UPDATE 2017-04-07: updates moved to bottom.
Obviously, installing software that runs with high privileges always comes at some risk. But Kaspersky Anti-Virus, the option “I agree to participate in Kaspersky Security Network” (KSN) is enabled by default, meaning that there can be no misunderstanding that quite a lot of information is collected by Kaspersky. The KSN Data Collection Statement states:
B. RECEIVED INFORMATION
* Information about your computer hardware and software, including operating system and service packs installed, kernel objects, drivers, services, Internet Explorer extensions, printing extensions, Windows Explorer extensions, downloaded program files, active setup elements, control panel applets, host and registry records, browser types and e-mail clients that are generally not personally identifiable;
[…]
* Information about applications downloaded by the user (URL, attributes, file size, information about process that initiated download);
* Information about applications and their modules run by the user (size, attributes, date created, information about PE headers, region, name, location, and compression utilities used);
[…]
* The Kaspersky Security Network service may process and submit whole files, which might be used by criminals to harm your computer and/or their parts, to Kaspersky Lab for additional examination.
I’m aware that the digital threat landscape in 2013 is different from that in 1993, but this default behavior grinds my gears. Information about software that is running on a system is conducive to cyber attacks and should be considered sensitive. Even if Kaspersky does not voluntarily and proactively share this information with, say, the FSB, it is unwise to assume that governments and security industry would not cooperate at that level or that legal requirements. Distribution of spyware via a software update by original vendors, even if carried out with due care and targeting only a few, specific systems, can be detected and may result in users abandoning that software. The sharing of legitimately (?) collected data, however, will remain undetected, and can be expected to take place.
Collecting information beyond what can be reasonably expected requires explicit, informed consent. If you use Kaspersky Anti-Virus, disable this feature. I don’t know whether other AV-software (McAfee etc.) has similar behavioral defaults.
UPDATES
UPDATE 2022-03-15: amid the Ukraine-Russia conflict, the German Bundesamt für Sicherheit in der Informationstechnik warns over the use of software – especially if it requires high system privileges – from Russia:
“A Russian IT manufacturer can conduct offensive operations itself, be forced to attack target systems against its own will, or be spied on without its knowledge as a victim of a cyber operation, or be used as a tool for attacks against its own customers.”
Obviously this argument works both ways, i.e., Russian organizations might be advised to not run software manufactured in countries that have offensive programs against Russia. (And so on.) The thought of digital balkanization is not appealing, so let’s hope things can be sorted out w/o destroying all that nice developers/builders/etc. have created over decades.
UPDATE 2019-08-15: Kaspersky and Trend Micro get patch bonanza after ID flaw and password manager holes spotted (El Reg)
UPDATE 2017-12-21: Lithuania bans Kaspersky Lab software on sensitive computers (Reuters)
UPDATE 2017-11-10: WikiLeaks drama alert: CIA forged digital certs imitating Kaspersky Lab (El Reg)
UPDATE 2017-10-05: Russian gov’t hackers exploited Kaspersky to steal highly-classified info from an NSA contractor (Shane Harris linking to WSJ piece). Of course a government may seek to leverage all means it has: recall the leaked NSA slide that states “Sniff It All, Collect It All, Know It All, Process It All, Exploit It All”. If not through voluntary or coerced cooperation, then by exercising legal powers against local persons and organizations — including those who deliver digital goods or services to domestic and foreign persons.
UPDATE 2017-09-13: U.S. DHS Statement on the Issuance of Binding Operational Directive (BOD) 17-01. From the text:
“[…] The BOD calls on departments and agencies to identify any use or presence of Kaspersky products on their information systems in the next 30 days, to develop detailed plans to remove and discontinue present and future use of the products in the next 60 days, and at 90 days from the date of this directive, unless directed otherwise by DHS based on new information, to begin to implement the agency plans to discontinue use and remove the products from information systems.
This action is based on the information security risks presented by the use of Kaspersky products on federal information systems. Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems. The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security. […]”
UPDATE 2017-05-11: Eugene Kaspersky Reddit AMA — good move following a report from ABC News regarding a “secret memorandum sent last month to Director of National Intelligence Dan Coats and Attorney General Jeff Sessions [in which] the Senate Intelligence Committee raised possible red flags about Kaspersky Lab”.
UPDATE 2017-04-06: different problem, same domain (virus scanning): users who wittingly — and possibly as per company policy — upload files, that may contains sensitive business information, to virus scanning services, making those scanning services interesting to attackers.
UPDATE 2017-03-15: Benoit Goas posted the following on [RISKS]: “I just downloaded a set of (obviously personal) medical images from an imaging lab, which allows downloads only as executable zip file (their website runs only with silverlight, but that’s not the main issue). As indicated on https://blog.avast.com/cybercapture-protection-against-zero-second-attacks , since around mid 2016 Avast antivirus has a new function to protect our computers against “zero second attacks”. So it saw my download of an executable file, and sent it to their cloud as it was a “very rare program file” that they “needed to study”. Indeed, my personal medical images are quite unique! But I didn’t expect them to be sent anywhere, especially without asking me. So I now disabled that option, but some problems were:
- letting my computer auto update without knowing what it’s adding (lots of
auto updates are running…) - automatically sending personal files outside of private computers without asking first
- hence “forcing” me to disable that feature that could protect me another day
- making us download executable files to begin with, to just send us a compressed folder
- not giving any option to contact the software provider, as it appears that part of the company no longer exists (and I’m sure the imaging place wouldn’t care, as it’s a nice service they provide, and can’t change the tools) –
[…] Best regards, B. GOAS”
UPDATE 2015-09-19: different story on AV: ‘AVG Proudly Announces It Will Sell Your Browsing History to Online Advertisers‘.
UPDATE 2014-08-29: different story on AV: Kaspersky backpedals on “done nothing wrong, nothing to fear” company article.
UPDATE 2013-12-29: different story on collection of information about software configurations: according to this article in Der Spiegel, the NSA intercepts Microsoft error-reporting messages, using XKeyscore to fish them out of internet traffic:
“When TAO selects a computer somewhere in the world as a target and enters its unique identifiers (an IP address, for example) into the corresponding database, intelligence agents are then automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft. An internal presentation suggests it is NSA’s powerful XKeyscore spying tool that is used to fish these crash reports out of the massive sea of Internet traffic.
The automated crash reports are a “neat way” to gain “passive access” to a machine, the presentation continues. Passive access means that, initially, only data the computer sends out into the Internet is captured and saved, but the computer itself is not yet manipulated. Still, even this passive access to error messages provides valuable insights into problems with a targeted person’s computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim’s computer.
Although the method appears to have little importance in practical terms, (…)”
UPDATE 2013-11-24: Microsoft Security Essentials entry on Wikipedia: “(…) by default, MSE reports all suspicious behaviors of monitored programs to Microsoft Active Protection Service (MAPS), a web-based service.” Opt-in to “Basic Membership” is default setting in the installer. MSE is included in Windows 8; I don’t know the default setting there. (source)
UPDATE 2013-08-01: I looked at EULA’s of other vendors. Their relevant paragraphs are too long to include in this post, but the key conclusion is that real-time information networks collecting detailing system configuration information are commonplace in today’s anti-malware habitat; as stated by Kaspersky Lab and in other comments. My concern about information collection remains, but a few important points / nuances were made by commenters:
1) Kosay Hatem states that the benefit of these networks is likely greater than the danger of the information collected. I agree that that will be probably true for most users.
2) An anonymous commenter states that for a system that does “security legal oriented work” (forensics?), one can opt-out. I agree. The comment also states that at the end of the day, you either trust your the AV vendor who’s software you install or totally or not; there is no middle ground. I agree, at least when “trust” is defined as the trustee’s acceptance of possible intentional or non-intentional failure of the trusted party.
UPDATE 2013-07-18: Kaspersky Labs responded in a comment below this post. The take-away: “So in short: This is an industry practice and done in the similar way by all anti-malware vendors. It can be easily checked the same way in their product EULAs.” I will read the EULA’s of other vendors and update this post to reflect my findings.
EOF
Dear Matthijs,
We read your blog with interest. We would like to give you some more information on our Kaspersky Security Network though, which might change your point of view.
Data collected via KSN is completely anonymous and is used to analyze Internet and software usage by Kaspersky Lab customers. It helps us deliver the most efficient and immediate reaction to threats. The technology helps to rapidly detect and block new and unknown threats, it is also used to update Kaspersky Lab’s Whitelisting database. Similar tools are used by other market players. Kaspersky Security Network is not a secret or completely unique tool. Similar tools are used by all anti-malware vendors as they make it possible to react immediately to threats and ensure increased security. The principles of KSN are explained in the end-user license agreement (EULA).
Though the data collected via KSN is completely anonymous, Kaspersky Lab treats it as highly confidential information and takes all due precautions. The processed information is stored on computer servers with limited and controlled access. It is subject to our security procedures and corporate policies regarding the protection and use of confidential information.
Our business model is based on trust, and we take all possible measures to preserve the trust of our clientele. There is nothing in Russian legislation that would oblige Kaspersky Lab to share the information it collects via KSN with the FSB. Kaspersky Lab has never conducted any secret projects for the FSB.
So in short: This is an industry practice and done in the similar way by all anti-malware vendors. It can be easily checked the same way in their product EULAs.
Should you have any remarks or questions, please let us know. We would be happy to give more information.
Best regards,
Kaspersky Lab
Knowledge about software configurations is highly valuable in the preparation of cyber attacks (CNA/CNE), and the Russian government is developing offensive cyber capabilities (just like the U.S., Germany, Netherlands, etc., for that matter). I prefer trust over distrust, but the current state of affairs requires alertness regarding system and network activity. When I learn that my local anti-virus software communicates, without asking consent, the configuration of my system, which applications I downloaded, and which applications I run, then the AV-vendor is trespassing (IMHO).
Eugene Kaspersky was (crypto-)trained at a school co-sponsored by the Russian MoD and KGB, and tenured as a Soviet intelligence officer; also, the Kaspersky company has a remarkable track record of unveiling U.S. cyber espionage operations. That doesn’t imply that the Kaspersky company is involved in any way in Kremlin-led offensive activity, intelligence gathering or information operations, but on the other hand, it’d be absurd to ignore it altogether. (Note to self: I should discuss the latter with a Russia-oriented diplomat-scholar at Clingendael or HCSS Centre for Strategic Studies .)
I’m not an anti-malware developer, but everything you state above seems plausible to me. I will check out EULA’s of other anti-malware vendors. If indeed this is industry practice and done in the similar way by all anti-malware vendors, I guess I woke up late in a new world.
Thanks for taking the effort to respond; it is much appreciated.
Friendly regards,
Matthijs
>>>>I don’t know whether other AV-software (McAfee etc.) has similar behavioral defaults<<<<
Maybe you should have investigated this first before pick one vendor and blog about it… and yes Mcafee does pretty much the same!
Greetz
Thanks, duly noted! I will take a look at other vendor’s EULA and update this post to reflect my findings.
Dear Matthijs,
Regarding your remark that we didn’t ask consent we would like to clarify that participation in KSN is strictly voluntarily and confidentially – the user of one of Kaspersky Lab’s consumer products has to agree to participate in the system. When installing Kaspersky software users clearly see the option to participate in KSN on the main install screen including a link to explain what KSN does and why it helps us to better protect our customers against malware threats.
Regarding your ideas about our involvement with FSB we still state that Kaspersky Lab has never conducted any secret projects for the FSB. As said before our business model is based on trust, and we therefore take all possible measures to preserve the trust of our clientele. If there are other matters that remain unclear for you, please don’t hesitate to share them with us. We would be happy to address them.
Best regards,
Kaspersky Lab
Hi,
Microsoft Security Essentials does the same….
Dear Mr. Mrkoot ,
In fact a lot of AV company like Kaspersky ,Bitdefender ,ESET ,Aira , Avast ….etc has the same network . EVEN I HAVE SOME NOTICES ABOUT SECURITY NETWORKS (all AV company has the same idea in security network) . but in the fact , the benefit of this networks more than the dangerous of the information that collected . in other words the user don’t care about dll files , drivers , installed programs , and other information if the OS is virus clean , and protected from unknown malware . while user has big problem if he has malware and his information about OS is no in the security network .
I have 2 x Windows systems protected by Kasperksy Antivirus 2013, both previously Kaspersky AV 2012. On both occasions I had the option of participation or non-participation in Kaspersky Security Network during installs.
Since one system is used for security legal orientated work, I opted out from participating. I’m not sure if this option is more obscure in other Kaspersky products or not.
This product has served me well and I consider it money well spent, less prone to FP’s than similar other products of whatever nature but extremely fast on picking up real issues. However we have to ask how Kapsersky achieves these remarkable results? Part of the answer is their presence on anti-abuse groups linked to cyber issues where we actually have real reachable people.. Another part of the puzzle if Kaspersky Security Network. Plus possibly other methods.
It is not possible to protect if you do not know what you are protecting against and that is why this is an important mechanism to reach and get feedback from the masses. It works both ways.
At the end of the day, logically you either you trust your selection of AV vendor totally or not – in fact any software vendor. There is no middle ground.
The new update of Avast AV is collecting system data also.
What’s this “you either totally trust your AV vendors or not” B.S.?
PROTECT IS *NOT* COLLECT, folks.
Are ALL companies totally obsessed with user data, even so-called data protectors? No file/info is sacred/private anymore?
I want products that keep my data, be it sensitive or not, MORE PRIVATE/SECURE, not products that get acess bonanza to everything and THEN makes it “private/secure”.
I KNOW I’m not the only user who feels highly uncomfortable with the amount of information taken from my machines (therefore from *me*) from every side.
AV COMPANIES SHOULD *JUST* PROTECT OUR DATA.