Another day, another company abusing customer privacy. A joint investigation by PCMag and Motherboard has discovered that antivirus maker Avast, who also owns AVG, has been selling extremely detailed information about customer browsing histories to marketers.

The company division responsible is Jumpshot, and it has “been offering access to user traffic from 100 million devices.” In a tweet the company sent last month to attract new clients, it promised to deliver “‘Every search. Every click. Every buy. On every site’ [emphasis Jumpshot’s,]” according to Motherboard.

In fact, the level of detail the data provides is astounding, allowing clients to “view the individual clicks users are making on their browsing sessions, including the time down to the millisecond. And while the collected data is never linked to a person’s name, email or IP address, each user history is nevertheless assigned to an identifier called the device ID, which will persist unless the user uninstalls the Avast antivirus product.”

The data is anonymized so that, in theory, it can’t be tied to an individual user. However, the device ID is where the trouble comes in. For example, all a retailer would need to do is compare the time stamp that correlates to a specific purchase against their records to identify the customer. It would then be a simple matter to use that device ID to build a complete—and completely identifiable—profile of that person. With their entire browsing history, the retailer would know everything about what sites they visit, their habits, what their interests are and who their friends are.

According to PCMag, Jumpstart even offered different products tailored to delivering different subsets of information. For example, one product focused on search results, both the terms searched for and the results visited. Another product focused on tracking what videos people are watching on Facebook, Instagram and YouTube.

The granularity is particularly disturbing in relation to a contract Jumpstart had with marketing provider Omnicom Media Group, to provide them the “All Clicks Feed.” The service provides “the URL string to each site visited, the referring URL, the timestamps down to the millisecond, along with the suspected age and gender of the user, which can inferred based on what sites the person is visiting.” While the device ID was stripped from the data for most companies that signed up for the All Clicks Feed, Omnicom Media Group was the exception, receiving the data with device IDs intact.

Much of the collection occurred through the antivirus software’s browser extensions, and Avast has since stopped sharing the data it collects through those extensions. However, the company has not committed to delete the data it has already collected. The company can also still collect browsing history through its Avast and AVG antivirus software, on both desktop and mobile.

That ambiguity has not gone over well with Senator Ron Wyden, a staunch privacy advocate. According to both PCMag and Motherboard, Wyden said in a statement that “It is encouraging that Avast has ended some of its most troubling practices after engaging constructively with my office. However I’m concerned that Avast has not yet committed to deleting user data that was collected and shared without the opt-in consent of its users, or to end the sale of sensitive internet browsing data. The only responsible course of action is to be fully transparent with customers going forward, and to purge data that was collected under suspect conditions in the past.”

The full read at either PCMag or Motherboard is fascinating and is another good reminder that nothing in life is free. Companies that offer a ‘free service’ are making their money somewhere—often at the expense of the customer.