California Consumer Privacy Act, CCPA, Compliance, Data Privacy, Data Vendor, GDPR, Investigation, Personally Identifiable Information, PII, Privacy Policy, Terms of Use, Third-party Obligations, Web Browsing

News: “Leaked Documents Expose the Secretive Market for Your Web Browsing Data”

On January 27, 2020, Vice Motherboard reported that Avast’s data-selling subsidiary, branded as Jumpshot, has been collecting and selling the browsing habits/data of millions of users through the world’s largest free antivirus programs. Jumpshot described its business as “the only company that unlocks walled garden data… to provide marketers with unparalleled visibility, analytical insights and a more comprehensive understanding of the online customer journey that delivers a highly competitive advantage.

PCMag and Vice Motherboard obtained leaked documents showing exactly what kind of data Jumpshot had access to. This included things like: Google searches, GPS locations and Google Maps coordinates, people visiting LinkedIn pages, YouTube videos, etc. The data itself did not contain PII like names, email addresses or IP addresses but was linked to specific device IDs. The specific device IDs allowed Jumpshot clients to tie the information back to individual users. Jumpshot claimed to have housed data from as many as 100 million devices. It’s clients, Google, Yelp, Pepsi, hedge funds, received data feeds which showed user clicks on individual domains. These clients pay upwards of a $1M for the deliverable.

On the end-user side, when installing the Avast or AVG antivirus program, a pop up asks “Mind sharing some data with us?”. That message then informs the end-user that the collected data will be de-identified and aggregated to protect a user’s privacy. There is no mention about how that data may be combined with other data to connect an individual’s identity to the collected browser history from the antivirus program.

This leaves us asking, what about the CCPA requirements? Or GDPR? How was Jumpshot ensuring compliance with these regulations? What role is the FTC playing in all of this currently and moving forward?

PC Mag even provided a great hypothetical (user coded as abc123x, adding a rose-gold iPad to an Amazon cart at a specific time) to demonstrate how the connection back to a specific user may occur:

Device ID: abc123x Date: 2019/12/01 Hour Minute Second: 12:03:05 Domain: Product: Apple iPad Pro 10.5 – 2017 Model – 256GB, Rose Gold Behavior: Add to Cart

At first glance, the click looks harmless. You can’t pin it to an exact user. That is, unless you’re, which could easily figure out which Amazon user bought an iPad Pro at 12:03:05 on Dec. 1, 2019. Suddenly, device ID: 123abcx is a known user. And whatever else Jumpshot has on 123abcx’s activity—from other e-commerce purchases to Google searches—is no longer anonymous.

An interesting item that was uncovered during PC Mag’s investigation is that one particular Jumpshot client, Omnicom Media Group, received access to the vendor’s ‘All Clicks Feed’ aka every single click Jumpshot collected from Avast users. That’s every click, every purchase, on every site, from all users. Omnicom also received the product with device IDs attached to each click; normally the data is intended for resale without device IDs or hashed device IDs. The contract reportedly called for Jumpshot to deliver URL strings to each site visited with timestamps, as well as inferred age and gender of the user.


Share this:

Leave a Reply