Kaspersky Lab’s Policy on the Use of Software for the Purpose of State Surveillance

06 Nov 2013

In light of the recent stories on the cooperation between government agencies and tech companies, and in response to an open letter from an international coalition of digital rights organizations (https://www.bof.nl/live/wp-content/uploads/Letter-to-antivirus-companies-.pdf), Kaspersky Lab shares its policy on the use of software for the purpose of state surveillance.

We have a very simple and straightforward policy as it relates to the detection of malware: We detect and remediate any malware attack, regardless of its origin or purpose. There is no such thing as “right” or “wrong” malware for us.

Our research team has been actively involved in the discovery and disclosure of several malware attacks with links to governments and nation-states. In 2012, we published our thorough research about Flame and Gauss, two of the biggest nation-state mass-surveillance operations known to date. We have also issued public warnings about the risks of so-called “legal” surveillance tools such as HackingTeam’s DaVinci and Gamma’s FinFisher. It’s imperative that these surveillance tools do not fall into the wrong hands, and that’s why the IT security industry can make no exceptions when it comes to detecting malware.

In reality, it is very unlikely that any competent and knowledgeable government organization will request an antivirus developer (or developers) to turn a blind eye to specific state-sponsored malware. It is quite easy for the “undetected” malware to fall into the wrong hands and be used against the very same people who created it.

While we appreciate the passion of the international coalition to promote civil liberties and privacy rights, we believe there are many other important issues at the moment that require urgent attention. We encourage thought leaders to pay attention to the flourishing, unregulated marketplace where zero-day exploits are traded among agencies with unlimited budgets, and where anyone with a large bank account can acquire weaponized documents that can be used to attack anyone, from government organizations to banks to critical infrastructures.

Failure to discuss these issues will result in a fully militarized Internet where the users become nothing more than collateral victims in the massive cyberwar operations between superpowers.