Avast CEO Downplays Collection Of 400 Million Users' Browsing Data

In an ideal world, companies that profess to be dedicated to protecting users from malware and privacy threats probably shouldn't contribute to the problem. In the world we live in however, that's often not the case--as everybody saw when Facebook tried to sell its users on a "privacy protecting VPN" that actually hoovered up their browsing data, providing insight into user behavior when they aren't using Facebook. Facebook did ultimately shut the project down, but it took a year before they were willing to do so.
Enter antivirus and security firm Avast, which has been taking heat after it was discovered that the company's services are collecting user browsing data. Back in August, Wladimir Palant, the creator behind Adblock Plus, wrote a blog post detailing how Avast Online Security and Avast Secure Browser were covertly collecting the browsing data of the Czech company's 400 million users. In response earlier this month, both Opera and Mozilla pulled Avast extensions from their respective add-on markets, though Google has lagged in any comparable response.
Hoping to calm the waters a bit, Avast CEO Ondrej Vlcek this week tells Forbes that there's no actual privacy scandal here, because the data the company collects is anonymized:
"Recently-appointed chief executive Ondrej Vlcek tells Forbes there's no privacy scandal here. All that user information that it sells cannot be traced back to individual users, he asserts. Here's how it works, according to Vlcek: Avast users have their web activity harvested by the company's browser extensions. But before it lands on Avast servers, the data is stripped of anything that might expose an individual's identity, such as a name in the URL as when a Facebook user is logged in. All that data is analysed by Jumpshot, a company that's 65%-owned by Avast, before being sold on as "insights" to customers. Those customers might be investors or brand managers."
There are several problems here. One, it's not up to the CEO of a company collecting user data to dictate what is or isn't a "privacy scandal." I mean, sure, you may not think a security and privacy company collecting the browsing data of 400 million users is a privacy scandal, but it doesn't work that way.
Two, study after study after study have showcased how anonymized data isn't actually anonymous.
Should that data get into the wild (pretty easy to do when it's being shared with an ocean of companies), it's fairly easy to compare it with existing data sets and obtain a real world identity with relatively little work. One study built a machine learning model that was able to correctly re-identify 99.98% of Americans in any anonymised dataset using just 15 characteristics including age, gender and marital status. Another study looking at vehicle data found that 15 minutes' worth of data from just brake pedal use could lead them to choose the right driver, out of 15 options, 90% of the time.
In Avast's case, researchers found their apps collected way more data than was reasonably needed, including whether you'd visited a page in the past, your browser version, your country code, your browsing URLs, the websites you navigated from, etc. If Avast Antivirus was installed, even more data was collected and shared, including the OS version of your devices.
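To make the point about "anonymized" records concrete, here is an added Python example (not from the original article, Avast, or the cited studies) that audits a data set for k-anonymity over the kinds of attributes listed above. The field names, hostnames and records are constructed assumptions; none of the records contains a name or account identifier.

```python
from collections import Counter

# Field names are assumptions modelled on the attributes the article lists.
FIELDS = ["country", "browser", "os", "referrer", "url_host"]

# Constructed sample records, one per "anonymized" user; not real data.
ROWS = [
    ("US", "Chrome 78",  "Windows 10",  "search-a.test", "news.test"),
    ("US", "Chrome 78",  "Windows 10",  "search-a.test", "shop.test"),
    ("US", "Chrome 78",  "Windows 7",   "search-b.test", "news.test"),
    ("US", "Firefox 70", "Windows 10",  "search-a.test", "news.test"),
    ("CZ", "Chrome 78",  "Windows 10",  "search-a.test", "news.test"),
    ("CZ", "Chrome 78",  "Windows 10",  "search-c.test", "shop.test"),
    ("US", "Firefox 70", "macOS 10.15", "search-a.test", "shop.test"),
    ("US", "Chrome 78",  "Windows 10",  "search-b.test", "news.test"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]


def class_sizes(records, fields):
    """For each record, how many records share its values on `fields`."""
    keys = [tuple(r[f] for f in fields) for r in records]
    counts = Counter(keys)
    return [counts[k] for k in keys]


def k_anonymity(records, fields):
    """Smallest equivalence class; k == 1 means someone is singled out."""
    return min(class_sizes(records, fields))


def unique_fraction(records, fields):
    """Share of records that are the only one with their combination."""
    sizes = class_sizes(records, fields)
    return sum(1 for s in sizes if s == 1) / len(sizes)


def audit(records, fields):
    """Add one attribute at a time and report (fields, k, unique share)."""
    return [
        (tuple(fields[:i]), k_anonymity(records, fields[:i]),
         unique_fraction(records, fields[:i]))
        for i in range(1, len(fields) + 1)
    ]


if __name__ == "__main__":
    for used, k, share in audit(RECORDS, FIELDS):
        print(f"{len(used)} field(s): k={k}, unique={share:.0%}  {used}")
```

A data owner can run the same audit on a real export before release: any attribute combination that yields k = 1 marks records that can be matched against an outside data set holding the same attributes.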
No, collecting "clickstream" data isn't the end of the world. Nor is it new. After all, nearly every ISP has been doing something similar for the last twenty years (and routinely lying about it). Still, companies that profess to be protectors of your private data should be held to a slightly higher standard than telecom, even if telecom isn't held to any real standard whatsoever.