Last week, Avast decided to stop collecting users’ browser histories from its free antivirus products following a PCMag-Motherboard investigation into the privacy risks around the data sharing. But what will happen to the existing information the company has already harvested?

Well, it won’t be immediately deleted. Avast will hold on to the collected data from Jumpshot, the now-defunct company subsidiary that was selling the browser histories to third-party firms. "With the termination of the Jumpshot business, the company's data will be securely archived,” an Avast spokesperson told PCMag in an email.

Avast hasn’t elaborated on the decision, which will probably rattle privacy-conscious users. But the company may be holding on to the data for an ironic reason: under privacy regulations in both Europe and California, the antivirus vendor is legally obligated to keep records on the data in the event a user demands to know what information was collected and who it was shared with.

"They (Avast) are probably evaluating all the legal circumstances and determining the appropriate way to go,” said Adam Solander, a partner at the legal firm King & Spalding, who specializes in data privacy law. He points to Europe’s GDPR law, along with the California Consumer Privacy Act, which went into effect last month.

"In California, for example, you have the right to understand where your data has been disclosed. If they deleted all the data, they (Avast) wouldn't be able to respond to those requests,” Solander said.

Avast's response on Twitter to a user demanding their data

Indeed, some users have been demanding the antivirus vendor tell them whether their browser histories were collected or shared with third-party companies. They’ve done so by lodging complaints on Twitter while citing GDPR and CCPA. Under the same regulations, a user can also request to be forgotten. However, the nuclear option of purging the data would immediately eliminate the risk of the data ever being used again.

"It's difficult to say what is appropriate,” Solander said. “You have your individual rights on the one hand to request the data, whereas other individuals will claim [Avast] shouldn't have the data—that it's better to destroy it than to secure the data and not use it.

"There's probably no clear answer on the correct path, given the individual rights people have under GDPR [or] CCPA,” he added.

Avast's privacy policy has been recently revised to delete any mention of Jumpshot. But the document previously said the antivirus vendor could hold on to the Jumpshot data for as long as 36 months. So an eventual purge should occur. We've asked Avast for clarification, but have heard nothing back so far.

In the meantime, the antivirus vendor maintains it did nothing illegal by collecting the browser histories, which were stripped of personal information such as names, logins and IP addresses. What Avast claims it was selling through Jumpshot was “de-identified” web traffic data to help big brands and marketers track e-commerce sales. However, a joint investigation from PCMag and Motherboard found the same browser histories could be combined with other information to reveal individual Avast users’ identities and what websites they've been visiting.

The collected data could fall under the protection of GDPR, which also covers “pseudonymized” data, or data that can be attributed back to the original user “by the use of additional information.” Still, Avast might try to argue differently, and claim the data has been "anonymized," placing it outside GDPR's scope.

"If Avast were needed to mount a legal defense, without the data, I don't know how you would be able to defend yourself," Solander added.

As many as 100 million users from across the globe had their data harvested and sent to Jumpshot. In response to the GDPR and CCPA requests, Avast has been directing users to contact the company’s data protection officer at [email protected]. One Avast user told PCMag he did so to learn what information was disclosed to Jumpshot.

“There is no excuse. My trust in them (Avast) has been lost,” said Paul, who asked that his surname not be published for privacy reasons. He’s been a user of Avast products for seven or eight years, but decided to uninstall the company’s antivirus software from both his desktop and mobile devices following PCMag-Motherboard’s investigation into the data harvesting.

So far, Avast has not responded to Paul’s request. Under GDPR rules, the company must comply within a month. “If the purpose has finished, Avast should not be retaining the data further,” he added.
