Avast is harvesting users’ browser histories on the pretext that the data has been ‘de-identified,’ thus protecting your privacy. But the data, which is being sold to third parties, can be linked back to people’s real identities, exposing every click and search they’ve made.

Avast借用数据已被“去识别”来收集用户的浏览器历史记录，从而保护您的隐私。 但是，出售给第三方的数据可以链接回人们的真实身份，从而暴露他们进行的每次点击和搜索。

By Michael Kan

由 迈克尔·侃

Your antivirus should protect you, but what if it’s handing over your browser history to a major marketing company?

您的防病毒软件可以保护您，但是如果将您的浏览器历史记录移交给主要的营销公司怎么办？

Relax. That’s what Avast told the public after its browser extensions were found harvesting users’ data to supply to marketers. Last month, the antivirus company tried to justify the practice by claiming the collected web histories were stripped of users’ personal details before being handed off.

放松。 这就是Avast在发现其浏览器扩展程序后收集用户数据以提供给营销人员的信息。 上个月，这家反病毒公司试图证明这种做法的合理性，声称所收集的网络历史记录在被移交给用户之前已经被剥夺了用户的个人详细信息。

“The data is fully de-identified and aggregated and cannot be used to personally identify or target you,” Avast told users, who opt in to the data sharing. In return, your privacy is preserved, Avast gets paid, and online marketers get a trove of “aggregate” consumer data to help them sell more products.

选择加入数据共享的Avast告诉用户：“数据已完全取消标识和汇总，不能用于个人识别或定位您。” 作为回报，您的隐私得到保护，Avast得到报酬，在线营销人员获得大量“汇总”的消费者数据，以帮助他们销售更多产品。

There’s just one problem: What should be a giant chunk of anonymized web history data can actually be picked apart and linked back to individual Avast users, according to a joint investigation by PCMag and Motherboard.

仅存在一个问题：根据PCMag和Motherboard的联合调查，实际上可以分离出很大一部分匿名的网络历史记录数据，并将其链接回各个Avast用户。

“取消身份识别”如何失败 (How ‘De-Identification’ Can Fail)

The Avast division charged with selling the data is Jumpshot, a company subsidiary that’s been offering access to user traffic from 100 million devices, including PCs and phones. In return, clients-from big brands to e-commerce providers-can learn what consumers are buying and where, whether it be from a Google or Amazon search, an ad from a news article, or a post on Instagram.

负责销售数据的Avast部门是Jumpshot，这是公司的子公司，一直在提供来自1亿台设备(包括PC和电话)的用户访问权限。 作为回报，从大品牌到电子商务提供商的客户都可以了解消费者购买的商品以及购买地点，无论是通过Google还是Amazon搜索，新闻文章中的广告还是Instagram上的帖子。

The data collected is so granular that clients can view the individual clicks users are making on their browsing sessions, including the time down to the millisecond. And while the collected data is never linked to a person’s name, email or IP address, each user history is nevertheless assigned to an identifier called the device ID, which will persist unless the user uninstalls the Avast antivirus product.

收集的数据非常细致，客户端可以查看用户在其浏览会话中所进行的各个点击，包括时间(以毫秒为单位)。 尽管收集的数据永远不会链接到某人的姓名，电子邮件或IP地址 ，但仍将每个用户历史记录分配给一个称为设备ID的标识符，除非用户卸载Avast防病毒产品，否则该标识符将一直存在。

For instance, a single click can theoretically look like this:

例如，单次点击理论上可以看起来像这样：

At first glance, the click looks harmless. You can’t pin it to an exact user. That is, unless you’re Amazon.com, which could easily figure out which Amazon user bought an iPad Pro at 12:03:05 on Dec. 1, 2019. Suddenly, device ID: 123abcx is a known user. And whatever else Jumpshot has on 123abcx’s activity-from other e-commerce purchases to Google searches-is no longer anonymous.

乍一看，该点击看起来无害。 您无法将其固定到确切的用户。 也就是说，除非您是Amazon.com，否则可以轻松找出哪个Amazon用户在2019年12月1日12:03:05购买了iPad Pro。突然之间，设备ID：123abcx是已知用户。 Jumpshot在123abcx的活动中所具有的其他功能(从其他电子商务购买到Google搜索)都不再是匿名的。

PCMag and Motherboard learned about the details surrounding the data collection from a source familiar with Jumpshot’s products. And privacy experts we spoke to agreed the timestamp information, persistent device IDs, along with the collected URLs could be be analyzed to expose someone’s identity.

PCMag和Motherboard从熟悉Jumpshot产品的来源那里了解了有关数据收集的详细信息。 我们经过交谈的隐私专家都同意，可以对时间戳信息，持久性设备ID以及收集的URL进行分析，以揭示某人的身份。

“Most of the threats posed by de-anonymization-where you are identifying people-comes from the ability to merge the information with other data,” said Gunes Acar, a privacy researcher who studies online tracking.

“在线匿名化带来的大多数威胁(在这种情况下，您正在识别人员)都来自将信息与其他数据合并的能力，”研究在线跟踪的隐私研究人员Gunes Acar说。

He points out that major companies such as Amazon, Google, and branded retailers and marketing firms can amass entire activity logs on their users. With Jumpshot’s data, the companies have another way to trace users’ digital footprints across the internet.

他指出，亚马逊，谷歌等大型公司以及品牌零售商和营销公司可以在其用户上累积整个活动日志。 利用Jumpshot的数据，两家公司可以通过另一种方式来跟踪用户在互联网上的数字足迹。

“Maybe the (Jumpshot) data itself is not identifying people,” Acar said. “Maybe it’s just a list of hashed user IDs and some URLs. But it can always be combined with other data from other marketers, other advertisers, who can basically arrive at the real identity.”

“也许(Jumpshot)数据本身无法识别人，” Acar说。 “也许这只是哈希用户ID和一些URL的列表。 但它始终可以与其他营销商，其他广告商的其他数据结合在一起，他们基本上可以得出真实身份。”

“所有点击Feed” (The ‘All Clicks Feed’)

According to internal documents, Jumpshot offers a variety of products that serve up collected browser data in different ways. For example, one product focuses on searches that people are making, including keywords used and results that were clicked.

根据内部文件，Jumpshot提供了各种产品，这些产品以不同的方式提供收集的浏览器数据。 例如，一种产品专注于人们进行的搜索，包括使用的关键字和被点击的结果。

We viewed a snapshot of the collected data, and saw logs featuring queries on mundane, everyday topics. But there were also sensitive searches for porn-including underage sex-information no one would want tied to them.

我们查看了所收集数据的快照，并看到了日志，其中包含有关日常琐事的查询。 但是对于色情内容也有敏感的搜索，包括未成年人的性信息，没人愿意与它们联系在一起。

Other Jumpshot products are designed to track which videos users are watching on YouTube, Facebook, and Instagram. Another revolves around analyzing a select e-commerce domain to help marketers understand how users are reaching it.

其他Jumpshot产品旨在跟踪用户在YouTube，Facebook和Instagram上观看哪些视频。 另一个围绕分析一个选定的电子商务域来帮助营销人员了解用户如何到达它。

But in regards to one particular client, Jumpshot appears to have offered access to everything. In December 2018, Omnicom Media Group, a major marketing provider, signed a contract to receive what’s called the “All Clicks Feed,” or every click Jumpshot is collecting from Avast users. Normally, the All Clicks Feed is sold without device IDs “to protect against triangulation of PII (Personally Identifiable Information),” says Jumpshot’s product handbook. But when it comes to Omnicom, Jumpshot is delivering the product with device IDs attached to each click, according to the contract.

但是对于一个特定的客户，Jumpshot似乎提供了访问所有内容的权限。 在2018年12月，主要的营销提供商Omnicom Media Group签署了一份合同，以接收所谓的“所有点击提要”，或者Jumpshot从Avast用户那里收集的每次点击。 Jumpshot的产品手册说，通常，All Clicks Feed出售时不带设备ID，“以防止对PII(个人身份信息)进行三角剖分”。 但是，根据合同，在Omnicom上，Jumpshot会交付带有每次点击附加设备ID的产品。

In addition, the contract calls for Jumpshot to supply the URL string to each site visited, the referring URL, the timestamps down to the millisecond, along with the suspected age and gender of the user, which can inferred based on what sites the person is visiting.

此外，合同还要求Jumpshot向访问的每个站点提供URL字符串，引荐URL，时间戳(以毫秒为单位)以及用户的可疑年龄和性别，这可以根据用户所在的站点推断出参观。

It’s unclear why Omnicom wants the data. The company did not respond to our questions. But the contract raises the disturbing prospect Omnicom can unravel Jumpshot’s data to identify individual users.

目前尚不清楚为什么Omnicom需要数据。 该公司没有回答我们的问题。 但是该合同提出了令人不安的前景，Omnicom可以揭露Jumpshot的数据以识别个人用户。

Although Omnicom itself doesn’t own a major internet platform, the Jumpshot data is being sent to a subsidiary called Annalect, which is offering technology solutions to help companies merge their own customer information with third-party data. The three-year contract went into effect in January 2019, and gives Omnicom access to the daily click-stream data on 14 markets, including the US, India, and the UK. In return, Jumpshot gets paid $6.5 million.

尽管Omnicom本身并不拥有主要的互联网平台，但Jumpshot数据仍被发送到名为Annalect的子公司，该子公司提供技术解决方案来帮助公司将自己的客户信息与第三方数据合并。 该为期三年的合同于2019年1月生效，使Omnicom可以访问14个市场的每日点击流数据，包括美国，印度和英国。 作为回报，Jumpshot获得了650万美元的报酬。

Who else might have access to Jumpshot’s data remains unclear. The company’s website says it’s worked with other brands, including IBM, Microsoft, and Google. However, Microsoft said it has no current relationship with Jumpshot. IBM, on the other hand, has “no record” of being a client of either Avast or Jumpshot. Google did not respond to a request for comment.

尚不清楚谁还能访问Jumpshot的数据。 该公司的网站说，它与其他品牌合作，包括IBM，微软和谷歌。 但是，微软表示，它与Jumpshot没有当前关系。 另一方面，IBM没有“成为Avast或Jumpshot客户的记录”。 Google未回应置评请求。

Other clients mentioned in Jumpshot’s marketing cover consumer product companies Unilever, Nestle Purina, and Kimberly-Clark, in addition to TurboTax provider Intuit. Also named are market research and consulting firms McKinsey & Company and GfK, which declined to comment on its partnership with Jumpshot. Attempts to confirm other customer relationships were largely met with no responses. But documents we obtained show the Jumpshot data possibly going to venture capital firms.

Jumpshot营销中提到的其他客户，除了TurboTax提供商Intuit之外，还包括消费品公司联合利华，雀巢普瑞纳和金佰利-克拉克。 市场研究和咨询公司麦肯锡公司(McKinsey＆Company)和GfK也被提名，后者拒绝评论与Jumpshot的合作关系。 确认其他客户关系的尝试在很大程度上没有得到回应。 但是我们获得的文件显示Jumpshot数据可能会流向风险投资公司。

“几乎不可能去识别数据” (‘It’s Almost Impossible to De-Identify Data’)

Wladimir Palant is the security researcher who initially sparked last month’s public scrutiny of Avast’s data-collection policies. In October, he noticed something odd with the antivirus company’s browser extensions: They were logging every website visited alongside a user ID and sending the information to Avast.

安全研究员Wladimir Palant最初引发了上个月对Avast数据收集策略的公开审查。 十月份，他注意到该反病毒公司的浏览器扩展有些奇怪：它们正在记录访问的每个网站以及用户ID，并将信息发送给Avast。

The findings prompted him to call out the extensions as spyware. In response, Google and Mozilla temporarily removed them until Avast implemented new privacy protections. Still, Palant has been trying to understand what Avast means when it says it “de-identifies” and “aggregates” users’ browser histories when the antivirus company has refrained from publicly revealing the exact technical process.

调查结果促使他称这些扩展为间谍软件。 作为响应，Google和Mozilla暂时将其删除，直到Avast实施新的隐私保护。 尽管如此，当防病毒公司不公开披露确切的技术过程时，Palant一直试图理解Avast所说的“去识别”和“汇总”用户浏览器历史的含义。

“Aggregation would normally mean that data of multiple users is combined. If Jumpshot clients can still see data of individual users, that’s really bad,” Palant said in an email interview.

“聚合通常意味着将多个用户的数据合并在一起。 如果Jumpshot客户仍然可以看到单个用户的数据，那真的很糟糕，” Palant在一封电子邮件采访中说。

One safeguard Jumpshot uses to prevent clients from pinpointing the real identities of Avast users is a patented process designed to strip away PII information, such as names and email addresses, from appearing in the collected URLs. But even with the PII stripping, Palant says the data collection is still needlessly exposing Avast users to privacy risks.

Jumpshot用来防止客户端查明Avast用户真实身份的一种保护措施是一项受专利保护的过程，旨在剥夺PII信息(例如名称和电子邮件地址)出现在收集的URL中。 但是，即使剥离了PII，Palant说，数据收集仍然不必要地使Avast用户面临隐私风险。

“It is hard to imagine that any anonymization algorithm will be able to remove all the relevant data. There are simply too many websites out there, and each of them does something different,” he said. For example, Palant points out how visiting the collected URL links for one user could consistently reveal which tweets or videos the person commented on, and thus expose the user’s real identity.

“很难想象任何匿名化算法都将能够删除所有相关数据。 他说，那里的网站太多了，每个网站的功能都不一样。 例如，帕randint(Palant)指出了如何访问一个用户收集的URL链接如何始终显示该人发表了哪些推文或视频，从而暴露了该用户的真实身份。

“It’s almost impossible to de-identify data,” said Eric Goldman, co-director of the High Tech Law Institute at Santa Clara University, who also took issue with an antivirus company monetizing users’ data. “That just sounds like a terrible business practice. They’re supposed to be protecting consumers from threats, rather than exposing them to threats.”

“识别数据几乎是不可能的，”圣塔克拉拉大学高科技法律研究所联合主任埃里克·高德曼(Eric Goldman)说，他也与一家反病毒公司利用用户数据获利的问题有关。 “这听起来像是可怕的商业惯例。 他们应该保护消费者免受威胁，而不是让他们受到威胁。”

“想和我们分享一些数据吗？” (‘Mind Sharing Some Data With Us?’)

We asked Avast more than a dozen questions concerning the extent of the data collected, who it’s being shared with, along with information about the Omnicom contract. It declined to answer most of our questions or provide a contact for Jumpshot, which didn’t respond to our calls or emails. However, Avast did say it stopped collecting user data for marketing purposes via the Avast and AVG browser extensions.

我们就收集的数据的范围，与谁共享数据以及有关Omnicom合同的信息询问了Avast十几个问题。 它拒绝回答我们的大多数问题，也拒绝提供Jumpshot的联系人，而Jumpshot没有响应我们的电话或电子邮件。 但是，Avast确实表示已停止通过Avast和AVG浏览器扩展出于市场营销目的收集用户数据。

“We completely discontinued the practice of using any data from the browser extensions for any other purpose than the core security engine, including sharing with Jumpshot,” the company said in a statement.

该公司在一份声明中说：“我们完全停止了将浏览器扩展中的任何数据用于除核心安全引擎以外的任何其他目的的做法，包括与Jumpshot共享。”

Nevertheless, Avast’s Jumpshot division can still collect your browser histories through Avast’s main antivirus applications on desktop and mobile. This include AVG antivirus, which Avast also owns. The data harvesting occurs through the software’s Web Shield component, which will also scan URLs on your browser to detect malicious or fraudulent websites.

尽管如此，Avast的Jumpshot部门仍可以通过Avast在台式机和移动设备上的主要防病毒应用程序收集浏览器的历史记录。 其中包括Avast也拥有的AVG防病毒软件。 数据收集是通过该软件的Web Shield组件进行的，该组件还将扫描您浏览器上的URL以检测恶意或欺诈性网站。

For this reason, PCMag can no longer recommend Avast Free Antivirus as an Editors’ Choice in the category of free antivirus protection.

因此，PCMag将不再推荐Avast Free Antivirus作为免费防病毒保护类别中的编辑选择。

Whether the company really needs your URLs to protect you is up for debate. Avast says taking the information directly and letting Avast’s cloud servers immediately scan them provides users with “additional layers of security.” But the same approach has its own risks, according to privacy researcher Gunes Acar, who said the safest way to process visited URLs is to never collect them. Google’s Safe Browsing API, for example, sends an updated blacklist of bad websites to your machine’s browser, so the URLs can be checked on your machine rather than over the cloud.

公司是否真的需要您的URL来保护您，尚有争议。 Avast表示，直接获取信息并让Avast的云服务器立即对其进行扫描可以为用户提供“额外的安全层”。 但是，根据隐私研究人员Gunes Acar的说法，同样的方法也有其自身的风险。他说，处理访问的URL的最安全方法是永远不要收集它们。 例如， Google的安全浏览API将更新后的恶意网站黑名单发送到计算机的浏览器，因此可以在计算机上而不是通过云检查URL。

“It can be done in a more private way,” Acar said. “Avast should definitely adopt that. But it seems they’re in the business of making money from the URLs.”

“这可以以更私密的方式完成，”阿卡说。 “ Avast绝对应该采用这种做法。 但是似乎他们正在通过URL赚钱。”

On the flip side, Avast is offering a free antivirus product. The company also points out the browser history collection is optional. You can shut it off on install or within the settings panel.

另一方面，Avast提供了免费的防病毒产品。 该公司还指出，浏览器历史记录集合是可选的。 您可以在安装时或在设置面板中将其关闭。

“Users have always had the ability to opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV (antivirus), and we are now also prompting our existing free users to make an explicit choice, a process which will be completed in February 2020,” the company said.

“用户一直可以选择不使用Jumpshot共享数据。 截至2019年7月，我们已经开始对所有新下载的AV(防病毒)实施明确的选择加入选择，并且我们现在还敦促现有的免费用户做出明确选择，此过程将在2011年完成该公司表示：“ 2020年2月。

Indeed, when you install the Avast or AVG antivirus on a Windows PC, the product will show you a pop-up that asks: “Mind sharing some data with us?” The pop-up will then proceed to tell you the collected data will be de-identified and aggregated as a way to protect your privacy.

实际上，当您在Windows PC上安装Avast或AVG防病毒软件时，该产品将显示一个弹出窗口，询问您：“介意与我们共享一些数据吗？” 然后，弹出窗口将继续告诉您，收集到的数据将被取消标识并汇总，以保护您的隐私。

However, no mention is made about how the same data can be combined with other information to connect your identity to the collected browser history. Nor does the pop-up mention how Jumpshot can retain access to the data for three years. For that detail, you’ll have to look at the fine print in Avast’s privacy policy.

但是，没有提及如何将相同的数据与其他信息结合起来以将您的身份与收集的浏览器历史联系起来。 弹出窗口也没有提到Jumpshot如何将访问数据保留三年。 有关该细节，您必须查看Avast 隐私政策中的详细信息 。

As a result, users who see the pop-up may assume their data will be protected, and opt in when in reality, the privacy policies around tech products are often deliberately vague and simplified. “You want the consumer to buy or use your product. But you don’t want to scare them either,” said Kim Phan, a partner at legal firm Ballard Spahr, who works in privacy and data security group.

结果，看到弹出窗口的用户可能会认为自己的数据将受到保护，并选择加入，实际上，围绕高科技产品的隐私政策通常是故意含糊不清和简化的。 “您希望消费者购买或使用您的产品。 但是您也不想吓到他们，”隐私和数据安全部门的法律公司Ballard Spahr的合伙人Kim Phan说。

The trade-off is that the policies can become opaque. “It’s harder to figure out what you’re doing,” she added. “People won’t be able to understand the details, or they will think you are trying to hide something.”

权衡是政策可能变得不透明。 她补充说：“要弄清楚你在做什么很难。” “人们将无法理解细节，否则他们会认为您试图隐藏某些东西。”

In Avast’s case, the controversy around the largely unknown data-collection practices prompted enough scrutiny that US Sen. Ron Wyden decided to investigate. “Americans expect cybersecurity and privacy software to protect their data, not sell it to marketers,” he tweeted at the time.

在阿瓦斯特(Avast)的案例中，围绕鲜为人知的数据收集实践的争议引发了足够的审查，美国参议员罗恩·怀登(Ron Wyden) 决定进行调查。 他当时在推特上写道 ：“美国人期望网络安全和隐私软件能够保护其数据，而不是将其出售给营销商。”

In a statement, Wyden said he was encouraged that Avast is ending the data collection through the company’s browser extensions. “However I’m concerned that Avast has not yet committed to deleting user data that was collected and shared without the opt-in consent of its users, or to end the sale of sensitive internet browsing data,” he added. “The only responsible course of action is to be fully transparent with customers going forward, and to purge data that was collected under suspect conditions in the past.”

怀登在一份声明中说，他对Avast通过该公司的浏览器扩展程序结束数据收集感到鼓舞。 他补充说：“但是，我担心Avast尚未承诺删除未经其用户选择同意而收集和共享的用户数据，或终止出售敏感的互联网浏览数据。” “唯一负责任的行动是与客户保持完全透明，并清除过去在可疑情况下收集的数据。”

Originally published at https://www.pcmag.com.

最初发布在 https://www.pcmag.com 。