When free means “collects your browser history”

Posted on January 31st, 2020 by Joshua Long

Back in September 2018, a number of Mac App Store apps from two different developers were found to have been collecting Web browser history without users’ consent and sending it off to developer-controlled servers. Surprisingly, one of the developers of these shady apps was a company that had been in the antivirus industry for 30 years.

One might imagine that this was a one-time incident, and that other antivirus companies would learn from the errors of their industry peer.

Sadly, a similar situation came to light this week involving yet another 30-year-old antivirus company.

In a joint investigation between Motherboard and PCMag, it was revealed that antivirus software from Avast and AVG (an Avast subsidiary) collects “a stripped and de-identified data set derived from your browsing history”—if the user consents at the time of installation of their software.

Avast Free Antivirus screenshot: “Mind sharing some data with us?” Image: PCMag

In this case, Avast did offer users the choice of whether to opt into data collection. Nevertheless, an argument could be made that the bright, default “I AGREE” button is the most obvious way to begin using the app, and many users will just keep clicking through without reading the fine print on the screen. Even users who read it might assume that since Avast is a computer security company, it must be handling data in a way that respects user privacy—and it turns out that the fine print on this screen doesn’t tell the full story anyway.

“De-identifying” or “anonymizing” such data is not an easy task—especially when the clients who want to buy that browser history want as many details as possible. Your browsing history tells a lot more about you than you might realize. As we mentioned in our article about the history-snarfing App Store apps:

Web browsing history can contain very private, personal, or sensitive information. Often it can contain personally identifiable information, or strong clues as to the exact identity of the user. It may reveal things such as home and work addresses (e.g. via Google Maps searches), medical conditions (e.g. via search engine or medical site queries), sexual preferences (e.g. via the types of dating sites visited), and a multitude of other things that should not be freely available to an app developer without obtaining the user’s explicit consent.

There’s a lot more to this story, and for what it’s worth, Avast’s CEO has issued a public apology, and stated that the company’s board of directors has decided to immediately end the collection of browser history data and to “wind down [Avast’s data-sales subsidiary] Jumpshot’s operations.” If you’re interested in additional details, you can refer to PCMag’s coverage and Motherboard’s coverage of the story, and Motherboard’s follow-up.

When companies offer free software or services, think carefully

Avast and AVG both offer “free” (as in money) antivirus software. Whenever software or services are offered for free, it’s a good idea to consider the possible motives of the offerer—especially in the case of commercial entities who give away (what appears to be) their main product. How can a commercial entity pay its employees without a revenue stream? If you cannot easily determine how a company makes money, and they offer something for free, you must consider that you (or rather, your personal data) may in fact be the product.

What about Intego?

An Intego customer (who had presumably read about the Avast story) wrote in and asked us whether we sell any personal information about our users.

We’re proud to say that our software does not collect users’ browser history, and we have no intention of ever doing so.

Furthermore, Intego does not sell or rent customers’ personal information to anyone.

Protecting our users is a core principle for us—as we believe it should be for all companies in the business of endpoint security and privacy.

How can I learn more?

This week on the Intego Mac Podcast, we discussed the Avast story along with other recent examples of “free” things that turn out to have a hidden cost.

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher and writer. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh's security research has been featured by many fine publications such as CNET, CBS News, ZDNet UK, Lifehacker, CIO, Macworld, The Register, and MacTech Magazine. Look for more of Josh's articles at security.thejoshmeister.com and follow him on Twitter.