.

For instance, the complaint alleges that prior to October 2018, Avast said in its privacy policy that the company only collected web browsing data to identify the source of a malware infection, and that it collected “no more information than is required in order to provide full functionality.”

“The vast majority of consumers would not know that the Avast software would surveil their every move on the internet or that their browsing information might be sold to more than 100 third parties and stored indefinitely, in granular, re-identifiable form,” the FTC wrote.

The FTC adds that clickstream data -- at least when re-identifiable -- is “sensitive data.”

Browsing information reveals “consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content, and interest in prurient content,” the complaint alleges.

The complaint also includes specific allegations regarding Avast's contracts with LiveRamp, Lotame and Omnicom. 

For instance, between May 2017 and April 2019, Avast's Jumpshot gave LiveRamp a license “to use consumers’ granular browsing information, including all clicks, timestamps, persistent identifiers, and cookie values,” for ad targeting, among other purposes, according to the FTC.

Jumpshot's contract with Lotame allegedly allowed Lotame to combine its own data with Jumpshot's for ad targeting.

“The parties agreed that Jumpshot would receive a share of the revenue that Lotame earned through the targeting of consumer audiences made up of, or derived from, browsing information held by Jumpshot,” the FTC alleged.

Avast's contract with Omnicom allegedly called for Jumpshot to provide Omnicom with an “all clicks feed” for 50% of customers in the United States, United Kingdom, Mexico, Australia, Canada, and Germany.

That contract allowed Omnicom to “map out/translate” Jumpshot's user identifiers with identifiers created by the data broker Neustar, and to “match with LiveRamp,” according to the complaint.

Those terms allegedly let Omnicom associate Avast's data “with other sources of data, on an individual user basis,” and also allowed Omnicom to “'transmit, market and sublicense' to its own customers products derived from the raw data.”

“The production fee schedule stated in the first work order to the contract was approximately $2 million per year,” the FTC alleged.

The FTC hasn't accused LiveRamp, Lotame or Omnicom of wrongdoing. Those companies haven't yet responded to MediaPost's request for comment.
