A few days ago, Howtogeek.com published an article pinpointing a slew of security flaws in Avast antivirus software. According to the blogger, Avast was spying on its users through its browser extension and its SafePrice shopping extension, using the gathered information to target ads based on the user’s browsing history, allegations that never sat well with Avast.
Avast’s Chief Operations Officer, Ondrej Vlcek, took jabs at Howtogeek.com for the unfounded “serious allegations”. In a published statement, Vlcek refuted claims that the Avast browser extension was being used to spy on users, saying it only collected URLs and other metadata to boost its functionality and improve services such as web security.
“We do transfer the URL the user is visiting, together with additional metadata to the Avast cloud,” says Vlcek. “By scanning URLs in the cloud, Avast is able to detect malicious activity, from viruses and malware, phishing and hacking. You may not realize but collecting URL information for this very purpose is extremely common in the security industry, as this information is essential to providing this kind of service.”
On Avast SafePrice, Vlcek said the extension only helped users find the best shopping offers from trustworthy sites. All shopping data collected by SafePrice is stored anonymously, as opposed to the allegations that the data gathered was being stored under credentials tied to the user’s email account, including information such as names, credit card numbers and mailing addresses.
“Avast SafePrice sends data to our server regarding the products our users are looking for and the URLs they are visiting. All personally identifiable information is stripped in real time, so the shopping data is completely anonymous. Again, I don’t think this can come as a surprise to anyone – I mean, did you expect SafePrice to have all the product IDs and all the offers stored locally? That just doesn’t make sense at all.”
Vlcek also addressed concerns that Avast only removed spyware and crapware that competed with its own shopping extension. According to the Howtogeek.com writer, Avast uninstalled shopping extensions from other vendors or recommended their removal through Avast Browser Clean Up (BCU).
“I have explicitly checked our BCU database of community ratings and found that all the major shopping extensions, including PriceBlink, InvisibleHand, Shoptimate, and Groupon have good ratings and are not recommended for removal by BCU. Only those that our community of users have assessed as poor are so recommended,” said Vlcek, responding to the allegations.
Vlcek clarified that Avast used a user ID to catalogue users in the cloud, as opposed to using personally identifiable information (PII) such as real names and addresses, as claimed by the HTG writer.
“One of the other issues raised by the article was whether the user ID is PII (personally identifiable information) or not, and why it is being transferred. The Avast user ID is a random, machine-generated ID that is created during the installation of the product. So by itself, it is certainly not a piece of PII,” said Vlcek. “In the case of SafePrice, we use the user ID just to be able to count our active users.”
“The key is not only what information is collected, but also what is done with the collected information and how the user is informed about the collection process… browsing information will be collected but stripped of personally identifiable information and used to improve services, such as online web security,” concluded Vlcek. “Honestly, I don’t know how to make it more explicit than this.”