FTC对Avast施以1650万美元罚款

The U.S. Federal Trade Commission (FTC) has hit antivirus vendor Avast with a $16.5 million fine over charges that the firm sold users' browsing data to advertisers after claiming its products would block online tracking.

美国联邦贸易委员会（FTC）对杀毒软件供应商 Avast 开出了一项 1650 万美元的罚款，原因是该公司声称其产品将阻止在线跟踪，却将用户的浏览数据出售给广告商。

In addition, the company has been banned from selling or licensing any web browsing data for advertising purposes. It will also have to notify users whose browsing data was sold to third-parties without their consent.

此外，该公司被禁止出售或许可任何网络浏览数据用于广告目的。它还必须通知那些未经同意就将他们的浏览数据出售给第三方的用户。

The FTC, in its complaint, said Avast "unfairly collected consumers' browsing information through the company's browser extensions and antivirus software, stored it indefinitely, and sold it without adequate notice and without consumer consent."

FTC 在其投诉中表示，Avast "不公平地通过公司的浏览器扩展和杀毒软件收集消费者的浏览信息，无限期存储，并在没有充分通知和消费者同意的情况下出售。"

It also accused the U.K.-based company of deceiving users by claiming that the software would block third-party tracking and protect users' privacy, but failing to inform them that it would sell their "detailed, re-identifiable browsing data" to more than 100 third-parties through its Jumpshot subsidiary.

该机构还指责这家总部位于英国的公司欺骗用户，声称该软件将阻止第三方跟踪并保护用户的隐私，但未告知他们将出售他们的"详细、可重新识别的浏览数据"给 Jumpshot 子公司的 100 多个第三方。

What's more, data buyers could associate non-personally identifiable information with Avast users' browsing information, allowing other companies to track and associate users and their browsing histories with other information they already had.

此外，数据购买方可以将非个人身份识别信息与 Avast 用户的浏览信息相关联，从而使其他公司能够跟踪和关联用户及其浏览历史与他们已有的其他信息。

The misleading data privacy practice came to light in January 2020 following a joint investigation by Motherboard and PCMag, calling out Google, Yelp, Microsoft, McKinsey, Pepsi, Home Depot, Condé Nast, and Intuit as some of Jumpshot's "past, present, and potential clients."

这种误导性的数据隐私做法于 2020 年 1 月被 Motherboard 和 PCMag 的联合调查揭露，称 Google、Yelp、Microsoft、McKinsey、Pepsi、Home Depot、Condé Nast 和 Intuit 是 Jumpshot 的"过去、现在和潜在客户"。

A month before, web browsers Google Chrome, Mozilla Firefox, and Opera removed Avast's browser add-ons from their respective stores, with prior research from security researcher Wladimir Palant in October 2019 deeming those extensions as spyware.

一个月前，网络浏览器 Google Chrome、Mozilla Firefox 和 Opera 从各自的商店中移除了 Avast 的浏览器插件，此前在 2019 年 10 月，安全研究员 Wladimir Palant 的研究将这些扩展程序定性为间谍软件。

The data, which includes a user's Google searches, location lookups, and internet footprint, was collected via the Avast antivirus program installed on a person's computer without seeking their informed consent.

这些数据，包括用户的 Google 搜索、位置查找和互联网足迹，是通过未经用户知情同意的情况下通过安装在个人计算机上的 Avast 杀毒程序收集的。

"Browsing data [sold by Jumpshot] included information about users' web searches and the web pages they visited – revealing consumers' religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information," the FTC alleged.

FTC 指控 Jumpshot 出售的"浏览数据包括关于用户的网络搜索和他们访问的网页的信息，揭示了消费者的宗教信仰、健康问题、政治倾向、位置、财务状况、访问儿童定向内容和其他敏感信息。"

Jumpshot described itself as the "only company that unlocks walled garden data," and claimed to have data from as many as 100 million devices as of August 2018. The browsing information is said to have been collected since at least 2014.

Jumpshot 自称是"唯一能解锁围墙花园数据的公司"，并声称截至 2018 年 8 月，已从多达 1 亿台设备中收集了数据。这些浏览信息据说至少从 2014 年开始收集。

The privacy backlash prompted Avast to "terminate the Jumpshot data collection and wind down Jumpshot's operations, with immediate effect."

隐私反弹促使 Avast"立即终止 Jumpshot 的数据收集并停止 Jumpshot 的运营。"

Avast has since merged with another cybersecurity company NortonLifeLock to form a new parent company called Gen Digital, which also includes other products like AVG, Avira, and CCleaner.

此后，Avast 与另一家网络安全公司 NortonLifeLock 合并，成立了一个名为 Gen Digital 的新母公司，该公司还包括其他产品如 AVG、Avira 和 CCleaner。

The development comes nearly a year after the company was fined €13.7 million by the Czech Republic's data regulator for violating E.U. GDPR data protection regulations by collecting and selling internet browsing data.

此举发生在该公司被捷克共和国数据监管机构罚款 1370 万欧元的将近一年之后，罚款原因是违反了欧盟 GDPR 数据保护法规，通过收集和出售互联网浏览数据。

"Avast promised users that its products would protect the privacy of their browsing data but delivered the opposite," said Samuel Levine, director of the FTC's Bureau of Consumer Protection. "Avast's bait-and-switch surveillance tactics compromised consumers' privacy and broke the law."

FTC 消费者保护局局长 Samuel Levine 表示:"Avast 承诺其产品将保护用户的浏览数据隐私，但却做出了相反的行为。"

原文始发于微信公众号（知机安全）：FTC对Avast施以1650万美元罚款