UPDATE 12/5: Avast CEO Ondrej Vlcek tells PCMag's Neil J. Rubenking that "We have already implemented some of Mozilla's new requirements, and we will release further updated versions that are fully compliant and transparent per the new requirements."

He also noted that the extension takedowns occurred just 12 hours after Mozilla's announcement of its new store policies.

But what about all that data sent by the browser extensions? Vlcek went down the laundry list of data points identified by Wladimir Palant and explained each. Many, such as the referrer field, feed into URL analysis in the cloud. Some of the fields, such as the page title, aren't used and "will be removed."

Avast collects the country code for a general idea of location, in lieu of capturing the much more personal IP address. Browser type and version feed into aggregate statistics, though Vlcek said a future version will let you opt out of that feature.

As for the unique user IDs Palant reported, Vlcek confirmed they exist, but said they don't connect to any personal data. They simply let the cloud-based analysis system match reports coming from the same source.

When you install Avast, it makes a point of asking permission to gather information, specifically requesting "non-identifying data" and stating the data "is fully de-identified and aggregated and will not be used to personally identify or target you." You can click to agree or decline the sharing request.

Neil asked if declining to share data meant that Avast wouldn't use those unique identifiers. Vlcek said no, the only difference is that if you accept, Avast retains and aggregates data reported by the browser extension, while if you decline, it discards the data after use.

Just about every antivirus product includes the ability to steer your browser away from unsafe or fraudulent URLs. To do this, they must send the URLs you visit to the cloud for analysis. Yes, that means that they could construct a complete record of your browsing activity. But any actual misuse of that data by a security company would spell its destruction.

Original Story:

If you currently use the Avast Online Security, AVG Online Security, Avast SafePrice, or AVG SafePrice extensions in your browser of choice, stop. Avast has been found to be harvesting user data, which led Mozilla to remove all four extensions from its add-on site. Opera has also removed them.

As ZDNet reports, the data harvesting Avast is carrying out was first discovered by Wladimir Palant, creator of the Adblock Plus extension. In late October, Palant posted his findings and labeled Avast's browser extensions as spyware. When active, Avast receives anonymized data that "allows reconstructing your entire web browsing history and much of your browsing behavior," he said.

A new post by Palant this week confirms that both Mozilla and Opera have removed Avast's extensions from their sites; they remain on Google Chrome.

Another area of concern is the Avast Secure Browser, which has the Avast Online Security extension installed by default and hidden from the extension listing. If you use that browser, your data is being collected, Palant says.

Back in 2013, Avast acquired the company Jumpshot, which created a "clickstream data" product able to collect very detailed data from millions of online users. Palant believes it's this technology Avast is using in its browser extensions to collect the data.

An Avast spokesperson told ZDNet the following: "The Avast Online Security extension is a security tool that protects users online, including from infected websites and phishing attacks ... It is necessary for this service to collect the URL history to deliver its expected functionality. Avast does this without collecting or storing a user's identification. We have already implemented some of Mozilla's new requirements and will release further updated versions that are fully compliant and transparent per the new requirements ... These will be available as usual on the Mozilla store in the near future."

When Palant looked at the data being sent to Avast's servers, he found it included the full address of the page visited, the page title, the address of the referrer page, an identifier for the window and tab ID loading the page, how you got to the page (bookmark, typed address, etc.), whether you have visited the page before, the country code, two different unique user IDs, the browser type, and the operating system used, including version number. Other fields existed, including IP address and a hardware identifier, but they were unused at the time of review.
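To see why a stable user ID plus tab ID and page address is enough to rebuild a browsing trail, and what data minimization changes, here is an added example (not code from Avast, Palant or PCMag). The field names, sample reports and the set of fields kept by `minimize` are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed reports in arrival order. Field names are hypothetical: they mirror
# the data points listed in the article, not the extension's actual wire format.
REPORTS = [
    {"uid": "a1", "tab": 1, "url": "https://news.example/story", "title": "Story",
     "referrer": "", "origin": "typed", "country": "DE"},
    {"uid": "b2", "tab": 4, "url": "https://shop.example/cart", "title": "Cart",
     "referrer": "", "origin": "bookmark", "country": "US"},
    {"uid": "a1", "tab": 1, "url": "https://clinic.example/booking", "title": "Booking",
     "referrer": "https://news.example/story", "origin": "link", "country": "DE"},
    {"uid": "a1", "tab": 2, "url": "https://mail.example/inbox", "title": "Inbox",
     "referrer": "", "origin": "bookmark", "country": "DE"},
]

def reconstruct_trails(reports):
    """Group reports by (user ID, tab ID); arrival order is the visit order."""
    trails = defaultdict(list)
    for r in reports:
        trails[(r.get("uid"), r.get("tab"))].append(r["url"])
    return dict(trails)

def minimize(report, keep=("url", "country")):
    """Drop every field not in `keep`. The default set is this example's
    assumption; keeping "referrer" would still link each page to the previous one."""
    return {k: v for k, v in report.items() if k in keep}

def distinct_sources(reports):
    """Count how many separate senders a receiver can tell apart by user ID."""
    return len({r["uid"] for r in reports if "uid" in r})

if __name__ == "__main__":
    for key, urls in reconstruct_trails(REPORTS).items():
        print(key, " -> ".join(urls))
    stripped = [minimize(r) for r in REPORTS]
    print(distinct_sources(REPORTS), "sources before,", distinct_sources(stripped), "after")
```

With the IDs present, each user's pages fall into ordered per-tab sequences even though no name or IP address is in the data; once they are dropped, all reports land in one undifferentiated bucket.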
