Avast: the tracker-blocker that sold the tracking

In 2024 the US Federal Trade Commission ordered Avast to pay 16.5 million dollars and banned it from selling or licensing web browsing data for advertising. Avast is the Prague-founded maker of antivirus and privacy software. The finding was that from 2014 to 2020 it collected the web-browsing data of its own users and sold it, through a subsidiary called Jumpshot, to more than a hundred other companies.

The product was the cover

Avast sold software marketed as protection against online tracking. Behind that promise it was running one of the larger tracking operations of its kind, amassing what the FTC put at more than eight petabytes of browsing history from the people who had installed it to be safer. The feature a person chose was privacy; the business behind it was the opposite.

Anonymous in name

Avast described the data it sold as de-identified. The FTC found that the browsing histories were detailed enough to be traced back to individuals, and that Avast had not adequately stripped or aggregated them. A list of the pages a person visits, timestamped and continuous, is close to a signature, which is what makes a continuous behavioural stream worth paying for in the first place. That de-identification fails on contact with detail is the finding the deanonymisation model gathers across three decades; the FTC’s version came with an order behind it.

The pattern

This is collection dressed as a feature: a tool whose stated job is to keep watchers out, quietly monetising what it saw from the inside. The betrayal is not incidental to the model. Trust in the product is what put the collector on the device.

Last reviewed: 2026-07-17.