After revelations about data gathering and selling, the Avast team in charge of both its popular Antivirus and other products claims that it continues to focus on the privacy of its users and that it will make some changes to clarify how it handles personal data in its services.
Avast Software s.r.o., the Czech-headquartered company, is using an extensive blog post to respond to revelations from a joint investigation by PC Mag in the United Kingdom and Motherboard in the United States.
The two publications revealed that a subsidiary called Jumpshot is selling access to information gathered from Avast products, like Antivirus and Secure Line VPN, that is specific enough that companies can use their own records to create a detailed picture of what a particular user does on the Internet.
The de-identification process used was not good enough to strip identifying details from the data, and the company even delivered device IDs to its corporate clients, which included major companies like Google, IBM, and Microsoft.
We have a more detailed explanation of the privacy issues of Avast Antivirus, which can also affect Avast Secure Line VPN, in a previous article.
Avast defends its practices as necessary
The development team explains that it cares about privacy and trust and pledges to keep working on behalf of the more than 400 million users who have chosen to use its products, encouraging them to offer feedback and to propose improvements.
A crucial paragraph in the official blog post states:
We want to reassure our users that at no time have we sold any personally identifiable information to a third party. We want to give confidence to all our users and partners that they have made the right decision to choose Avast and reassure them that their privacy is secure and their personal data safe.
Avast also says that data gathering is very important to the world of cybersecurity and that it needs data in order to use artificial intelligence to respond to threats that would not be identified by a human researcher.
The company continues to maintain that all data that has been sold via Jumpshot since 2015 was de-identified and handled in an ethical way and within legal bounds.
Avast explains that it has been testing, since July of 2019, an explicit opt-out choice for all new downloads of its products that will replace the current mechanism, which is considered to be ambiguous. The company plans to roll out the new solution to existing users soon and to allow them to have more control over their privacy choices.
The new pop-up screen includes information about Jumpshot and the fact that it sells data to third-party companies, although it makes clear that the data will never be used to target a user.
The Avast privacy scandal is focused on the meaning of identity
The initial reporting from PC Mag and Motherboard explains that the data coming from Avast via Jumpshot did not directly, on its own, identify what a user was doing when using products like Antivirus or Secure Line VPN.
But the journalists claim that the identity of a particular user can be pieced together when that logged information is paired with the other tracking data that big companies have gathered on their own.
Correlation between two sets of information can be used to essentially narrow down a search enough that only one specific user or device ID could be the one accessing a site or a service.
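The narrowing described above can be measured before a data set is released. The following is an added example, not code from Avast, Jumpshot or the original reporting; the record layout, device IDs, account labels, timestamps and URLs are all constructed assumptions. It intersects the device IDs that match each event a buyer already holds and reports the accounts that end up with exactly one candidate device.

```python
from collections import defaultdict

# Constructed "de-identified" export: device ID, timestamp, URL (no names).
EXPORT = [
    ("dev-a", "10:00:01", "shop.example/item/1"),
    ("dev-b", "10:00:01", "shop.example/item/1"),
    ("dev-a", "10:03:12", "shop.example/cart"),
    ("dev-c", "10:03:12", "shop.example/cart"),
    ("dev-b", "10:05:40", "shop.example/item/2"),
]

# Constructed records a buyer already holds about its own visitors.
BUYER_LOG = [
    ("acct-1", "10:00:01", "shop.example/item/1"),
    ("acct-1", "10:03:12", "shop.example/cart"),
    ("acct-2", "10:00:01", "shop.example/item/1"),
]


def candidate_devices(export, buyer_log):
    """Map each buyer-side account to the device IDs consistent with all its events."""
    devices_by_event = defaultdict(set)
    for device, ts, url in export:
        devices_by_event[(ts, url)].add(device)

    candidates = {}
    for account, ts, url in buyer_log:
        matches = devices_by_event.get((ts, url), set())
        if account in candidates:
            candidates[account] &= matches  # each extra event narrows the set
        else:
            candidates[account] = set(matches)
    return candidates


def linkable_accounts(export, buyer_log):
    """Accounts whose candidate set has shrunk to a single device ID."""
    found = candidate_devices(export, buyer_log)
    return {acct: next(iter(devs)) for acct, devs in found.items() if len(devs) == 1}


if __name__ == "__main__":
    for acct, devs in sorted(candidate_devices(EXPORT, BUYER_LOG).items()):
        print(acct, sorted(devs))
    print("linkable:", linkable_accounts(EXPORT, BUYER_LOG))
```

One shared event leaves two candidate devices, while two shared events leave one, which is why an export with no names in it can still fail this check.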
Meanwhile, Avast is not looking at the big picture and only focuses on its own gathered data, claiming truthfully that its own data set cannot be used to identify someone and track their activities.
Unfortunately, modern Internet users exist in a universe where both companies and governments seek to gather as much data as possible and they can then use this aggregation process to eliminate much if not all privacy.
The steps announced by Avast might convince some of their fans to continue using their Antivirus solution and their Secure Line VPN. But they are not good enough given the climate of privacy erosion we currently live in.
Those Internet users who want to maximize their chances of staying as private as possible should probably look for a new solution and make sure that its provider does not engage in the same practice of selling data that can be easily matched to create detailed personal profiles.