If something is free—especially if it’s a complicated something, or something you’d probably have to pay for otherwise—the familiar saying is often true: You’re the product. It’s one of the reasons you’re always being advertised to across the web. Search engines, email services, messaging platforms, or other apps and services you fancy cost money, and companies have to recoup that somehow (and profit).
This is why I think you should reconsider using Avast’s free antivirus product. As a collaborative report from Motherboard and PCMag recently found, an Avast subsidiary, Jumpshot, scoops up data from Avast antivirus users and sells it to advertisers, who can then combine it with other data they have on your activities to track you in great detail. According to Motherboard’s article:
“Avast collects data from users that opt-in and then provides that to Jumpshot, but multiple Avast users told Motherboard they were not aware Avast sold browsing data, raising questions about how informed that consent is.
The data obtained by Motherboard and PCMag includes Google searches, lookups of locations and GPS coordinates on Google Maps, people visiting companies’ LinkedIn pages, particular YouTube videos, and people visiting porn websites. It is possible to determine from the collected data what date and time the anonymised user visited YouPorn and PornHub, and in some cases what search term they entered into the porn site and which specific video they watched.
Although the data does not include personal information such as users’ names, it still contains a wealth of specific browsing data, and experts say it could be possible to deanonymize certain users.”
Avast got nailed last year after security researcher Wladimir Palant found that the company’s browser extensions were sending your browser’s web history straight to Avast. As a result, Google, Mozilla, and Opera all removed a number of Avast’s extensions from their add-on directories until Avast cut out the offending behaviour. As Avast recently told PCMag:
“We completely discontinued the practice of using any data from the browser extensions for any other purpose than the core security engine, including sharing with Jumpshot.”
To Avast’s (slight) credit, the company does provide users a pretty obvious splash screen when asking users to share their data. However, as PCMag correctly notes, this screen doesn’t detail that companies could combine this data with other information they have about you to create a pretty accurate profile of who you are and what you do. Nor are users given any instructions on how to delete any data you’ve already shared with Avast/Jumpshot (if that’s even possible).
“Browser Cleanup is a module inside Antivirus for Desktop (Windows) which inspects the browser extensions of most browsers, tries to identify malicious extensions and offers to remove them. Browser Cleanup is on by default. You may opt-in for processing of cookie data (internal identifier (GUID), product version, time information, source browser, cookie domain, cookie name, cookie value) for trend analytics purposes, Avast consequently provides this data set from a free version of this product to enable Jumpshot to build products and services. For more information please see our Consent Policy.”
“Web Shield scans data that is transferred when you browse the internet in real-time to prevent malware from being downloaded and run on your computer. By default, Web Shield is configured to provide optimal protection when switched on. If Web Shield function is active and you opt-in for processing of data (internal identifier (GUID), product version, time information, stripped URLs (unless cached), carefully selected aspects of certain pages without identifiers, selected requests) for trend analytics purposes, Avast consequently provides this data set in a stripped and de-identified form from a free version of this product to enable Jumpshot to build products and services. For more information please see our Consent Policy.”
I’ve already installed Avast. Now what?
If you do nothing else, I recommend pulling up Avast’s settings (via Menu > Settings) and visiting the “Personal Privacy” section. Within there, uncheck every option Avast offers:
Honestly, I’d go ahead and uninstall Avast entirely, because you don’t really need a third-party virus scanner on your desktop or laptop—at least, not on Windows 10. The free antivirus app baked into your operating system, Windows Defender, is plenty potent and isn’t packaging up data on everything you do to and selling that to third-party companies.
Otherwise, you can also check out an open-source virus and malware scanner like ClamAV. I can make no promises about its privacy, but as an open-source project, it’s at least more transparent about what it’s doing than other third-party apps.
As for Mac users, the common convention is to shrug your shoulders and smile at your Windows brethren—Macs don’t get viruses, after all. Right? Not quite. Macs can get hit with viruses and malware; it’s just rarer. Less rare, possibly, if you have no common sense whatsoever and click on or download anything and everything you see on the web.
If you’re reasonable and don’t try to install things that sound strange, or grant system permissions to everything that asks for it out of the blue, you should be fine. Keep your system updated with the latest security patches, grab Malwarebytes, and run a strong ad blocker in your browser. Fire up Malwarebytes it every now and then to give yourself a quick check-up against malware and other crap, but you probably don’t need a more comprehensive virus-scanning setup than that.