A joint report from Motherboard and PCMag uncovers a secretive scheme by Avast and AVG to sell user’s data to third-parties. Leaked documents provided to the publications reveal the activities of Avast subsidiary Jumpshot, which has previously done business with Microsoft, Google, IBM, Unilever, Yelp, and many others.

When installing Avast nowadays, users are asked to agree to its terms of service and privacy policy. They are then asked if they would like to share some additional data with Avast, with the following message:

“If you allow it, we’ll provide our subsidary Jumpshot Inc. with a stripped and de-identified data set derived from your browsing history for the purpose of enabling Jumpshot to analyze markets and business trends and gather other valuable insights,” it reads. “The data is fully de-identified and cannot be used to personally identify or target you. Jumpshot may share aggregated insights with its customers.”

Despite this many customers told the publications they weren’t aware that Avast and AVG were collecting their information. This may be due to its presence right after the terms of service agreement, and due to UI design that directs user’s attention to the ‘I agree’ button. The pop-up itself also doesn’t tell users the data is retained for three years and doesn’t fully explain the situations their data will be used in.

Fully Anonymous Data Is Impossible

Even so, Motherboard says it may be possible to discern a user’s identity through the data provided to third-parties. It saw a data set that included Google searches, lookups of locations and GPS coordinates, LinkedIn pages, YouTube videos, and porn site visits, down to the specific time and search term.

Personal information such as names and email addresses are removed from the data, but that doesn’t mean it’s impossible to discern who they are. A user may visit their personal website or LinkedIn page, has a unique collection of YouTube subscriptions, and probably searches for their house on Google Maps from time to time. Avast does not change the user’s ID unless they completely re-install. Moreover, it can provide a unique timeline for each action, and advertises that it tracks every search, click, and buy on every site.

For its part, Microsoft would not comment on its purchase of products from Jumpshot, or say exactly what they were. However, it did confirm to the publications that it doesn’t currently have a relationship with the company.

For Avast and AVG, the practices are very much at odds with the messaging on the products they sell. Both companies sell VPN and anti-track services which claim to provide “true online privacy” and “stop invasive online tracking”.

“Our anti-tracking software warns you when snoopers try to follow you and stops them,” reads Avast’s Anti-track webpage.

Meanwhile, the company is doing exactly that and doesn’t warn users. In our testing, its anti-track didn’t warn about AVG or Avast collection. Its VPN webpage claims it doesn’t track the apps users use, the websites they visit, or the content they consume. While that may be true of the standalone services, there’s likely to be a significant crossover between its antivirus and VPN. In those cases, users aren’t getting the privacy they thought they paid for.