Avast caught selling browsing data

Martin Shelton

Principal Researcher

A dumpster on fire with a pink background
Electronic Frontier Foundation (CC BY 4.0)

It’s the Digital Security Training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone has shared this newsletter with you, please subscribe here.

In the news

Aye hearties, gangway — the Avast cor-pirates are walking the plank.

That’s because the company sold user data without consumers’ knowledge, according to the Federal Trade Commission, which ordered U.K.-based Avast Limited to pay $16.5 million and will also bar the antivirus company from selling or licensing browser data for advertisements. 

Using browser extensions and its antivirus software, Avast’s subsidiary, Jumpshot, allegedly gathered “more than eight petabytes of browsing information dating back to 2014.” This potentially sensitive data included location, health information, financial status, and more. 

According to BleepingComputer, a spokesperson says “the company has already reached a settlement with the FTC to resolve the investigation regarding the data shared with the Jumpshot subsidiary that was shut down in January 2020.” Read more.

What you can do

  • The most important practice — the digital equivalent of washing your hands — is just staying on top of your security updates to patch potential vulnerabilities in your apps and operating system. Every time you download your updates, you make an attacker’s life that much harder. Read another excellent guide from my colleague David Huerta about the story behind your software updates.
  • While antivirus software is not necessarily a bad thing, depending on what tools you are downloading, you could be giving it a wide-ranging level of permission, so you really want to be certain that you need it before installing it. If you have a Mac or PC, you already have built-in antivirus software that works quite well. On Windows, you can run a manual scan with the Windows Security "virus & threat protection” feature. On Mac, these protections largely operate behind the scenes. Read David’s blog post, which answers the question, “What about antivirus?
  • If you find yourself in a situation where you keep noticing unexpected behavior (i.e., unprompted ads, which could be a sign of malware), try out the free version of Malwarebytes for a quick scan. While there are no guarantees with this sort of thing, it will look for a lot of classic signs of less-sophisticated malware. If you feel uncomfortable with it, remove it from your computer after you’re done scanning. And if you want a second opinion from an experienced acquaintance, know that because you journalists are such special people, you attract some advanced attention that might not yet be detected by classic anti-malware tools.
  • Note that spyware might not show obvious signs you’re being spied on by an unwanted third party. After all, you can’t really spy very well if you reveal yourself. But at the end of the day, spyware is just one kind of especially awful malware. So, again, installing updates is the best thing you can do to minimize risk.

Updates from my team

We are always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there. Yo-ho-ho!

Best,

Martin

Donate to support press freedom

Your support is more important than ever.

Read more about Digital Security Digest

Apple warns iPhone users of targeted malware

On April 10, Apple sent users in 92 countries warning of mercenary malware attacks targeting the iPhone. The notification did not provide details about the identities of the attackers. According to TechCrunch, Apple warned, “This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously.”

Preparing for election-related security issues

Throughout this year, our digital security training team will share our thoughts on navigating security issues during the 2024 election season. Elections around the world experience distinct security issues that may change from year to year, but in the U.S. we look to 2020 for lessons on how to get ahead of likely issues, from surveillance of our sensitive communications to perennial phishing attacks and harassment for political reporting.

Google to delete old Chrome Incognito data

Following a class-action lawsuit over Google’s handling of user data in its Chrome browser’s “Incognito” private browsing mode, the search company will expunge “billions of event-level data records that reflect class members’ private browsing activities” improperly collected before January 2024. It also updated its Incognito landing page to highlight that even Google can discern your activities in private browsing mode. Additionally, the company will be required to delete data that makes users’ private browsing data personally identifiable, such as IP addresses.