Avast and AVG collect and sell your browsing history: What you need to know
The two antivirus makers have done it for years
If you're getting something valuable for free, you're often the product. This applies to antivirus software as much as to anything else.
We've known for a few years that Avast Free Antivirus and AVG AntiVirus Free collect your browsing data and share it with third parties. That's true whether or not you installed Avast and AVG's browser extensions or secure browsers, and we have made that clear in our reviews of the products.
Avast and AVG have recently added a clearer user opt-out to prevent such data collection, although it was always possible to do so from the antivirus software's settings. If this type of data collection troubles you, please check out our roundup of the best free antivirus software.
Paying for something that's free
This is in the news due to a joint investigation by PC Magazine and Vice Motherboard, which dug into the process by which Avast Software collects and monetizes aggregated user data and posted the results today (Jan. 27).
The two stories imply that Avast and AVG's browser-history collection is secret. In fact, Avast has been fairly transparent that it collects this kind of data. Its then-CEO went so far as to detail Avast's collection software, Jumpshot, in a 2015 blog post.
Here's a screenshot from Avast Free Antivirus, collected in mid-2018, that informs the user of data collection, although it doesn't specify browsing data.
To get the details of what was collected, including browsing history, you had to go to Avast and AVG's Privacy Policy, and to opt out, you had to go into the settings.
This convoluted process has been replaced by a better, clearer message that looks like this.
"If you allow it, we'll provide our subsidiary Jumpshot Inc. with a stripped and de-identified data set derived from your browsing history for the purposes of enabling Jumpshot to analyze markets and business trends and gather other valuable insights," the dialogue box states.
We ran both the Avast Free Antivirus and AVG AntiVirus Free installers and were presented with that dialogue box either during or shortly after installation.
(We had earlier unchecked two lines on the main installer that had been checked by default: "Yes, install Avast [or AVG] Secure Browser" and "Make AVG [or Avast] Secure Browser my default browser". You should do the same.)
The risks of de-anonymization
Vice and PC Mag also found that the collected data can be fairly easily de-anonymized in some instances. They implied that enough information was transmitted to the end recipient of the data to be able to figure out, for example, who had bought a specific item on Amazon at a given time.
Unfortunately, that is a fairly commonplace occurrence with such data, no matter who collects it. For example, it's neither hard nor expensive to track individuals by collecting geolocation data from mobile ads. Still, it's another reason to opt out of Avast and AVG's data collection.
In an earlier email responding to Tom's Guide's questions, an Avast spokeswoman told us that the dialogue box first began to appear for new users in July 2019, and that it will begin to appear for existing users in February 2020.
We're glad to see that Avast and AVG are being more transparent about what's going on when you install their free antivirus software. We've asked an Avast spokesperson if there's any other kind of user data that's collected and passed on to third parties and will update this story once we receive a reply.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.