Avast has made a huge business out of selling antivirus protection for computers and mobile devices, but more recently it was revealed that the Czech-based cybersecurity specialist was also cultivating another, more controversial, revenue stream: harvesting and selling on user data, some of which it amassed by way of those security tools.
But as of today, the latter of those businesses is no longer. Avast announced that it would be winding down Jumpshot, its $180 million marketing technology subsidiary that had been in the business of collecting data from across the web, including within walled gardens, analysing it, and then — unknown to users — selling it on to third-party customers that included tech giants like Microsoft and Google and big brands like Pepsi and Home Depot.
The significance of the incident extends beyond Avast and Jumpshot’s practices: it highlights the sometimes-obscure but very real connection between how some security technology runs the risk of stepping over the boundary into violations of privacy; and ultimately how big data is a hot commodity, a fact that potentially clouds that demarcation even more, as it did here:
“We started Jumpshot in 2015 with the idea of extending our data analytics capabilities beyond core security,” writes the CEO Ondrej Vlcek in a blog post in response to Jumpshot news. “This was during a period where it was becoming increasingly apparent that cybersecurity was going to be a big data game. We thought we could leverage our tools and resources to do this more securely than the countless other companies that were collecting data.”
Today’s news comes on the heels of a series of developments and investigations highlighting Jumpshot’s practices, stretching back to December, when Mozilla and Opera removed Avast extensions after reports that they were collecting user data and browsing histories. Avast — which has over 430 million active users — later came clean, only for a follow up investigation to get published earlier this week unveiling yet more details about the practice and the specific link to Jumpshot, which was founded in 2015 and uses data from 100 million devices.
In Avast’s announcement, it said that “plans to terminate provision of data” to Jumpshot but did not give a timeframe when when Jumpshot would completely cease to operate as part of the closure. There is still no announcement on Jumpshot’s own site.
“Jumpshot intends to continue paying its vendors and suppliers in full as necessary and in the ordinary course for products and services provided to Jumpshot during its wind down process,” the company said. “Jumpshot will be promptly notifying its customers in due course about the termination of its data services.”
Avast had a key partner in Jumpshot in the form of Ascential, the business media company that took a $60.8 million, 35% stake in the subsidiary last July, effectively valuing Jumpshot at around $177 million. An internal memo that we obtained from Ascential notes that the company has already sold its stake back to Avast for the same price, incurring no costs in the process.
Avast’s CEO Ondrej Vlcek, who joined the company 7 months ago, apologised in a separate blog post while also somewhat distancing himself from the history of the company and what it did. He noted that he identified the issues during an audit of the company when he joined (although didn’t act to change any of the practices). Perhaps more importantly, he maintained the legality of the situation:
“Jumpshot has operated as an independent company from the very beginning, with its own management and board of directors, building their products and services via the data feed coming from the Avast antivirus products,” he wrote. “During all those years, both Avast and Jumpshot acted fully within legal bounds – and we very much welcomed the introduction of GDPR in the European Union in May 2018, as it was a rigorous legal framework addressing how companies should treat customer data. Both Avast and Jumpshot committed themselves to 100% GDPR compliance.”
We have reached out to the Czech DPA to ask if it is going to be conducting any investigations around the company in relation to Jumpshot and its practices with data.
In the meantime, with the regulatory implications to one side, the incident has been a blow to Avast, which has in the last couple of days seen its shares tumble nearly 11 percent on the London Stock Exchange where it is traded. The company is currently valued around £4 billion (or $5.2 billion at today’s exchange rates).
Comment