Back in October, Wladimir Palant, developer of the popular AdBlock Plus browser extension, published a blog post outlining how extensions from security company Avast/AVG were collecting massive amounts of data from users. In a somewhat-belated response, Google has now removed some of Avast's extensions from the Chrome Web Store.
The original blog post found that the Avast Online Security extension, which is usually installed as part of Avast's anti-virus products, transmits far more data than is necessary to check if a page is 'safe' or not. The extension was recording every page visited, how you got to the page (the referrer), your IP address and locale, and other information — all attached to a unique ID for easy tracking.
Google has now removed Avast SafePrice, Avast Online Security, and AVG SafePrice from the Chrome Web Store. However, AVG Online Security is still available. Mozilla also removed the extensions from its website (but did not blacklist already-installed copies from running), but Avast Online Security returned after the company complied with Mozilla's requirements, and the other extensions will likely return after changes are made to them.
(2 of 2) The Avast Online Security extension is a security tool that protects users online. Avast does this without collecting or storing a user's identification. Fully compliant and transparent versions will be available in the Mozilla store in the near future.
— Avast (@avast_antivirus) December 11, 2019
Anti-virus products often have a reputation for being as invasive as viruses themselves, and even though there wasn't any evidence discovered that Avast's data was personally-identifiable, the data collection was still far over the top. To quote Obi-Wan, "you have become the very thing you swore to destroy."
Avast has provided the following statement to us:
Privacy is our top priority and the discussion about what is best practice in dealing with data is an ongoing one in the tech industry. We have never compromised on the security or privacy of personal data. We are listening to our users and acknowledge that we need to be more transparent with our users about what data is necessary for our security products to work, and to give them a choice in whether they wish to share their data further and for what purpose.