Feb 23, 2024NewsroomPrivacy / Regulatory Compliance

The U.S. Federal Trade Commission (FTC) has hit antivirus vendor Avast with a $16.5 million fine over charges that the firm sold users’ browsing data to advertisers after claiming its products would block online tracking.

In addition, the company has been banned from selling or licensing any web browsing data for advertising purposes. It will also have to notify users whose browsing data was sold to third parties without their consent.

The FTC, in its complaint, said Avast “unfairly collected consumers’ browsing information through the company’s browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent.”

It also accused the U.K.-based company of deceiving users by claiming that the software would block third-party tracking and protect users’ privacy, but failing to inform them that it would sell their “detailed, re-identifiable browsing data” to more than 100 third-parties through its Jumpshot subsidiary.

What’s more, data buyers could associate non-personally identifiable information with Avast users’ browsing information, allowing other companies to track and associate users and their browsing histories with other information they already had.

The misleading data privacy practice came to light in January 2020 following a joint investigation by Motherboard and PCMag, calling out Google, Yelp, Microsoft, McKinsey, Pepsi, Home Depot, Condé Nast, and Intuit as some of Jumpshot’s “past, present, and potential clients.”

A month before, web browsers Google Chrome, Mozilla Firefox, and Opera removed Avast’s browser add-ons from their respective stores, with prior research from security researcher Wladimir Palant in October 2019 deeming those extensions as spyware.

The data, which includes a user’s Google searches, location lookups, and internet footprint, was collected via the Avast antivirus program installed on a person’s computer without seeking their informed consent.

“Browsing data [sold by Jumpshot] included information about users’ web searches and the web pages they visited – revealing consumers’ religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information,” the FTC alleged.

Jumpshot described itself as the “only company that unlocks walled garden data,” and claimed to have data from as many as 100 million devices as of August 2018. The browsing information is said to have been collected since at least 2014.

The privacy backlash prompted Avast to “terminate the Jumpshot data collection and wind down Jumpshot’s operations, with immediate effect.”

Avast has since merged with another cybersecurity company NortonLifeLock to form a new parent company called Gen Digital, which also includes other products like AVG, Avira, and CCleaner.

“Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Avast’s bait-and-switch surveillance tactics compromised consumers’ privacy and broke the law.”

Jan 03, 2024NewsroomVoIP Service / Regulatory Compliance

The U.S. Department of Justice (DoJ) on Tuesday said it reached a settlement with VoIP service provider XCast over allegations that it facilitated illegal telemarketing campaigns since at least January 2018, in contravention of the Telemarketing Sales Rule (TSR).

In addition to prohibiting the company from violating the law, the stipulated order requires it to meet other compliance measures, including establishing a process for screening its customers and calling for potential illegal telemarketing. The order, which also imposes a $10 million civil penalty judgment, has been suspended due to XCast’s inability to pay.

“XCast provided VoIP services that transmitted billions of illegal robocalls to American consumers, including scam calls fraudulently claiming to be from government agencies,” the DoJ said in a press release.

These calls delivered prerecorded marketing messages, most of which were sent to numbers listed on the National Do Not Call Registry. To make matters worse, a majority of the calls falsely claimed to be affiliated with government entities or contained outright false or misleading information in an attempt to deceive victims into making purchases.

For instance, some of the calls claimed to be from the Social Security Administration and threatened to cut off a recipient’s utility service unless immediate payments were made. In other cases, consumers were urged to act promptly to reverse bogus credit card charges.

As part of the proposed settlement, XCast has been ordered to cut ties with firms that do not adhere to the U.S. telemarketing laws.

The U.S. Federal Trade Commission (FTC), in a statement, said the Los Angeles-based company did nothing despite being warned several times that illegal robocallers were using its services.

“The order permanently bars XCast Labs from providing VoIP services to any company with which it does not have an automated procedure to block calls that display invalid Caller ID phone numbers or that are not authenticated through the FCC’s STIR/SHAKEN Authentication Framework,” the FTC said.

The development comes as the FTC announced a ban on Response Tree from making or assisting anyone else in making robocalls or calls to phone numbers on the Do Not Call Registry.

The complaint accused the Californian company of operating more than 50 websites, such as PatriotRefi[.]com, AbodeDefense[.]com, and TheRetailRewards[.]com, which used manipulative dark patterns to “trick consumers into providing their personal information for supposed mortgage refinancing loans and other services.”

The defendants then allegedly sold the collected information of hundreds of thousands of consumers to telemarketers who used them to make millions of illegal telemarketing calls, including robocalls, to consumers across the country.