Among the various products and services out there, we often find social media companies in trouble for collecting our data beyond necessity.
However, recently we’ve come to find that the products supposed to protect us – anti-virus software – are also doing the very same.
In this specific case, it was Avast & AVG Security, each with two browser extensions found spying on users: Avast Online Security, Avast SafePrice, AVG Online Security and AVG SafePrice.
This astonishing revelation came when cybersecurity researcher Wladimir Palant, who is also the creator of the Adblock Plus extension, published a blog post on 28 October detailing how Avast’s Online Security extension was collecting data about the websites one was visiting, allowing the company to build up records of your browsing history and behavior.
Since Avast acquired its arch-rival AVG not so long ago for $1.3 Billion, the latter also had identical extensions conveniently doing the same.
In fact, we also saw a connection being drawn between one of Avast’s subsidiaries, Jumpshot, and the data Avast collects from its extensions.
Thomas Brewster from Forbes published an article on 9 December elaborating on this, stating:
“Avast users have their Web activity harvested by the company’s browser extensions. But before it lands on Avast servers, the data is stripped of anything that might expose an individual’s identity, such as a name in the URL, as when a Facebook user is logged in. All that data is analyzed by Jumpshot, a company that’s 65%-owned by Avast, before being sold on as “insights” to customers.”
With this, on 2nd December, Wladimir reported this scenario to both Mozilla & Google. As a result, Mozilla immediately disabled all extension listings but did not blacklist them, stating that they were talking to Avast about this.
Then on 4th December, Wladimir also made a report to Opera, receiving a response 16 hours later stating that they had also unpublished the extensions.
Google, on the other hand, didn’t respond, but on 18th December – 16 days later – they finally removed three of these extensions, leaving AVG’s Online Security extension, which is still doing fine on their web store.
What this entire episode teaches us is to start believing in the classical old adage of “trusting no one,” not even your friendly neighborhood Avast. Perhaps, we could be kinder if their CEO Ondrej Vlcek didn’t downplay the threat here by terming it as harmless since all the data is anonymized.
We need companies to start accepting responsibility for their actions and conforming to the amount of consent users have actually given consciously, not consent shrouded under TOS agreements.
You can read more about Palant’s overall findings here, but here’s a snippet of his findings:
“When Avast Online Security extension is active, it will request information about your visited websites from an Avast server. In the process, it will transmit data that allows reconstructing your entire web browsing history and much of your browsing behavior. The amount of data being sent goes far beyond what’s necessary for the extension to function, especially if you compare to competing solutions such as Google Safe Browsing.”
What to do about these extensions in the meantime
If you’ve installed any of those four extensions in any browser you use, uninstall them. You probably don’t even need extensions to vet websites you’re visiting, because this can all be done with a little common sense.
If you still feel like you need an extension to tell you whether websites are legitimate or not, you can try using something like Windows Defender Browser Protection (for Chrome) or the slightly more complicated Application Guard Extension (for Chrome or Firefox), which dumps untrusted websites into an isolated instance of Microsoft Edge. (You’ll also have to install Edge on your system for this to work.)
As for the price-watching extensions, I can’t tell you the last time one actually saved me money on anything.
Though, were I you, I’d just do a little searching to find the best deals.
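To check a Chromium-based browser profile for the four extensions named above, the following added example (not from Palant's post or from Avast) scans an extensions folder and matches on display name, since this article gives no extension IDs. It assumes the unpacked layout `Extensions/<id>/<version>/manifest.json` and does not cover Firefox, which stores extensions as packed .xpi files.

```python
import json
import sys
from pathlib import Path

# The four extension names listed in the article, lowercased for matching.
FLAGGED = ("avast online security", "avast safeprice",
           "avg online security", "avg safeprice")


def display_name(ext_dir: Path) -> str:
    """Return the human-readable name of an unpacked extension version dir."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = manifest.get("name", "")
    # Localized manifests store "__MSG_<key>__" and keep the text in _locales.
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[6:-2].lower()
        locale = manifest.get("default_locale", "en")
        msg_file = ext_dir / "_locales" / locale / "messages.json"
        try:
            messages = json.loads(msg_file.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            return name  # keep the raw placeholder if the locale file is unusable
        # Message keys are matched case-insensitively.
        for k, v in messages.items():
            if k.lower() == key:
                return v.get("message", name)
    return name


def find_flagged(extensions_root: Path) -> list[tuple[str, str, str]]:
    """Scan <root>/<extension id>/<version>/ and return (id, version, name) hits."""
    hits = []
    for manifest in sorted(extensions_root.glob("*/*/manifest.json")):
        ext_dir = manifest.parent
        try:
            name = display_name(ext_dir)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        if any(f in name.lower() for f in FLAGGED):
            hits.append((ext_dir.parent.name, ext_dir.name, name))
    return hits


if __name__ == "__main__":
    # Usage: python find_ext.py "<browser profile>/Extensions"
    for ext_id, version, name in find_flagged(Path(sys.argv[1])):
        print(f"{name} (id {ext_id}, version {version}): uninstall")
```

Run it once per browser profile; a hit only locates the extension on disk, so removal should still be done through the browser's own extensions page.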