Back in October, Wladimir Palant, developer of the popular AdBlock Plus browser extension, published a blog post outlining how extensions from security company Avast/AVG were collecting massive amounts of data from users. In a somewhat-belated response, Google has now removed some of Avast's extensions from the Chrome Web Store.

The original blog post found that the Avast Online Security extension, which is usually installed as part of Avast's anti-virus products, transmits far more data than is necessary to check if a page is 'safe' or not. The extension was recording every page visited, how you got to the page (the referrer), your IP address and locale, and other information — all attached to a unique ID for easy tracking.

Needless to say, this level of tracking is absolutely not necessary for checking if a certain website is safe. Google's own Safe Browsing feature (which Firefox and Safari also rely on) simply downloads a list of malicious websites, so your browser can compare the pages you visit without sending network requests. Palant hypothesized that the extensive data collection was for selling to third parties, based on a section in the Avast privacy policy.

Google has now removed Avast SafePrice, Avast Online Security, and AVG SafePrice from the Chrome Web Store. However, AVG Online Security is still available. Mozilla also removed the extensions from its website (but did not blacklist already-installed copies from running), but Avast Online Security returned after the company complied with Mozilla's requirements, and the other extensions will likely return after changes are made to them.

(2 of 2) The Avast Online Security extension is a security tool that protects users online. Avast does this without collecting or storing a user's identification. Fully compliant and transparent versions will be available in the Mozilla store in the near future. — Avast (@avast_antivirus) December 11, 2019

Anti-virus products often have a reputation for being as invasive as viruses themselves, and even though there wasn't any evidence discovered that Avast's data was personally-identifiable, the data collection was still far over the top. To quote Obi-Wan, "you have become the very thing you swore to destroy."