Avast: The Data Selling Scandal and the Jumpshot Betrayal
Key Takeaway
In 2020, a joint investigation by Motherboard and PCMag exposed that Avast, the world’s leading free antivirus software, was secretly harvesting and selling the detailed browsing histories of its 435 million users. Through its subsidiary Jumpshot, Avast sold "All-Click" data—including specific searches for porn, medical conditions, and financial transactions—to giants like Google, Microsoft, and McKinsey. While Avast claimed the data was "anonymous," forensic researchers proved that such granular history is easily re-identifiable. This report dissects the Jumpshot API mechanics, the $16.5 Million FTC fine (2024), and the ultimate betrayal of the security industry’s core promise.
TL;DR: In 2020, a joint investigation by Motherboard and PCMag exposed that Avast, the world’s leading free antivirus software, was secretly harvesting and selling the detailed browsing histories of its 435 million users. Through its subsidiary Jumpshot, Avast sold "All-Click" data—including specific searches for porn, medical conditions, and financial transactions—to giants like Google, Microsoft, and McKinsey. While Avast claimed the data was "anonymous," forensic researchers proved that such granular history is easily re-identifiable. This report dissects the Jumpshot API mechanics, the $16.5 Million FTC fine (2024), and the ultimate betrayal of the security industry’s core promise.
📂 Intelligence Snapshot: Case File Reference
| Data Point | Official Record |
|---|---|
| Primary Entity | Avast (via Jumpshot, Inc.) |
| The Violation | Deceptive Data Harvesting / Privacy Breach / Consumer Misleading |
| The Data Set | "Every Click" history from 100 Million+ devices |
| Key Clients | Google, Microsoft, Pepsi, McKinsey, Home Depot |
| FTC Fine (2024) | $16,500,000 USD (Proposed Settlement) |
| Outcome | Shutdown of Jumpshot; Mandatory data destruction |
Introduction: The Anti-Privacy Antivirus
For nearly a decade, Avast marketed its software as a shield against hackers and data trackers. By 2019, it was installed on one in ten computers globally. However, forensic analysis of its business model revealed that the antivirus software was actually a massive "dragnet" (capture net) designed to feed a secondary, highly profitable data-mining business.
While users thought they were installing protection, they were actually installing a "Digital Spy." Avast’s software tracked every URL visited, every product searched on Amazon, and every video watched on YouTube, transmitting this data to servers in the Czech Republic where it was packaged for sale.
The Forensic Mechanics: The Jumpshot "All-Click" Data
The scandal centered on Jumpshot, a subsidiary Avast acquired and rebranded as a "marketing analytics" firm.
- The Harvesting: The Avast antivirus client and browser extensions collected data at the system level. This bypassed standard "Incognito" mode protections, as the tracking happened within the computer's OS before encryption took place.
- The Granularity: Forensic analysts who reviewed the Jumpshot sales brochures found that the company was selling "All-Click" data. This meant a buyer could see exactly when a specific user visited a specific site, what they clicked on, and how long they stayed.
- The De-Anonymization Fraud: Avast claimed the data was "de-identified." However, forensic privacy researchers proved that by cross-referencing "anonymous" browsing history with other public data (like a user's Amazon order confirmation or a social media post), it is possible to "re-identify" a specific individual with 99% accuracy.
The 2024 FTC Hammer: "Unfair and Deceptive"
In February 2024, the U.S. Federal Trade Commission (FTC) announced a landmark settlement with Avast.
- The Charges: The FTC alleged that Avast "lied" to its users by promising that its software would block tracking, while simultaneously conducting the most extensive tracking operation in the industry.
- The Fine: Avast was fined $16.5 Million and prohibited from selling or licensing any web browsing data from its antivirus products to third parties for advertising purposes.
- The Data Destruction: As part of the forensic cleanup, the FTC ordered Avast to notify all affected users and destroy any remaining data harvested through the Jumpshot network.
🔍 Forensic Indicators: Signals of 'Data Harvesting' Malpractice
The Avast case provides a definitive checklist for identifying "Security-to-Spyware" transitions:
- Unexplained Sub-Processor Growth: If a security firm acquires or launches an "Analytics" subsidiary (like Jumpshot) that suddenly generates more revenue than the core product, it is a forensic indicator of Data Monetization.
- System-Level Network Activity: Forensic network monitors look for "Outbound Data Surges." If an antivirus program is sending megabytes of encrypted data to a non-update server every hour, it is a signal of Telemetry Harvesting.
- Ambiguous Privacy Toggles: When a "Privacy" setting is buried under 4 sub-menus or uses "Double Negatives" (e.g., "Do not disable the non-tracking option"), it is a forensic indicator of Deceptive Design (Dark Patterns).
Frequently Asked Questions (FAQ)
Did Avast sell my browsing history?
If you used the free version of Avast (or their browser extension) between 2014 and 2020, it is highly likely that your data was harvested and sold through Jumpshot to companies like Google and Microsoft.
What kind of data was sold?
Almost everything: Google searches, locations from Google Maps, YouTube videos watched, and even clicks on adult websites. It was called "All-Click feed" because it tracked every single action you took online.
Why did the FTC fine them only in 2024?
The investigation into data privacy cases takes years. The FTC had to prove that Avast's actions were "unfair and deceptive" and that the "anonymous" data could actually be used to identify people.
Is Avast still safe to use today?
Avast shut down Jumpshot in 2020 and says it no longer sells user data for advertising. However, the 2024 FTC fine proves that for years, the company could not be trusted with user privacy. Many security experts now recommend using built-in tools like Windows Defender instead.
What happened to the data that was already sold?
Unfortunately, once data is sold to third parties, it is almost impossible to retrieve. While Avast was ordered to stop selling data, the billions of data points already in the hands of marketing firms and tech giants remain part of the global "digital profile" of users.
Conclusion: The Death of the 'Free' Security Model
The Avast scandal proved the old adage of the internet: "If you aren't paying for the product, you are the product." It proved that in the era of surveillance capitalism, even your "protector" can be your "predator."
For the cybersecurity world, the legacy of Jumpshot is the End of Blind Trust in Free Tools. The $16.5 million fine was a drop in the bucket for a multi-billion dollar firm, but the forensic trail of the "All-Click Feed" remains a permanent reminder: If your antivirus is watching your browser more than your files, it isn't protecting you—it is selling you. As privacy regulations like GDPR and CCPA tighten, the ghost of Jumpshot remains the definitive warning that in the digital age, a broken promise of privacy is a terminal blow to a brand's authority.
Next in The Vault: Aveeno: The 'Natural' Marketing Fraud Scandal - Forensic Analysis of 'Greenwashing' and Synthetic Ingredients
Keywords: Avast data selling scandal, Jumpshot privacy breach, Avast browser history leak, FTC fine Avast 2024, antivirus data mining forensic, Avast privacy betrayal.
Part of the SEC Enforcement Pillar
Every major SEC enforcement action documented — insider trading, accounting fraud, FCPA violations, and securities manipulation.
Explore the Full Pillar Archive →