Czech authorities are investigating antivirus vendor Avast over its sale of users’ browser histories to third-party companies.

“At the moment we are collecting information on the whole case. There is a suspicion of a serious and extensive breach of the protection of users’ personal data,” Ivana Janu, President of the Czech Office for Personal Data Protection, said in a Tuesday statement.

The Czech regulator’s “preliminary” probe into the company appears to be in response to a PCMag-Motherboard investigation into the privacy risks of Avast’s free antivirus software, which is used across the globe. The same products were also collecting users’ browser histories for an Avast subsidiary called Jumpshot, which then sold the information to major brands and market research companies.

Avast, which is based in the Czech Republic, claimed it was stripping away users’ personal details from the collected browser histories as a way to “de-identify” the data, and preserve their customers’ privacy. However, the joint investigation from PCMag and Motherboard found the contrary: The same data can actually be combined with other information to identify the web activities of individual Avast users, including their internet searches. As many as 100 million users had their data collected.

The news shook trust in Avast’s antivirus products, which prompted the company to end the data-sharing practice and terminate the Jumpshot subsidiary. However, it still remains unclear which third-party companies had access to the collected browser histories, and how the information was used. Based on Jumpshot’s own marketing, past clients included Google, Unilever, McKinsey & Co., TurboTax provider Intuit, Expedia, and Conde Nast, among many others. However, PCMag’s attempts to confirm the customer relationships were largely met with no responses.

For now, the Czech data-protection agency is remaining mum on what potential action it could take against Avast. But the agency will likely examine whether the antivirus vendor broke any privacy rules under Europe's GDPR regulations. “Based on the findings, further steps will be taken and general public will be informed in due time,” Janu said in her brief statement.

In response to the investigation, Avast told PCMag: “We are in receipt of the DPA's request and we will diligently work with the DPA in full cooperation.

“We take concern about our users' privacy very seriously, which is why we voluntarily made changes to our privacy policy in December, and made the decision to close Jumpshot last month. Avast's core mission is to keep its users' data safe online, and any practice that jeopardizes user trust is unacceptable,” the company added. “Protecting user privacy is embedded in everything we do in our business, and as such we remain focused on continuing to innovate our products for the benefit of our users and their privacy.”

Although Avast has ended the data-sharing practice, the antivirus vendor plans on “archiving” the browser histories it collected and sold through Jumpshot, rather than immediately deleting the information. One lawyer told PCMag the company may be holding on to the data in the event it faces legal action.

Further Reading

Security Reviews