Antivirus (AV) software giant Avast has announced that it will wind down one of its subsidiary businesses just days after leaked documents revealed the extent to which the Czech company was selling users’ browsing data to third parties.

On Monday, Vice and PCMag published details of how Avast had been collating browsing data covering web properties such as Google Maps and Search, LinkedIn, and YouTube and then repackaging it for sale under a subsidiary called Jumpshot, which has claimed clients such as Google, Microsoft, Yelp, Pepsi, Home Depot, and Condé Nast. Although the data was not thought to contain any personally identifiable information, it is often possible  to “de-anonymize” data by combining and aligning it with different data sets to unearth shared patterns.

Jumpshot was founded back in 2010 but officially launched from a Kickstarter-funded project in 2012. In its original guise, Jumpshot offered PC-based software that promised to rid machines of viruses, spyware, and the like, but the company was eventually bought by Avast.

According to the latest report, some Jumpshot clients paid millions of dollars for various products, including something called an “all clicks feed” that was apparently able to track user behavior such as clicks and movements between websites. For a company like Google — which has so far declined to comment on the report — this can significantly improve and measure targeted advertisements.

Avast has now said that it plans to “terminate its provision of data” to Jumpshot and will eventually pull the plug on the product altogether. This won’t impact Avast’s core products, but it will seemingly diminish a significant revenue-generating stream for the company.

VB TRansform 2020: The AI event for business leaders. San Francisco July 15 - 16

Above: Jumpshot “consumer intelligence”

Transparency

Data harvesting has played an increasingly prominent role in the online privacy debate, with the Facebook and Cambridge Analytica fiasco highlighting how digital data can be leveraged by political or commercial entities without the explicit knowledge of the users involved.

With more than 400 million users, Avast is among the top five antivirus providers globally and remains one of the industry’s best known brands. By shuttering Jumpshot, Avast is essentially trying to protect its core AV software business, particularly since the company has public shareholders to answer to following its 2018 IPO. Avast’s shares had risen by around 90% year-on-year up until this week, but in the days following Vice’s report, the company’s stock fell by 25%.

In truth, Jumpshot had made no secret of the fact that it leveraged Avast data and had previously revealed that it uses data from 100 million devices, including PCs, smartphones, and tablets. But this latest report not only highlights the extent to which the data was used, it also raises questions over how much consent users actually gave. It turns out transparency may be the bigger issue.

According to Avast, users had to opt out of the program until last year, which means that many people would not have been fully aware that they were sharing data. The company said it had “begun implementing” an opt-in choice for all new downloads from July 2019 and added that it’s also now starting to prompt existing “free” users to choose whether to share their data with Jumpshot.

Anyone installing Avast now will see this opt-in box during setup — and it does mention that it “may share” aggregated insights with its customers. Avast also told Vice that it complies with privacy regulations such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) in Europe; however that is really up for debate.

Above: Avast opt-in during setup

Indeed, GDPR specifically forbids pre-ticked opt-in boxes, and the fact that Avast chooses to highlight the “I Agree” button could be construed as an attempt to influence the user’s selection. This is what is known as “dark pattern design,” and many technology companies — including Facebook — employ similar tactics to encourage users to cede to their whims. Last year, two U.S. senators introduced a new bill that would prevent social media firms from using dark pattern interface designs.

Ultimately, the fact Avast and Jumpshot had been working together to sell user data was not a closely guarded secret, but it’s fairly clear Avast was not entirely transparent with its users.

Transparency in the tech industry is an issue that has reared its head time and time again. The underlying problem is often not so much the data-sharing practice itself, but a lack of clear disclosure. Last year, Apple and Google were forced to temporarily halt human reviews of their digital assistants’ voice data following a major privacy backlash. Here again the core issue was the companies’ failure to inform users that employees and contractors were listening in on private conversations.

Given that Avast is built around its security and privacy offerings — spanning antivirus software and VPNs, among other tools — the fact that it was sharing data with third parties is not a great look. But the lack of transparency makes the whole thing worse.

“Avast’s core mission is to keep its users safe online and to give users control over their privacy,” Acast CEO Ondrej Vlcek said. “The bottom line is that any practices that jeopardize user trust are unacceptable to Avast. We are vigilant about our users’ privacy, and we took quick action to begin winding down Jumpshot’s operations after it became evident that some users questioned the alignment of data provision to Jumpshot with our mission and principles that define us as a company.”