UPDATE 2017-04-07: updates moved to bottom.
Obviously, installing software that runs with high privileges always comes at some risk. But Kaspersky Anti-Virus, the option “I agree to participate in Kaspersky Security Network” (KSN) is enabled by default, meaning that there can be no misunderstanding that quite a lot of information is collected by Kaspersky. The KSN Data Collection Statement states:
B. RECEIVED INFORMATION
* Information about your computer hardware and software, including operating system and service packs installed, kernel objects, drivers, services, Internet Explorer extensions, printing extensions, Windows Explorer extensions, downloaded program files, active setup elements, control panel applets, host and registry records, browser types and e-mail clients that are generally not personally identifiable;
[…]
* Information about applications downloaded by the user (URL, attributes, file size, information about process that initiated download);
* Information about applications and their modules run by the user (size, attributes, date created, information about PE headers, region, name, location, and compression utilities used);
[…]
* The Kaspersky Security Network service may process and submit whole files, which might be used by criminals to harm your computer and/or their parts, to Kaspersky Lab for additional examination.
I’m aware that the digital threat landscape in 2013 is different from that in 1993, but this default behavior grinds my gears. Information about software that is running on a system is conducive to cyber attacks and should be considered sensitive. Even if Kaspersky does not voluntarily and proactively share this information with, say, the FSB, it is unwise to assume that governments and security industry would not cooperate at that level or that legal requirements. Distribution of spyware via a software update by original vendors, even if carried out with due care and targeting only a few, specific systems, can be detected and may result in users abandoning that software. The sharing of legitimately (?) collected data, however, will remain undetected, and can be expected to take place.
Collecting information beyond what can be reasonably expected requires explicit, informed consent. If you use Kaspersky Anti-Virus, disable this feature. I don’t know whether other AV-software (McAfee etc.) has similar behavioral defaults.
UPDATES
UPDATE 2022-03-15: amid the Ukraine-Russia conflict, the German Bundesamt für Sicherheit in der Informationstechnik warns over the use of software – especially if it requires high system privileges – from Russia:
“A Russian IT manufacturer can conduct offensive operations itself, be forced to attack target systems against its own will, or be spied on without its knowledge as a victim of a cyber operation, or be used as a tool for attacks against its own customers.”
Obviously this argument works both ways, i.e., Russian organizations might be advised to not run software manufactured in countries that have offensive programs against Russia. (And so on.) The thought of digital balkanization is not appealing, so let’s hope things can be sorted out w/o destroying all that nice developers/builders/etc. have created over decades.
UPDATE 2019-08-15: Kaspersky and Trend Micro get patch bonanza after ID flaw and password manager holes spotted (El Reg)
UPDATE 2017-12-21: Lithuania bans Kaspersky Lab software on sensitive computers (Reuters)
UPDATE 2017-11-10: WikiLeaks drama alert: CIA forged digital certs imitating Kaspersky Lab (El Reg)
UPDATE 2017-10-05: Russian gov’t hackers exploited Kaspersky to steal highly-classified info from an NSA contractor (Shane Harris linking to WSJ piece). Of course a government may seek to leverage all means it has: recall the leaked NSA slide that states “Sniff It All, Collect It All, Know It All, Process It All, Exploit It All”. If not through voluntary or coerced cooperation, then by exercising legal powers against local persons and organizations — including those who deliver digital goods or services to domestic and foreign persons.
UPDATE 2017-09-13: U.S. DHS Statement on the Issuance of Binding Operational Directive (BOD) 17-01. From the text:
“[…] The BOD calls on departments and agencies to identify any use or presence of Kaspersky products on their information systems in the next 30 days, to develop detailed plans to remove and discontinue present and future use of the products in the next 60 days, and at 90 days from the date of this directive, unless directed otherwise by DHS based on new information, to begin to implement the agency plans to discontinue use and remove the products from information systems.
This action is based on the information security risks presented by the use of Kaspersky products on federal information systems. Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems. The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security. […]”
UPDATE 2017-05-11: Eugene Kaspersky Reddit AMA — good move following a report from ABC News regarding a “secret memorandum sent last month to Director of National Intelligence Dan Coats and Attorney General Jeff Sessions [in which] the Senate Intelligence Committee raised possible red flags about Kaspersky Lab”.
UPDATE 2017-04-06: different problem, same domain (virus scanning): users who wittingly — and possibly as per company policy — upload files, that may contains sensitive business information, to virus scanning services, making those scanning services interesting to attackers.
UPDATE 2017-03-15: Benoit Goas posted the following on [RISKS]: “I just downloaded a set of (obviously personal) medical images from an imaging lab, which allows downloads only as executable zip file (their website runs only with silverlight, but that’s not the main issue). As indicated on https://blog.avast.com/cybercapture-protection-against-zero-second-attacks , since around mid 2016 Avast antivirus has a new function to protect our computers against “zero second attacks”. So it saw my download of an executable file, and sent it to their cloud as it was a “very rare program file” that they “needed to study”. Indeed, my personal medical images are quite unique! But I didn’t expect them to be sent anywhere, especially without asking me. So I now disabled that option, but some problems were:
- letting my computer auto update without knowing what it’s adding (lots of
auto updates are running…)
- automatically sending personal files outside of private computers without asking first
- hence “forcing” me to disable that feature that could protect me another day
- making us download executable files to begin with, to just send us a compressed folder
- not giving any option to contact the software provider, as it appears that part of the company no longer exists (and I’m sure the imaging place wouldn’t care, as it’s a nice service they provide, and can’t change the tools) –
[…] Best regards, B. GOAS”
UPDATE 2015-09-19: different story on AV: ‘AVG Proudly Announces It Will Sell Your Browsing History to Online Advertisers‘.
UPDATE 2014-08-29: different story on AV: Kaspersky backpedals on “done nothing wrong, nothing to fear” company article.
UPDATE 2013-12-29: different story on collection of information about software configurations: according to this article in Der Spiegel, the NSA intercepts Microsoft error-reporting messages, using XKeyscore to fish them out of internet traffic:
“When TAO selects a computer somewhere in the world as a target and enters its unique identifiers (an IP address, for example) into the corresponding database, intelligence agents are then automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft. An internal presentation suggests it is NSA’s powerful XKeyscore spying tool that is used to fish these crash reports out of the massive sea of Internet traffic.
The automated crash reports are a “neat way” to gain “passive access” to a machine, the presentation continues. Passive access means that, initially, only data the computer sends out into the Internet is captured and saved, but the computer itself is not yet manipulated. Still, even this passive access to error messages provides valuable insights into problems with a targeted person’s computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim’s computer.
Although the method appears to have little importance in practical terms, (…)”
UPDATE 2013-11-24: Microsoft Security Essentials entry on Wikipedia: “(…) by default, MSE reports all suspicious behaviors of monitored programs to Microsoft Active Protection Service (MAPS), a web-based service.” Opt-in to “Basic Membership” is default setting in the installer. MSE is included in Windows 8; I don’t know the default setting there. (source)
UPDATE 2013-08-01: I looked at EULA’s of other vendors. Their relevant paragraphs are too long to include in this post, but the key conclusion is that real-time information networks collecting detailing system configuration information are commonplace in today’s anti-malware habitat; as stated by Kaspersky Lab and in other comments. My concern about information collection remains, but a few important points / nuances were made by commenters:
1) Kosay Hatem states that the benefit of these networks is likely greater than the danger of the information collected. I agree that that will be probably true for most users.
2) An anonymous commenter states that for a system that does “security legal oriented work” (forensics?), one can opt-out. I agree. The comment also states that at the end of the day, you either trust your the AV vendor who’s software you install or totally or not; there is no middle ground. I agree, at least when “trust” is defined as the trustee’s acceptance of possible intentional or non-intentional failure of the trusted party.
UPDATE 2013-07-18: Kaspersky Labs responded in a comment below this post. The take-away: “So in short: This is an industry practice and done in the similar way by all anti-malware vendors. It can be easily checked the same way in their product EULAs.” I will read the EULA’s of other vendors and update this post to reflect my findings.
EOF
