The U.S. Federal Trade Commission has found Avast guilty for using its privacy apps to harvest and sell user data. The company is also banned from selling or licensing browsing data for advertising purposes.

This isn't the first time Avast has been caught for such an offense. You may recall a similar issue that happened in 2020. Motherboard (Vice) and PCMag began a joint investigation into claims that Avast had been using its subsidiary company, Jumpshot, to spy on users. The report said that Avast's security products tracked user behavior, clicks and their activity across the web. The user data which was collected through this process was then sold to more than 100 third-party companies including Google, Microsoft, Pepsi, Home Depot, McKinsey. This led to Jumpshot being shut down.

The company, based in the U.K. and Czech Republic, offers various digital products and services. Besides its in-house antivirus, Avast also owns AVG, Avira, and Norton. It also owns CCleaner, a browser called Avast Secure Browser, extensions for Firefox, Chrome. It even has multiple VPN services such as Avast SecureLine VPN, and HMA (formerly HideMyAss!).

FTC accuses Avast for failing to anonymize user data

Avast had claimed that it had anonymized the user data to protect their privacy. But, the FTC has accused the company of failing to do so. It says that Avast had unfairly collected user's browsing data through its browser extensions and antivirus software, and stored it indefinitely (on its servers), aka data harvesting. The FTC also complained that Avast had sold the consumer's data without a notice or consent from the user.

The complaint goes on to explain that Avast had promised to protect users' privacy by blocking third party trackers, but had failed to inform the consumer that it would collect, store, and sell the data to third-parties. The anonymization algorithm used by Avast had failed to remove personally identifiable information, which meant that the data had unique identifiers such as the web browser and the device that they used, websites that they visited, precise timestamps, and the city, state and Country where the user was located. The FTC alleged that the software also tracked a user's web searches including their religious beliefs, health concerns, political leanings, location, financial status, etc.

The FTC has proposed an order which prohibits Avast from selling browsing data to third-parties for advertising purposes. The company will also be required to obtain affirmative express consent from consumers, before it can sell or license the data from non-Avast products to other companies. Avast will also need to delete the web browsing data that was transferred to Jumpshot. It will also need to notify users whose browsing data was sold to third-parties without their permission. The FTC wants Avast to implement a comprehensive privacy program that addresses the issues highlighted in the complaint.

Avast has been fined $16.5 million, but that is not a huge amount, as the cybersecurity firm rakes in a couple of hundred million dollars per year as profit. PR Newswire quotes Avast's operating profit in the first half of 2022 at $172.6m. So the fine is merely a slap on the wrist. You can read the FTC's press release here.

Avast's spokesperson, Jess Monney, released a statement to The Verge saying that " We are committed to our mission of protecting and empowering people’s digital lives. While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world. "

It's a shame that Avast has fallen so low, what once used to be a stellar antivirus is now little more than a shiny piece of an advertisement that is masquerading as a security software.