Avast was recently caught selling user's web browsing data. Sensitive data like website destinations, search terms, and even what videos customers watched were collected by Avast software residing on customers' computers. The data was repackaged and then sold by their Jumpshot subsidiary. When the investigative reporting story became public, users were instantly outraged.
Just a couple of days after the CEO made an apology and announced they were ceasing the Jumpshot data collection activities and winding down company operations.
Trust is earned in drips and lost in buckets. The Avast organization is at a pivotal point; it can either start earning back its goodwill or simply fade away. Trust is the currency of security. You cannot be successful in the security industry if you aren't trusted.
As this whole event unfolded, it got me thinking. Avast is a freemium product. It has tiered solutions with the base level being free to use and strives to get customers to opt for the more feature-rich paid versions. Many software and digital services leverage this strategy, but it is a tough model to make money or even survive as a business. I can understand how selling customer data would bring in more revenue, potentially necessary to keep a business running. If Avast is doing this, should we expect all freemium based companies to be doing the same sneaky activities that undermine their customers' privacy?
As the saying goes, nothing is free. In the case of 'free' social media, search engine, and other sites, the users themselves are the product. We have seen so many cases where data is being harvested, analyzed, repackaged, and then sold with very little insight or approval by end-users. Facebook and Google have been penalized for such actions in the past.
I think the cybersecurity and privacy industry should organize formal inspections of such products and services to showcase both reputable organizations as well as those who are acting in gray areas.
I also believe users should be given an obvious and easy path to having their data removed, be informed how the data is being used, if it has been breached, opt-out of it being sold, and the option to correct inaccuracies. The European Union (EU) General Data Protection Regulation (GDPR) and the new California Consumer Privacy Act (CCPA) goes a long way towards those ends, but the coverage is limited. Everyone in the United States and more broadly across the globe, should have Privacy as a right and benefit from basic data protection regulations.
Finally, regulators should move to mandate that companies must inform citizens when they obtain or possess their private data so people can see the whole picture of who has their private information and how that network grows. This is crucial for transparency and awareness.
This will allow consumers to reward companies that are acting responsibly with their patronage and drive economic disincentives towards those organizations that are acting in untrustworthy ways. That is the only way to create necessary market forces to sustainably encourage good behaviors that respect and protect people’s privacy.