One of the world's largest antivirus providers is ending a program that collected and sold users' Web browsing data a few days after media reports exposed the platform.

Avast CEO Ondrej Vlcek announced late Thursday the end of the data-selling subsidiary, known as Jumpshot. Writing in an open letter, he said that he and the company's board "have decided to terminate the Jumpshot data collection and wind down Jumpshot's operations, with immediate effect."

The pervasive operations of Jumpshot came to light earlier this week following reporting by Vice Motherboard and PCMag. Jumpshot described itself as "the only company that unlocks walled garden data... to provide marketers with unparalleled visibility, analytical insights and a more comprehensive understanding of the online customer journey that delivers a highly competitive advantage."

PCMag and Motherboard obtained leaked internal documents showing exactly what kind of walled-garden data Jumpshot had in mind, such as "Google searches, lookups of locations and GPS coordinates on Google Maps, people visiting companies' LinkedIn pages, particular YouTube videos, and people visiting porn websites," among other things. Avast told reporters that data collection was presented as an opt-in mechanism, but several users told Motherboard they had no idea they were opted into such a service and did not recall being asked.

One source told Motherboard that Jumpshot is, "very granular, and it's great data for these companies, because it's down to the device level with a timestamp." While the data did not include specific personal identifiers such as names, email addresses, or IP addresses, it is linked to a specific device ID which, in turn, allows Jumpshot clients to connect it back to individual users.

PC Mag provides an example of a hypothetical user, coded as abc123x, adding a rose-gold iPad to an Amazon cart at a specific time. From there, it elaborates:

At first glance, the click looks harmless. You can't pin it to an exact user. That is, unless you're Amazon.com, which could easily figure out which Amazon user bought an iPad Pro at 12:03:05 on Dec. 1, 2019. Suddenly, device ID: 123abcx is a known user. And whatever else Jumpshot has on 123abcx's activity—from other e-commerce purchases to Google searches—is no longer anonymous.

Feedback from Avast users has been swift and voluminous. The company's own Twitter account for several days has been trying to soothe angry users, repeating the message, "Please be assured, Jumpshot does not acquire any personally identifiable information from our users. We are fully compliant with GDPR & the California Consumer Privacy Act (CCPA). Users may choose to adjust their privacy levels using the settings available in our products."

In his letter, Vlcek tried to explain why Avast, which bills itself as an Internet security and privacy-protection firm, was even in the business of selling users' data.

"We started Jumpshot in 2015 with the idea of extending our data analytics capabilities beyond core security," Vlcek wrote. "This was during a period where it was becoming increasingly apparent that cybersecurity was going to be a big data game. We thought we could leverage our tools and resources to do this more securely than the countless other companies that were collecting data."

The decision to shutter Jumpshot "will regrettably impact hundreds of loyal Jumpshot employees and dozens of its customers," Vlcek added, but "it is absolutely the right thing to do" to "become aligned with that North Star," which is the company's goal to "make the world a safer place."

Better late than never?

Jumpshot is the second major privacy-related strike against Avast in recent months. Last fall, a security researcher found that Avast Online Security's browser plugin was gathering up information about the websites users visited, then transmitting back data allowing the firm to reconstruct someone's entire Web browsing history and behavior.

Google, Opera, and Mozilla pulled some Avast and AVG (which is owned by Avast) extensions from their browsers in early December, after the data harvesting came to light. They were later added back as optional extensions in Firefox after Avast made changes to the extensions' data-collection practices.

Sen. Ron Wyden (D-Ore.) asked Avast to explain itself following reports about the browser extension. The company at the time confirmed to Motherboard that it had "a brief conversation" with someone from Wyden's office, adding, "confident in our data processing practices and are happy to delve deeper into the conversation with the Senator’s office."

Upon learning Jumpshot was being axed, Wyden commended Avast for ending the program, adding, "This should be the rule, not the exception."

Wyden is one of several lawmakers attempting to get some kind of general nationwide data privacy law passed. He introduced his proposal in the Senate last October. Sens. Maria Cantwell (D-Wash.), Amy Klobuchar (D-Minn.), Ed Markey (D-Mass.), and Brian Schatz (D-Hawaii) introduced a different privacy bill a month later, shortly after Reps. Anna Eshoo and Zoe Lofgren, both California Democrats, proposed another different one in the House.

Disclosure: Condé Nast, Ars Technica's parent company, is one of the firms that received data from Jumpshot.