The Non-Financial Ledger

There is a unique kind of betrayal that occurs when the entity you hired to protect you becomes the source of your greatest violation. People install antivirus software for peace of mind. It is a digital guard dog, a lock on the door, a promise that someone is watching out for the predators lurking online. Avast sold this promise. For millions of people, many of whom paid a premium for this security, Avast positioned itself as the shield against a hostile internet. They used the language of protection, privacy, and safety to gain access to the most intimate corners of our digital lives.

This access was then weaponized. The trust you placed in their product was systematically converted into a revenue stream. Every search for a medical symptom, every application for financial aid, every private message, every guilty pleasure, every moment of vulnerability expressed through a search bar was logged, packaged, and sold. The shield was a two-way mirror. The guard dog was not just letting thieves into the house; it was leading them to the valuables, providing a detailed inventory of everything you owned and everything you feared losing. The anxiety that led you to seek protection was the very thing they monetized.

This is not a simple data breach. This was the business model. The harm is deeper than financial loss. It is the corrosion of trust in the very tools meant to empower us. It creates a chilling effect where a person must now second-guess their own protector. Is this antivirus program securing my machine, or is it cataloging my keystrokes? Is this browser extension blocking trackers, or is it the most sophisticated tracker of them all? Avast’s actions poison the well for everyone, fostering a deep, rational paranoia that makes the digital world a more hostile and isolating place.

The human cost is measured in dignity. Consider the person researching symptoms of breast cancer, as noted in the FTC’s findings. That search represents a moment of profound fear and uncertainty. Avast captured that moment and sold it. Think of the student filling out a FAFSA application, a process fraught with stress about their family’s financial future. Avast captured that, too, and sold it. They transformed human struggle into a data feed for marketing firms and investment companies. There is no line item on a balance sheet for this kind of violation, no financial penalty that can fully account for the gross indecency of turning a person’s private reality into a corporate asset.

The ultimate damage is the calculated destruction of agency. Users were given a choice between being spied on by anonymous hackers or being spied on by the company they paid to stop the hackers. In reality, there was no choice. The pop-ups and privacy policies, when they existed at all, were a masterclass in deception, using terms like “anonymous” and “aggregate” to describe data that was anything but. The system was designed to exploit trust and obscure the truth. The injury is the realization that your digital shadow—a perfect record of your thoughts and behaviors—was sold to the highest bidder by the one company that swore it would keep you safe.

Legal Receipts

The Federal Trade Commission’s complaint lays out the evidence in stark, unambiguous terms. Below are direct excerpts from the official filing, Docket No. 2023033. These are not our words; they are the government’s findings.

On Avast’s False Promises: “Respondents have claimed their software would ‘[b]lock[] annoying tracking cookies that collect data on your browsing activities’ and ‘[p]rotect your privacy by preventing . . . web services from tracking your online activity.’ In fact, from 2014 through January 2020, Respondents sold the browsing information that they purported to protect…”

On The Scale of Data Collection: “Respondents used the Avast Extensions, the Avast Secure Browser, Avast Mobile Software, and Avast Desktop Software … to collect browsing information from users of these products, including: uniform resource locators (URLs) of webpages visited; the URLs of background resources … consumers’ search queries; and the value of cookies placed on consumers’ computers by third parties.”

On Selling Your Data via Jumpshot: “From 2014 through January 2020, Jumpshot sold browsing information that Avast collected to a variety of clients, including consulting firms, investment companies, advertising companies, marketing data analytics companies, individual brands, search engine optimization firms, and data brokers.”

On The Lie of Anonymization: “Most of the data feeds included a unique and persistent device identifier associated with each particular browser (‘Jumpshot GUID’), allowing Jumpshot and the third-party buyer to trace individuals across multiple domains over time.”

On Contracts Allowing Re-Identification: “One agreement between LiveRamp and Jumpshot stated that Jumpshot would use two services: first, ‘ID Syncing Services,’ in which ‘LiveRamp and [Jumpshot] will engage in a synchronization and matching of identifiers,’ and second, ‘Data Distribution Services,’ in which ‘LiveRamp will ingest online Client Data and facilitate the distribution of Client’s Data… to third-party platforms for the purpose of performing ad targeting and measurement.'”

On The Omnicom Deal: “The contract between Jumpshot and Omnicom stated that Jumpshot would provide Omnicom with an ‘All Clicks Feed’ for 50% of its customers in the United States, United Kingdom, Mexico, Australia, Canada, and Germany. … Omnicom was ‘allowed to map out/translate Jumpshot GUIDs into [data broker Neustar’s] Neustar IDs. Customer can also match with LiveRamp.’ … The production fee schedule stated in the first work order to the contract was approximately $2 million per year.”

On The Sensitivity of The Data: “…a sample of just 100 entries out of trillions retained by Respondents showed visits by consumers to the following pages: an academic paper on a study of symptoms of breast cancer; Sen. Elizabeth Warren’s presidential candidacy announcement; a CLE course on tax exemptions; government jobs in Fort Meade, Maryland with a salary greater than $100,000; a link… to the mid-point of a FAFSA (financial aid) application; directions on Google Maps from one location to another; a Spanish-language children’s YouTube video; a link to a French dating website, including a unique member ID; and cosplay erotica.”

On Indefinite Data Hoarding: “Through the entire period that Jumpshot received browsing information from Avast, Jumpshot never deleted any of the data. By January 2020, Jumpshot had more than eight petabytes of browsing information dating back to 2014.”

Societal Impact Mapping

Environmental Degradation

The digital world has a physical cost. The eight petabytes of browsing data Avast and Jumpshot hoarded is not an abstraction floating in a cloud. It is a massive physical library stored on power-hungry servers in climate-controlled data centers that run 24/7. A petabyte is one million gigabytes. Storing this quantity of information requires an immense and continuous supply of electricity, a significant portion of which is still generated from fossil fuels. It also demands vast quantities of water for cooling systems to prevent the server racks from overheating.

This business model of perpetual surveillance and indefinite data retention is fundamentally unsustainable. Every click, every search, every URL collected from over 100 million people was added to this ever-growing digital landfill. The “tens of millions” in revenue Jumpshot generated came at a direct environmental price, externalizing the cost of their data hoarding onto a planet already straining under resource depletion and a warming climate. This is the hidden ecological tax of the surveillance economy: our private lives are not only commodified but their storage contributes to the material degradation of our shared environment.

Public Health

The collection and sale of health-related searches represents a profound threat to public health. The FTC complaint explicitly cites a user viewing a paper on “symptoms of breast cancer.” When such a sensitive search can be logged, tied to a persistent identifier, and sold to data brokers, it introduces a dangerous chilling effect. People may hesitate to research their own health conditions or those of their loved ones for fear of that information being used against them. This fear is not irrational. Such data can be used to build profiles for predatory advertising of unproven treatments, or worse, could potentially be used by insurance companies or employers to make discriminatory decisions.

A functional public health system relies on the free and private flow of information. People need to feel safe seeking knowledge about their bodies and their health. Avast’s model actively undermines this safety. By turning a user’s health concerns into a product, they discourage the very act of self-education that can lead to early detection and better health outcomes. The privacy they promised was most critical in these moments of vulnerability. Its violation threatens not only the individual user but the collective health of a society that becomes afraid to ask questions.

Economic Inequality

This scheme is a textbook example of how surveillance capitalism exacerbates economic inequality. It functions as a direct wealth transfer from ordinary people to a handful of corporations. First, many users paid Avast directly for a product that actively worked against their interests. Then, the digital byproduct of their entire lives—their consumer habits, their financial needs (like searching for financial aid via FAFSA), their career aspirations—was sold for tens of millions of dollars. That revenue represents value extracted directly from the lives of Avast’s user base, with zero compensation.

This data was then sold to clients like Omnicom, a global advertising behemoth, and data brokers like LiveRamp. These companies use the information to create hyper-targeted advertising and marketing campaigns, making their efforts to separate people from their money more ruthlessly efficient. Your own browsing history, including your financial anxieties and purchasing intentions, is weaponized and sold back to you in the form of manipulative ads. It is a closed loop of exploitation where the data generated by the populace is used to sharpen the tools that extract further wealth from them, widening the gap between the data-haves and the data-have-nots.

What Now?

While Avast shut down Jumpshot’s operations in January 2020 following public outcry and regulatory pressure, the framework of abuse remains. The executives who presided over this model for six years must be held accountable. The data, stored for years, created an indelible record of millions of lives.

Corporate Entities and Roles

• Avast Limited (United Kingdom, Parent Company)
• Avast Software s.r.o. (Czech Republic, Subsidiary)
• Jumpshot, Inc. (Delaware, The Data-Selling Arm, now defunct)
• The CEO and Board of Directors (During the 2014-2020 period)

Regulatory Watchlist

These are the agencies with the power to investigate and penalize these actions. Their work is critical.

• Federal Trade Commission (FTC)
• Department of Justice (DOJ)
• International Data Protection Authorities (e.g., UK’s ICO, EU’s EDPB)

Take Action

Relying on corporate ethics is a losing game. The only path forward is to build and support alternatives while demanding systemic change.

• Demand Robust Federal Privacy Legislation: Your data should not be a commodity. Contact your representatives and demand laws that give you ownership of your data and create harsh penalties for companies that exploit it.
• Support Open-Source, Non-Profit Tech: Investigate and use software built by community-driven, transparent organizations that are not beholden to venture capital or quarterly profit reports. Signal for messaging, Firefox for browsing, and local community networks are starting points.
• Engage in Mutual Aid: Share knowledge with your friends and family. Help less tech-savvy people in your community install and use privacy-respecting tools. Collective digital defense is our best weapon against corporate surveillance.