As we’ve learned time and time again, “free” things on the internet are almost never truly free. If you’re not paying with money, you’re probably paying with your data. That’s the case with the free antivirus products from Avast, which harvest browsing history for sale to major corporations. Despite claims that its data is fully anonymized, an investigation by our sister site PCMag and Motherboard shows how easy it is to unmask individual users.

Avast, which offers antivirus products under its own brand as well as AVG, has traditionally gotten high marks for its malware blocking prowess. When setting up the company’s free AV suite, users are asked to opt into data collection. Many do so after being assured all the data is anonymized and aggregated to protect their identities. However, Avast is collecting much more granular data than anyone expected, and that puts your privacy at risk.

Avast markets user data through its Jumpshot subsidiary, which has relationships with firms like Google, Pepsi, Microsoft, and Home Depot. PCMag and Motherboard managed to gain access to internal documents and a sample of data from Jumpshot, and they found Avast is tracking user clicks down to the second. Here’s an example of Jumpshot’s data format.

Device ID: abc123x Date: 2019/12/01 Hour Minute Second: 12:03:05 Domain: Amazon.com Product: Apple iPad Pro 10.5 – 2017 Model – 256GB, Rose Gold Behavior: Add to Cart

That doesn’t tell you anything about the person behind the clicks — unless you’re Amazon. With access to Amazon data, you could simply look for users who executed the same click or series of clicks, and now you have a name associated with the device ID. Suddenly, Avast’s data contains a full record of that user’s internet usage. Other companies can do the same by matching anonymized clicks in Avast data with their own records.

Jumpshot offers various products to customers, some of which only include a fraction of the data it collects. For example, one product focuses on searches and what the user ultimately clicked, but Jumpshot also has an “All clicks feed” that includes all its data. Jumpshot usually sells the full feed without device IDs, but it agreed to provide the data with IDs to marketing company Omnicom Media Group in late 2018. Regardless of how much data Jumpshot offers in each package, calling it anonymized is extremely misleading. Once that data is in the wild, you can’t know for sure where it will end up.

Avast recently removed the user tracking features from its Chrome extensions, but the standalone desktop programs continue to collect every click. For this reason, PCMag no longer recommends Avast Antivirus.

Now read: