Mozilla Removes Security Extensions by Avast!, AVG

Mozilla has removed security tools from Avast and AVG from the Firefox extension store. It says the tools are collecting too much personal data about users.

The extensions are third-party tools for the Firefox browser that add extra functionality to web browsing. In this case, the advertised purposes include highlighting and blocking malware that could be downloaded, and warning users when a page may be part of a phishing attack. That's where a user is tricked into typing in personal details into what they think is a legitimate site.

Mozilla acted after online posts by Wladimir Palant, who operates a major ad-blocking service. As part of that work, he pays close attention to how extensions interact with web browsers and user's computers.

Extensions 'Track Online Activity'

Palant says he's spotted problems with extensions from AVG and Avast (which now owns AVG). While anyone can get the extensions, people installing standalone security software from both companies will see a message encouraging them to get the extension.

When a user with the extension visits a new webpage, the extension sends details about the page to Avast's servers, which then respond with security information - for example that the page is known to be linked to phishing. The same happens with any links on the page: the idea being the extension can highlight a security risk before the user clicks the link.

Palant says the problem is that this means Avast effectively receives a complete record of the user's online activity: not just the sites they visit, but also how long they spend on each page, how often they switch between open tabs, and which links on a page they do or don't click on.

According to Palant, this level of detail is more than Avast needs for the extensions to carry out their stated task. He also claims Avast doesn't adequately anonymize the data, and that its privacy policy isn't clear enough about how long Avast keeps the data. (Source: palant.de)

Avast Says Nothing Amiss

Mozilla has now removed the extensions from the store. However, they will continue working for users who have already installed them.

Avast says it's working with Mozilla to comply with its rules. It insists the data collection is needed for the extensions to work.

It also says it "does this without collecting or storing [the] user's identification", though Palant argues this isn't the case as the extension sends a code called "userid" alongside the site addresses and other information. (Source: theregister.co.uk)

What's Your Opinion?

Do you use browser extensions for security tools? Are you concerned by the information the Avast and AVG extensions are collecting and transmitting? Or do you believe it's not a problem, providing it is not kept permanently (and potentially resold for third party advertising)?