Avast faces fine for tracking and selling user data
Claimed to protect data, but collected and sold it instead
The US Federal Trade Commission (FTC) has levelled a a $16.5 million fine against cybersecurity vendor Avast for unlawfully harvesting and selling customer data without their consent.
The fine comes after a prolonged investigation into Avast's data privacy practices, alleging a breach of trust and privacy violations affecting millions of users.
Avast, which traces its roots back to the late 1980s in Czechoslovakia, has evolved into a global cybersecurity leader, offering antivirus software and other digital security solutions.
Now under the umbrella of Gen Digital, Avast has its headquarters in both Tempe, Arizona and Prague, Czech Republic.
The FTC alleges that, from 2014 to 2020, Avast secretly collected user web browsing data through its antivirus software and browser extensions. It used this to compile a repository of sensitive data including religious beliefs, health issues, political affiliations, geographic locations and financial details.
This data was stored indefinitely and one of Avast's subsidiaries, data harvesting arm Jumpshot, sold it to over 100 third parties, including advertising, marketing, and data analytics companies, without users' knowledge or consent.
The FTC's investigation was prompted by a joint probe conducted by Motherboard and PCMag in 2020, which shed light on Avast's questionable data privacy practices.
Avast closed Jumpshot in response to the public outcry.
Despite claims of anonymisation, the FTC found that Avast failed to adequately mask users' browsing information. It sold data bundled with unique identifiers, timestamps, device/browser specifics and location data.
"Bait-and-switch surveillance"
The FTC has also accused Avast of misleading consumers by falsely claiming that its software would enhance online privacy by blocking tracking activities; when, in reality, it was engaging in tracking and data monetisation itself.
"Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite," said Samuel Levine, director of the FTC's Bureau of Consumer Protection.
"Avast's bait-and-switch surveillance tactics compromised consumers' privacy and broke the law."
FTC chair Lina Khan underscored the sensitivity of browsing data, pointing out that it can unveil highly personal information, ranging from intimate preferences to financial status and political affiliations.
In addition to the fine, the FTC's proposed order imposes strict sanctions on Avast, including a ban on misrepresenting its data practices and the prohibition of selling or licensing browsing data from Avast products to advertisers.
The company is also required to delete all browsing data acquired by Jumpshot and notify affected users of the unauthorised sale of their data.
Avast will also have to implement a comprehensive privacy program to address the misconduct.
In response to the FTC's actions, Avast said it was committed to protecting users' digital lives.
"While we disagree with the FTC's allegations and characterisation of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world," the company said in a statement.
The proposed settlement, which was approved by a 3-0 vote from the FTC, is subject to public comment for 30 days before the Commission makes a final decision.
Instructions for filing comments will be published in the Federal Register, and once processed, will be made available on Regulations.gov.