Two browsers have yanked Avast and AVG online security extensions from their web stores after a report revealed that they were unnecessarily sucking up a ton of data about users’ browsing history.
Wladimir Palant, the creator behind Adblock Plus, initially surfaced the issue—which extends to Avast Online Security and Avast SafePrice as well as Avast-owned AVG Online Security and AVG SafePrice extensions—in a blog post back in October but this week flagged the issue to the companies themselves. In response, both Mozilla and Opera yanked the extensions from their stores. However, as of Wednesday, the extensions curiously remained in Google’s extensions store.
Using dev tools to examine network traffic, Palant was able to determine that the extensions were collecting an alarming amount of data about users’ browsing history and activity, including URLs, where you navigated from, whether the page was visited in the past, the version of browser you’re using, country code, and, if the Avast Antivirus is installed, the OS version of your device, among other data. Palant argued the data collection far exceeded what was necessary for the extensions to perform their basic jobs.
At the time of Palant’s original post, the company’s privacy policy appeared to include language around this data collection that has now seemingly disappeared from the text. However, according to a version of the page archived in the Wayback Machine on November 4, that language read:
We may collect information about the computer or device you are using, our products and services running on it, and, depending on the type of device it is, what operating systems you are using, device settings, application identifiers (AI), hardware identifiers or universally unique identifiers (UUID), software identifiers, IP Address, location data, cookie IDs, and crash data (through the use of either our own analytical tools or tolls provided by third parties, such as Crashlytics or Firebase). Device and network data is connected to the installation GUID.
We collect device and network data from all users. We collect and retain only the data we need to provide functionality, monitor product and service performance, conduct research, diagnose and repair crashes, detect bugs, and fix vulnerabilities in security or operations (in other words, fulfil [sic] our contract with you to provision the service).
While the company admitted to collecting this data in this iteration of its privacy policy, it did not specify for how long it was stored in either version. A spokesperson for Avast said the policy “was rewritten in August with the goal of condensing what was previously a ~70 page document into the current much shorter version you see on our site.”
“Most of the content was duplicative, so we re-organized it to simplify for our users. This happened prior to Palant publishing his blog post and completely unrelated,” the spokesperson added. Either way, as Palant noted, “Spying on your users is clearly a violation of the terms that both Google and Mozilla make extension developers sign.” Mozilla said as much when reached for comment.
“When Mozilla becomes aware of issues that make extensions non-compliant with its add-on policies, it may remove them from addons.mozilla.org,” a spokesperson told Gizmodo by email. Opera also confirmed the plugins had been removed from its store.
“At Opera we may remove any extensions from our store that might be in breach with our terms of conditions,” a spokesperson for Opera told Gizmodo. “In such cases, we reach out to the developer and encourage them to resolve any identified issues.”
It’s unclear why they remained up in Google’s Chrome extension store as of Wednesday evening, and a spokesperson for Google didn’t immediately respond to a request for comment.
For its part, a spokesperson for Avast told Gizmodo that the company is “working with Mozilla to resolve this issue.”
“We have offered our Avast Online Security and SafePrice browser extensions for many years through the Mozilla store,” the spokesperson said. “Mozilla has recently updated its store policy and we are liaising with them in order to make the necessary adjustments to our extensions to align with new requirements. We have already implemented some of Mozilla’s new requirements and will release further updated versions that are fully compliant in the next few days.”
The spokesperson told Gizmodo by email that it’s “necessary for this service to collect the URL history to deliver its expected functionality,” but that doesn’t cut to the core of why the company at any point collected, for example, location data.
What is clear, however, is that even though there are agreements in place to prevent spyware or otherwise bad extensions from making their way to Chrome or Firefox stores, those safeguards occasionally fail. Ultimately, the responsibility often falls to individual users to keep their data safe.
Added comment from Opera and additional comment from Avast about its privacy policy changes.