
The data is heavily anonymized and aggregated before selling. Avast is a Czech company under GDPR with regulators breathing on its neck. “Selling data to Google” is true as much as when my GitHub project is cloned by a Google guy and I claim it’s used by Google :)

It’s a free product and it’s written in T&S, why is Vice so sensational?

EDIT: Calm it, I was proven wrong about the EULA



> The data obtained by Motherboard and PCMag includes Google searches, lookups of locations and GPS coordinates on Google Maps, people visiting companies' LinkedIn pages, particular YouTube videos, and people visiting porn websites.

> "It's very granular, and it's great data for these companies, because it's down to the device level with a timestamp," the source said, referring to the specificity and sensitivity of the data being sold

> Jumpshot gave Omnicom access to all click feeds[...] The product includes [...] "the entire URL string"

> A set of Jumpshot data obtained by Motherboard and PCMag shows how each visited URL comes with a precise timestamp down to the millisecond, which could allow a company with its own bank of customer data to see one user visiting their own site, and then follow them across other sites in the Jumpshot data.

How can you _possibly_ anonymise that at scale? Maybe someone searches an email address, or searches a unique phrase, such as a nickname, that identifies them. If someone makes multiple searches for directions from/to a particular place, it's probably their home or work. If you are logged in to a company's site, they likely know exactly who you are, and can correlate their logs with the Jumpshot logs (URL+millisecond timestamp could very well be unique) to follow you across other sites. The article notes that some products include "inferred gender" and "inferred age" - what _else_ can you infer from the provided data that may be enough to ID you?

Even if they _aren't_ directly selling it, it's an uncomfortable amount of information for a company to have (at best).
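The linkage risk raised in the comment above can be measured before a clickstream is released. This is an added example, not part of the thread: the sample records, the function names and the one-hour bucket are constructed assumptions. It counts records whose (URL, timestamp) key is produced by only one device, at full and at reduced granularity.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample clickstream (device, URL, epoch milliseconds); not real data.
CLICKS = [
    ("dev-a", "https://shop.example/cart?session=111", 1580000000123),
    ("dev-a", "https://maps.example/dir?from=home&to=work", 1580000004456),
    ("dev-b", "https://shop.example/cart?session=222", 1580000000789),
    ("dev-b", "https://video.example/watch?v=abc", 1580000900000),
    ("dev-c", "https://shop.example/cart?session=333", 1580001200000),
    ("dev-c", "https://video.example/watch?v=abc", 1580001500999),
]

HOUR_MS = 3_600_000


def release_key(url, ts_ms, bucket_ms, keep_query):
    """Build the (URL, time bucket) pair a data buyer would see for one click."""
    parts = urlsplit(url)
    shown = url if keep_query else f"{parts.scheme}://{parts.netloc}{parts.path}"
    return shown, ts_ms // bucket_ms


def linkable_records(clicks, bucket_ms=1, keep_query=True):
    """Count records whose released key is produced by exactly one device.

    Such a record can be matched by anyone holding their own log of the
    same URL and time, which is the correlation the comment describes.
    """
    devices_per_key = defaultdict(set)
    for device, url, ts_ms in clicks:
        devices_per_key[release_key(url, ts_ms, bucket_ms, keep_query)].add(device)
    return sum(
        1
        for device, url, ts_ms in clicks
        if len(devices_per_key[release_key(url, ts_ms, bucket_ms, keep_query)]) == 1
    )


if __name__ == "__main__":
    for bucket, query in [(1, True), (1, False), (HOUR_MS, True), (HOUR_MS, False)]:
        n = linkable_records(CLICKS, bucket, query)
        print(f"bucket={bucket}ms keep_query={query}: {n}/{len(CLICKS)} records unique")
```

On this sample, hourly buckets with query strings removed still leave some records unique to one device, so coarsening reduces the risk without removing it.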


I can see how the data could be anonymised, but when Google get it, the access time, coupled with the referer (sic.) info, could completely de-anonymise some data for Google, e.g. you arrived there from a Google search.


We regularly call out random browser extensions doing the same thing, it's not sensationalized to call out a top 10 manufacturer in the "security" space on this behaviour. Anonymization of search histories has, time and time again, been shown to be largely ineffective.

https://www.avast.com/eula does not mention Jumpshot and grepping around does not indicate any sensible anonymization and aggregation efforts, just the default legalese whereas the demo video on https://www.jumpshot.com/solutions/industry/retail leads me to believe that while they might not tie histories to a single user, they show statistics like "XX% of users shopping at A, went on to buy at B" which indicates at least some level of unaggregated data / tracking.

If the Vice article is to be believed, that's certainly enough to at least raise an eyebrow. The opt-in the article talks about is likely to be an underspecified mess that's intended to deceive the user; this functionality has simply no place in an AV package. Let's not act like it's hard to get users to press a shiny green button these days. That might be found GDPR compliant in court, but it's still not morally right.


You’re correct about the EULA, any idea when it was last changed? I’ll look into this and correct myself, but since I know a few people working there, I heard stories about the process and how regulated it is.


The top of that page says "Version 1.11 (Revised April 1, 2019)", the history seems to be this (linked at the bottom): https://www.avast.com/eula-legacy

I'll give them the benefit of the doubt but if the Vice report is accurate, the business practice needs changing, not their terms of service.


No way this is GDPR compliant.


Yeah. But courts are relatively slow. It will likely take half a decade before they get to face real consequences?



