Cyber-security firm Avast took a strong stance on its data privacy and security policy Thursday when it terminated its relationship with analytics subsidiary Jumpshot and publicly announced the wind-down of Jumpshot’s operations.
Earlier this week, Avast was accused of harvesting users’ browser histories on the pretext the data had been “de-identified” and then providing that data to Jumpshot, which in turn sold it to third parties, according to multiple media reports. Avast users were outraged, urging other users to remove Avast software (caustically referred to as “malware”) from their devices.
“Gotta love it when antivirus software gets turned toward malicious corporate intent,” one observer tweeted.
Jumpshot, which until recently touted a panel of over 100 million users’ data, analyzed consumers’ online habits by measuring their search, click, and buy patterns and delivering digital intelligence to major brands and agencies for millions of dollars. Some of Jumpshot’s notable clients include McKinsey, Revlon, Home Depot, Yelp, Expedia, Intuit, and Loreal, among many others.
Avast first addressed the reports in a blog Tuesday, justifying its 2015 launch of Jumpshot as follows: “The idea was to create an innovative way to provide marketers with trend analytics and statistics on customer purchasing habits that was de-identified, rather than specific user targeting that has been historically pervasive on the web. We knew it was critical that the browsing data be handled in an ethical way, including de-identifying personal information, and requiring that individuals would not be targeted for marketing and advertising.”
While the road may have been paved with good intentions, it is now clear the “de-identification” of data was—and remains—prone to failure. Because of the granularity of Jumpshot’s data, in many cases the age, gender, and other personally identifiable information could be inferred about “de-identified” users based on individual clicks, precise timestamps, domains, products, and behaviors. When synced up with the data troves of Jumpshot’s clients who purchased the “anonymized” consumer data, it is feasible, if not inevitable, those clients could then personally identify those users and engage in targeted advertising.
“We want to reassure our users that at no time have we sold any personally identifiable information to a third party,” Avast said Tuesday. “We want to give confidence to all our users and partners that they have made the right decision to choose Avast and reassure them that their privacy is secure and their personal data safe.”
The next day, CEO Ondrej Vlcek posted a blog in which he fell on his sword by taking personal responsibility for the scandal, apologizing, and announcing Jumpshot’s imminent dissolvement.
“When I took on the role as CEO of Avast seven months ago, I spent a lot of time re-evaluating every portion of our business,” Vlcek wrote. “During this process, I came to the conclusion that the data collection business is not in line with our privacy priorities as a company in 2020 and beyond.”
While Vlcek expressed public sympathy for the “hundreds of loyal Jumpshot employees” who would lose their jobs, he also made no mention of taking them under Avast’s wing. Jumpshot intends to continue paying its vendors and suppliers in full as necessary during its wind-down, according to Avast.