Back in October, Wladimir Palant, developer of the popular AdBlock Plus browser extension, published a blog post outlining how extensions from security company Avast/AVG were collecting massive amounts of data from users. In a somewhat-belated response, Google has now removed some of Avast's extensions from the Chrome Web Store.

The original blog post found that the Avast Online Security extension, which is usually installed as part of Avast's anti-virus products, transmits far more data than is necessary to check if a page is 'safe' or not. The extension was recording every page visited, how you got to the page (the referrer), your IP address and locale, and other information — all attached to a unique ID for easy tracking.

Needless to say, this level of tracking is absolutely not necessary for checking if a certain website is safe. Google's own Safe Browsing feature (which Firefox and Safari also rely on) simply downloads a list of malicious websites, so your browser can compare the pages you visit without sending network requests. Palant hypothesized that the extensive data collection was for selling to third parties, based on a section in the Avast privacy policy.

Google has now removed Avast SafePrice, Avast Online Security, and AVG SafePrice from the Chrome Web Store. However, AVG Online Security is still available. Mozilla also removed the extensions from its website (but did not blacklist already-installed copies from running), but Avast Online Security returned after the company complied with Mozilla's requirements, and the other extensions will likely return after changes are made to them.

Anti-virus products often have a reputation for being as invasive as viruses themselves, and even though there wasn't any evidence discovered that Avast's data was personally-identifiable, the data collection was still far over the top. To quote Obi-Wan, "you have become the very thing you swore to destroy."

Avast has provided the following statement to us:

Privacy is our top priority and the discussion about what is best practice in dealing with data is an ongoing one in the tech industry. We have never compromised on the security or privacy of personal data. We are listening to our users and acknowledge that we need to be more transparent with our users about what data is necessary for our security products to work, and to give them a choice in whether they wish to share their data further and for what purpose.

We made changes to our extensions including limiting the use of data and these changes are explained clearly in our Privacy Policy. Our browser extensions Avast Online Security and AVG Online Security are back on the Chrome Store, and on the Mozilla Store (since 12/17). It’s important to us that users understand that we’re listening to concerns about transparency and data use, and striving to do better and lead by example in this area.