An antivirus program used by hundreds of millions of people around the world is selling highly sensitive web browsing data to many of the world’s biggest companies, a joint investigation by Motherboard and PCMag has found. Our report relies on leaked user data, contracts, and other company documents that show the sale of this data is both highly sensitive and is in many cases supposed to remain confidential between the company selling the data and the clients purchasing it.
The documents, from a subsidiary of the antivirus giant Avast called Jumpshot, shine new light on the secretive sale and supply chain of peoples’ internet browsing histories. They show that the Avast antivirus program installed on a person’s computer collects data, and that Jumpshot repackages it into various different products that are then sold to many of the largest companies in the world. Some past, present, and potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Condé Nast, Intuit, and many others. Some clients paid millions of dollars for products that include a so-called “All Clicks Feed,” which can track user behavior, clicks, and movement across websites in highly precise detail.
Is anybody really surprised by this? Antivirus companies have been scammers for a long time now, spreading fear and anxiety amongst primarily less knowledgeable users, tricking and scamming them into paying exorbitant amounts of money for tools that are not needed, do not work, slow computers down, and in many cases, actively harm operating systems.
Of course, with these programs running with unparalleled access to many Windows machines, we all knew antivirus companies would resort to selling user data to make an extra buck, sinking even deeper. You don’t need anything more than what your operating system provides, whether you use Windows, Linux, macOS, Android, or iOS.
I recently mentioned in another thread how companies like these are financially motivated to mislead users. They’ll do nearly anything to keep users afraid and subscribing to their “service”/providing access to their computers. This report only shines even more light on that fact. I hope nobody here is surprised. Add this news to the already countless other reasons why you *should * not * trust * any * of * these * companies.
Paranoia is profitable, who’d have think it?
Thom Holwerda,
I find this behavior despicable as well, they deserve our scrutiny, criticism, and possibly punitive damages for not being upfront with users about data collection. However you take it too far by suggesting AV has no use. Every one of us here ought to know that viruses are a non-imaginary threat. Obviously you can improve your odds if you never download anything or open attachments, etc. But for a company/household with lots of employees/family members, then the chances of a successful attack spreading through the network is significantly increased and there have been numerous breaches that demonstrate why AV is not all snakeoil. I’ve seen it first hand even at companies where employees are professional programmers. Viruses are no joke. Sometimes the machines don’t need to be vulnerable to spread the viruses themselves, but without AV they really don’t know any better than to continue to spread the virus unchecked. For example, an email/file/web server without AV can easily spread malware even if it’s isn’t technically vulnerable by itself.
So, yes give avast very harsh criticism, they absolutely deserve it! But there’s no need to exaggerate your point to make them look bad. We need to be clear: they’re bad because they violated user trust and *NOT* because A/V is fundamentally bad or unnecessary.
Viruses only affect windows. No other operating systems need this rubbish.
franko
That’s debatable. Remember that viruses don’t necessarily have to infect the OS itself in order to be dangerous or cause serious damages to user files. For example, I was affected by a PHP virus that exploited an ecommerce package on a linux server. We can argue over semantics of whether non-platform specific vulnerabilities should count against other platforms, but regardless it’s a case where AV can be useful.
Also, although I rarely execute code on my NAS and I consider it a low risk of being attacked by itself, it would be useful to have an AV scanner to detect known malicious programs to minimize the risk of my NAS storing infected software. I regularly mount the NAS from other desktop computers and execute programs that were stored on the NAS – you can see how a linux AV scanner would be useful there.
The primary attack vector these days isn’t actually hacking into the OS but rather tricking users into executing trojans, which is something that can happen on many platforms. It’s easy to blame users when it’s their actions that ultimately install the malicious code, yet when you look at the bigger picture the users actions often are justified by the task at hand, such as installing a piece of software from a source they thought was legitimate. Just because they were wrong doesn’t mean it was obvious. Malicious authors can do a really good job disguising their code as something else, even enough to fool experienced users. This is the reason many publishers started providing SHA sums to verify before running, but very few of us actually check them. While it is not perfect, AV can help.
Lastly, although I consider all platforms including windows to have gotten fairly robust in terms of core OS vulnerabilities, behavior based AV can provide an additional layer of defense for zero day attacks.
SentinelOne vs WanaCrypt0r
http://www.youtube.com/watch?v=GzUulCXl1VY
To be clear, I’m not trying to push AV on anybody, nor do I want to exaggerate the risks of not using AV, which can be fairly low for users with good practices. However nobody should be assuming that it’s just a windows problem.
This is why I use Windows Defender. It’s the only antivirus software I can tolerate. No subscriptions and no pop ups or ads.
–This is why I use Windows Defender. It’s the only antivirus software I can tolerate. No subscriptions and no pop ups or ads.–
https://www.itproportal.com/news/microsoft-wants-to-enable-users-to-sell-their-data/
There is still a problem. Microsoft is wanting to sell the data they have collected on you was well.
Basically sticking to Windows Defender instead of a third party vendor on Windows just removes 1 party who is wanting to the data on you. Please note OS X/Macos does not help you as it collects more data than Windows and Apple is not past selling it either.
So there is lot less software choice once you care about your data. Linux like Debian is it no matter how painful it is.
Thom, you wrote: “ Of course, with these programs running with unparalleled access to many Windows machines, we all knew antivirus companies would resort to selling user data to make an extra buck, sinking even deeper.”
If that’s true, why has nobody been talking about it? I think the truth is we didn’t actually suspect this. Which makes it all the more galling. As you say, virus software gets given a very special pass for complete access to your PC.
Why do you think nobody has been talking about it?
https://www.cbc.ca/news/technology/antivirus-software-1.3668746
https://arstechnica.com/information-technology/2017/01/antivirus-is-bad/
10 seconds of searching, first hits: https://www.google.com/search?q=antivirus+worse+than+virus
avgalen,
These are insightful links, however I feel it’s worth going into what’s actually going on. One the one hand, maybe someone says web filtering goes too far and file system scanning/filtering is enough. That’s a legitimate opinion. But on the other hand web filtering can potentially catch more earlier, which is also a legitimate opinion.
If you have the later opinion, there’s nothing fundamentally insecure about web filtering in principal and there can be merit with this approach. The problem for AV is that browser makers have been giving extension APIs significantly less access to the point where AV products are forced to rely on new methods to achieve web filtering in front of the browser, and this is where the SSL man in the middle vulnerabilities creep in. It IS a problem, but objectively some of the fault for this problem lies with the browser makers who eliminated the safe APIs for scanning web content.
For their part, browser makers may argue web filtering isn’t useful for AV purposes, but that’s their opinion and not strictly a fact. Secondly browser makers may argue that shutting down filtering APIs makes the browser safer from malicious extensions, which is true but it overlooks the fact that eliminating filtering APIs entirely for AV providers actually makes TLS filtering significantly less secure.
So there’s the rub, the technical solution is clearly that AV should use a safe filtering API, but the conundrum for AV providers is what to do when browser makers refuse to play nice? Maybe they should give up on web filtering rather than pursue it without cooperation from browser makers, but for anyone who finds value in realtime web scanning, the browser makers deserve some of the blame for it not being secure. Browser makers can retort that cooperating with AV products is not their problem, but alas this attitude forces all web filtering to be done outside the browser using a less secure method.
So although there’s been a PR campaign to villainize AV the truth is actually a lot more subtle.
…after having said all of this though, avast really are the villain for handling personal data in bad faith. Any trust is rightfully gone, shame on you guys!
PS. We shouldn’t let these other companies on the demand side off the hook either for their role in funding these black markets for personal information: Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Condé Nast, Intuit, and many others. It boils my blood when “reputable” companies pull this shit over and over again with our data without any consent. As unforgivable as it is though, it just keeps happening and they keep getting away with it.
https://www.bloomberg.com/news/articles/2018-08-30/google-and-mastercard-cut-a-secret-ad-deal-to-track-retail-sales
What I find most frustrating is that while these tech giants are using our personal data in secret to rake in billions, they’re absolutely destroying competitors who want to behave ethically. It’s coming to the point where businesses increasingly have to resort to selling user data just to remain competitive or risk going out of business 🙁 It’s why I believe regulation is the only way to fix the incentives and level the playing field.
https://www.youtube.com/watch?v=bKgf5PaBzyg
> You don’t need anything more than what your operating system provides, whether you use Windows, Linux, macOS, Android, or iOS.
Windows Defender is not exactly a perfect AV.
Sometimes you need to download applications from the net.
Relying on MS Defender alone is not safe.
Downloading malware doesn’t activate malware. You can have a whole fileserver full of malware without having any problems. Of course it would be better to have a scan/block during download (which every browser and Windows Defender has). The problems start when malware gets executed. At that moment Windows Defender (or any other scanner) will scan again and should block.
“Relying on MS Defender alone is not safe.”
I know a lot of people who only rely on just Microsoft Defender and haven’t had any problems at all. It performs as well as anything else. No av is “perfect”, user behavior is a major influence of how at-risk a system is. Even the best av software, if there is such a thing, isn’t going to provide total safety for reckless users, or against the endless game of cat & mouse.
I agree with Thom on his point that whatever your OS provides is likely suitable for most people.
Microsoft Defender with good computer habits is mostly enough to get out of trouble. If there’s zero day exploits, you’re out of luck anyway, so… Get some good generalized common sense from this :
https://www.youtube.com/watch?v=Nd6suQWQntg&t=1m56s
https://www.youtube.com/watch?v=A-wbzgAxaKQ&t=43s
Using Windows 7 (or any other OS for that matter) past its support deadline is extremely insecure because it’s not about virii or bad files from the internet.
The OS also has 1) Network services like file sharing 2) It parses various files 3) It renders web fonts and other types of images or video 3) It contains thousands of API calls 4) It has a kernel which manages RAM allocations, multi-threading and a lot of other system stuff (Google for Operating System functions) 5) a Lot more.
No AV on earth will ever protect you if any of the things listed above become exploitable.
OSNews comments: “we’re spewing some shat and parroting Thom and we’re not ashamed”.
Considering how many people’s PCs I’ve had to clean up after your perfectly sufficient built-in AV, ya’ll are talking BS with a straight face.
Windows Defender updates its signatures only once per 24 hours.
There are over new 8 000 viruses each day, which means you’re trailing the shat on the Internet by a whole universe of new virii.
Also, Windows Defender does not properly protect you against vulnerabilities in JPEG, PDF, MP3, doc, xls, ppt, video files which all can contain exploits for your software.
Again you must be insane if you trust Windows Defender alone and you still browse the web and download files from it. Oh, wait, nowadays most people get hacked through “bad” attachments which they receive via email/desktop versions of WhatsApp/Telegram/etc and open without thinking twice.
I’m sure as hell none of you have ever dealt with rootkits and Chrome add-ons which you can’t uninstall no matter how hard you try. I’m sure as hell none of you have ever dealt with viruses whose removal breaks Windows boot enough it becomes unbootable unless reinstalled from scratch.
God, if you don’t work in infosec, why are you giving your valuable opinion on the topic? I do understand when Thom does that because he believes he can opine about pretty much everything but maybe you should check your background before arguing with more knowledgeable people.
I personally don’t trust any AV vendor and use SandBoxie or a VM to run new untested code.
But you guys are of course Gods of infosec and Windows Defender is sufficient for everyone.
What a lot of complete and utter bullcrap on an IT website related to Operating Systems.
Luckily ya’ll are hiding behind random nondescript nicknames as a saving grace. Good for ya.
infosec? No. Have I encountered and resolved the exact same issues that you have written? Yes. Although, I’m not a fan of WInDefender, it’s the lesser o f all those evils IMO. I don’t have to give you my extensive resume, but it’s far from what you’ve portrayed the majority of OSNEWS posters. I can say this however, “Judging by your above comment, I ‘ve been in this business before you became sackjuice son.”
Uhm, my name is Arnaud van Galen. Is your name birdie?
Actually it updates it’s definitions every hour if you have a system administrator that thinks that is worth it:
To set the frequency Windows Defender updates definitions, run the command: Set-MpPreference -SignatureUpdateInterval
Where :
Specifies the interval, in hours, at which to check for definition updates. The acceptable values for this parameter are: integers from 1 through 24. If you do not specify a value for this parameter, Windows Defender checks at the default interval, which is 24 (every 24 hours)
You are correct. Chrome add-ons run as a user and can really easily be uninstalled. rootkits and other viruses that break Windows boot would not only need to run as admin, but actually as system to conquer secureboot. It would also need to remove backups and restore points. That indeed never happens to me or any of the pc’s I have been the admin on since roughly Windows 98
avgalen,
And all this time I thought you were Alen from AVG.
🙂
birdie,
Umm, you realize that most of the threats you mentioned require negligence on the part of the user, right? You understand that all of those threats can be avoided using a simple set of common sense `rules`, right? A user can protect themselves with a simple change in behavior, no fancy AV software required. Btw, how do you explain the millions of users who do just rely on Microsoft Defender and their own good habits, and don’t have problems? You must think they’re all either really super lucky or possess magical powers of protection.
While I’m sure many of us don’t work in infosec, I’m also sure that just as many of us do have experience cleaning systems, be them our own, a relatives, a friends, or whoever. It wouldn’t surprise me if most of us non-infosec workers have fixed most of your list of doom. But since `we` don’t work in infosec, none of that experience counts, right?
Btw, it’s mildly funny that “birdie” is whining about people “hiding behind random nondescript nicknames as a saving grace”. Hiding from who and saving grace from what is anyones guess.
One last thing, … There are idiots who work in all fields. You can usually identify them as being someone who thinks they have superior knowledge even though they demonstrate the opposite. They also tend to be dismissive of anyone who disagrees with their opinions. Due to insecurity they’re likely to lash out at those they think pose a threat to their self-image.
Over 95% of people out there do not understand what websites are, where they can safely enter their passwords and where they mustn’t, which programs are safe to run, whether email attachments can be malicious or not, they don’t know what even a web browser is, they do no not what or who to trust, if they visit a website and see “Your computer is infected, DOWNLOAD THIS AV IMMEDIATELY” they’ll most likely do it. They do not understand attack vendors, etc. All they know is a search bar or/and pinned websites.
And then organizations run by well-staffed/well-paid IT departments get owned all the time despite all the training because you know … TARGETED attacks which in most cases are near impossible to prevent because e.g. your SUPER DUPER AV doesn’t even know about new exploits which target kernel32.dll.
God damn it. You’re thinking too much of yourselves guys. You know just enough to keep yourself safe, yet you’ve never been personally targeted by bad actors, you follow a very strict set of rules not to get infected, you install browser add-ons which disable JS, and use various AdBlocking/bad sites blocking solutions, some of you even go as far as to run your web browser in a VM on a … remote server.
Do you really believe for a second that’s what the average Joe is even capable of?
Again, Windows Defender alone does not protect you from anything other than most obvious malware.
https://www.theregister.co.uk/2020/01/29/un_covered_up_hack/
And someone earlier in this discussion has offered a task scheduler job to update Defender definitions hourly. Are you out of your mind? How many people on Earth will inconvenience themselves with this crap?
Just stop. What Thom said was pure crap. Don’t defend him. Android and iOS are safe OS’es out of the box. Windows is NOT unless you’re an IT specialist and you have NOT been personally targeted in which case you’re f-ed regardless. Do you hear me? You’re f-ed regardless. You may have forgotten there’s a gray market for unknown vulnerabilities which are sold at up to a million USD a piece because they allow you to own a user without him even realizing that. High profile intrusions happen daily in this world. Jeff Bezos phone was recently hacked in and out by a sheikh using a simple freaking message in WhatsApp!
Security, my buttocks. There’s no security for you in this world if you’re valuable enough.
Avast :
https://www.youtube.com/watch?v=km4aKjA2T_c
Defender :
https://www.youtube.com/watch?v=VXtTgP8JkSk
Avast is baked into Huawei mobiles (under the guise of Huawei Optimiser). Should we assume our data is also being sold?
Without knowing anything about this specific “system” app: Yes, that is what you should assume. If you care you should read all the licenses that you agreed to, or contact Huawei, Avast and your seller
These 3rd free party Antivirus vendors are cancers. AVast betrayed over 400 million users’s trust. Them and AVG. If there is no justifiable business model for free software owned by a company and the need to grant access to the low level of your machine, more often than not, it’s spyware.
The price of “free”, eh?
People complaining about Avast selling information but they continue using Google, Facebook, Windows 10, Instagram, Twitter, … every day! lol 😀