In a sensational revelation, an investigation on Monday claimed that the popular Avast antivirus -- installed on nearly 435 million Windows, Mac and mobile devices globally -- harvested users' data via browser plugins and then sold it to third parties, including Microsoft and Google.
The joint investigation by Motherboard and PCMag that relied on leaked user data and other company documents found that "the sale of this data is both highly sensitive and is, in many cases, supposed to remain confidential between the company selling the data and the clients purchasing it".
The leaked documents accessed for the investigation were from a subsidiary of the antivirus giant Avast, called Jumpshot.
The Avast antivirus programme was installed on a person's computer which collected the data, and Jumpshot repackaged it into various different products which were sold to big companies.
"Potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Conde Nast, Intuit, and many others," the report claimed.
In a statement, Avast said it has stopped providing browsing data collected by the extensions to Jumpshot.
Some clients even paid millions of dollars for products that include a so-called "All Clicks Feed", which can track user behaviour, clicks, and movement across websites in detail.
In copies of contracts with Jumpshot clients, one marketing firm paid over $2 million for data access last year.
Avast offers a selection of free and paid-for antivirus and security tools, in both free and in paid-for formats.
According to the investigation, Avast also recorded "porn site visits that are anonymized, offered the date and time the user visited the sites, as well as search terms and viewed videos in some instances".
Multiple Avast users told Motherboard they were not aware that Avast sold browsing data, raising questions about how informed that consent is.
The investigation also that Avast is still harvesting the data, but via the anti-virus software itself, rather than the browser plugins.