Avast Antivirus Was Spying On You with Adware (Until This Week)!

[hayc59]

We warned you at the beginning of the year that many of your browser extensions are spying on you, tracking what you are visiting, and even inserting ads into pages. These aren’t just no-name developers either: even Avast, one of the most trusted antivirus vendors was in on the game.

Before we go even one step further, it’s important to note that they recently disabled the spying “shopping” feature in their browser extension. So if you are running the latest Chrome with extensions updated, you are fine. For now.

So Avast has stopped integrating the spying extension, but this is about the principle: you should be able to trust your antivirus provider. Why are they adding a feature that spies on your browsing, inserts ads… and all without properly notifying you?

 

http://www.howtogeek.com/199829/avast-antivirus-was-spying-on-you-with-adware-until-this-week/

[VegaV]

I wasn't big fan of Avast anyway. MSE or Bitdefender Free Edition + Malwarebytes products is all what I need.

 

Maybe MSE isn't that powerful, but I feel like MBAM completes it.

 

Avast is just a bloatware slowing down computer. (If you have a slow computer, you'll see it yourself). MSE + MBAM + MBAE and I don't see any slow down. Avast alone, and huge slow down.

 

And I don't care about that stupid and paid AV tests.

[VegaV]

I believe Anti-Virus, Anti-Malware and all kind of security softwares should be lightweight as possible.

[hayc59]

VLK official statement

https://forum.avast.com/?topic=157693.msg1140066#msg1140066

A couple of days ago, howtogeek.com published an article about Avast and accused us of spying on our users. Given that the article contains a number of inaccuracies I feel it is necessary to react. As these are some pretty serious allegations, I also hope that we will be given some room on their site to defend ourselves. We requested the opportunity to discuss the author’s findings, but he declined to do so.

The article basically says that Avast used the SafePrice browser extension to spy on its users. That the SafePrice extension (which they first call “adware”) collects all URLs that the user visits, and then sends them to the cloud, together with a user ID. To demonstrate the problem, they used Fiddler (a free browser monitoring tool) to dissect the requests being generated by SafePrice and found the user ID in some of the requests, concluding that the product is “spying”. Finally, they say that all of this was true up until last week when we made SafePrice a standalone extension (removed it from the main Avast Online Security extension).

Let me start by saying that Avast’s browser extensions, together with some other modules inside Avast, rely heavily on cloud functionality. That is, in the particular case of URL scanning, we do transfer the URL the user is visiting, together with additional metadata to the Avast cloud, which then does the necessary processing and synchronously returns the answer. By scanning URLs in the cloud, Avast is able to detect malicious activity, from viruses and malware, phishing and hacking. You may not realize but collecting URL information for this very purpose is extremely common in the security industry, as this information is essential to providing this kind of service.

Now, regarding Avast SafePrice. SafePrice searches the web and offers its users the best price possible when shopping online from sites we trust, safeguarding users from possible online scams. While formerly the user had to do research and visit price comparison portals, SafePrice now offers automated help to find the best and trustworthy offerings. Avast SafePrice sends data to our server regarding the products our users are looking for and the URLs they are visiting. All personally identifiable information is stripped in real time, so the shopping data is completely anonymous. Again, I don’t think this can come as a surprise to anyone – I mean, did you expect SafePrice to have all the product IDs and all the offers stored locally? That just doesn’t make sense at all.

Originally, SafePrice was indeed part of the main Avast browser extension (as the article suggests). However, as most of the people in this forum know, in July 2014 we changed the strategy and moved it to a separate extension. The installation of this extension is now completely voluntary (on an opt-in basis) and its presence doesn’t influence Avast’s efficiency to block malicious sites. Since we have made this change, SafePrice accumulated almost 3 million installs just from the Chrome Web Store alone and became the most popular shopping extension for Chrome.

By the way, the other allegation was that Avast pushes SafePrice while recommending that users remove other similar browser extensions via Avast Browser Cleanup (BCU). I have explicitly checked our BCU database of community ratings and found that all the major shopping extensions, including PriceBlink, InvisibleHand, Shoptimate, and Groupon have good ratings and are not recommended for removal by BCU. Only those that our community of users have assessed as poor are so recommended.

One of the other issues raised by the article was whether the user ID is PII (personally identifiable information) or not, and why it is being transferred. The Avast user ID is a random, machine-generated ID that is created during the installation of the product. So by itself, it is certainly not a piece of PII. And the reason we include it in the request is because context is very important. The efficacy of a security product is severely limited if requests are done without a context, i.e., if it is not possible to tie them together into a “stream”. And in the case of SafePrice, we use the user ID just to be able to count our active users. In general, we really don’t see anything bad in doing this, in fact, if we were, we would have probably tried to hide what we’re doing in some way – while, as the author of the article uncovered quite easily using Fiddler, the user ID is there just as a regular json field. Which makes me even more frustrated, as it is very likely that if we actually made the field less noticeable, the article probably wouldn’t have been written. We’re not trying to hide anything.

Now, the key is not only what information is collected, but also what is done with the collected information and how the user is informed about the collection process. Avast is committed to protecting its customers on all fronts, which is why we inform our users, even beyond our EULA and Privacy policy, that their browsing information will be collected but stripped of personally identifiable information and used to improve services, such as online web security. We actually tried to make this very, very explicit, and that’s why we have the screen (attached) in the Avast installer.

As you can see, the title of the screen says “Please Don’t Skip This – Read it Carefully”. Honestly, I don’t know how to make it more explicit than this.

If you have any additional questions, I’d be happy to answer them.

Thanks,

Vlk

[AdvancedSetup]

I cannot speak for the millions of other users (many of which probably do install the extension on purpose) but I for one do not want or need them researching safe sites for me. But I suppose for many it is a good idea that someone does. As to not being personally identifiable - come on .... what do you call a unique fingerprint code. They may not know your real name or email address but Google has proven (after first denying) that given enough research that "non identifiable" information can in fact eventually provide your real name and other information. More than likely Avast themselves does not have the resources to do so but it is certainly possible to do and unfortunately is just the way of the Web these days.

[oneeye]

Anytime you use a free product,you become the products. That's the Google way and everyone else too. If Avast wants to help direct you to safe sites to shop,then why not let them. They probably should have been a little more transparent in the beginning,but were quick to make it more apparent what was going on,which is a lot better than most software companies these days. I say,forgive them and move on,wittth or without,but that would be your loss,without.

Avast is one of the very few security venders who pay large bug bounties to help keep us safe,where does that money come from?? Monetization of course,and products for sale. And if you think you can browse the web in complete Privacy,you better think again. I for one am heading over to the site that started this to put in my two cents worth,and too chastise them for not alllowing Avast to respond!