Should You Buy Kaspersky Security Products?

PCMag, published in PC Magazine, Aug 25, 2020

Is Russian security software company Kaspersky in Putin’s pocket? Rumors abound, but there’s still no real evidence of these claims. We will continue to rate Kaspersky products based on their performance and value like we do for every other company we evaluate.

By Neil J. Rubenking

2017 wasn’t a great year for global security company Kaspersky. Rumors were flying. Kaspersky reports to the Russian government. Kaspersky steals private data. Kaspersky spies on its customers. Kaspersky cheats at solitaire. At the time, we looked closely at all the available information, consulted with a number of experts, and concluded that there was no actual evidence to back those rumors.

Little has changed since then. The rumors still exist; the evidence still does not. US government agencies are still enjoined from using Kaspersky software. But other than putting its products on the no-buy list, the US government hasn’t punished Kaspersky, while it has come down like a ton of bricks on other foreign companies. The difference is worth consideration. Let’s compare a few cases.

The Unfortunate NSA Incident

There is evidence of one security incident involving Kaspersky, something that came to light not long after the government ban. The media-hysteria version of the story is that Kaspersky stole hacking software from the NSA. What happened was much more mundane.

Like most antivirus software, Kaspersky Anti-Virus keeps an eye out for programs that exhibit suspicious behaviors but don’t match any known malware signatures. Such a program might be a brand-new malware strain, often called a zero-day attack. With the user’s permission (typically granted at installation) it uploads suspicious never-before-seen programs to its research team for analysis. That automated behavior is what caused the incident.

An NSA consultant broke protocol and copied some NSA hacking tools to his Kaspersky-protected laptop. The security software detected the tools as dangerous unknowns and sent them to Kaspersky HQ for analysis. When the company’s researchers realized what they had received, they immediately deleted it. End of story. Neither the NSA nor any other US agency took action, because it’s not against the law to obtain classified data by accident.

The Avast Embarrassment

Robert Heinlein popularized the acronym TANSTAAFL in his novel, The Moon is a Harsh Mistress. It stands for “There ain’t no such thing as a free lunch.” A more modern take might be, “If you’re not paying, you are the product.” That became clear earlier this year in a fiasco involving the very popular Avast Free Antivirus.

An Avast subsidiary, Jumpshot, was gathering clicks and other data from users of the free antivirus, allegedly stripping out anything that could identify the individual user. Research proved that Jumpshot could (and did) compromise the personal information of Avast users. This was no rumor; this was fact.

Reaction was swift. Avast shut down Jumpshot completely and ceased the problematic data gathering. What happened is still an embarrassment for Avast, but the company is working hard to regain the trust of its users. Here again, there was evidence of a problem. This time it was the company’s own fault, but the executive team quickly implemented a solution, and the government didn’t get involved at all.

Crime, Punishment, and TikTok

Kaspersky picked up NSA tools due to a consultant’s error. Avast tried to depersonalize data shared with third parties but failed to do so completely. Both companies worked quickly to put things right. What happens when a company actively steals personal information?

In May of 2020, privacy watchdogs accused the popular short-form video app TikTok of putting children at risk. They claimed that TikTok continued to misuse children’s data in ways that previously earned the company a $5.7 million fine. But FTC fines and COPPA violations were just the beginning.

More recently, US government agencies determined that TikTok deliberately captures information about American citizens and supplies it to the Chinese government. Our government’s reaction was swift and draconian. An executive order aims to “cripple…TikTok by prohibiting US app stores, credit card companies, and software providers from working with it.” The order also applies to WeChat, an extremely popular messaging, social media, and payment app. It’s big in China, but also important for US citizens who have family in China.

Unless something big changes, like Microsoft buying TikTok, the order effectively means the end of TikTok and WeChat in the US. Not only that, since the order applies to app stores, iPhone users in China won’t be able to get the apps.

Wrist Slap Versus Defenestration

The situation with TikTok and WeChat illustrates what kind of action the US government takes when it has evidence that a foreign company is endangering our security. The proposed ban affects everyone in the US as well as US companies around the world. It’s a hard blow to the foreign company in question.

In September of 2019, the Federal Acquisition Regulation Council formalized its policy forbidding federal agencies to purchase Kaspersky products, but that’s the extent of government involvement. You or I can buy Kaspersky products on Amazon, or Walmart, or any store that carries them. Some outlets, like Best Buy, choose not to carry these products, but that’s their right. By comparison with the WeChat ban, Kaspersky’s punishment is a politically motivated wrist slap. Why? Because there’s no evidence.

Trust the Experts

There is, of course, another possible explanation for the government’s wildly different reactions. Maybe the current administration loves Russia and hates China, maybe that’s all it is. But even if you don’t trust the government to act in your best interests, there’s no doubt that other security companies look to their own interests.

Keeping a security product viable requires a research team, to stay ahead of the malware coders. In addition to looking for new trends in malicious software, these teams put legitimate software and hardware to the test. If Kaspersky’s antivirus software included any backdoors or illicit behaviors, the competition wouldn’t hesitate to shine a light on it.

Independent testing labs also put security products through rigorous analysis. Some labs, like Google’s Project Zero, are devoted entirely to finding security flaws in products of all kinds. Scrutiny by security experts all over the world hasn’t turned up evidence of inappropriate behavior by Kaspersky. If you don’t trust the government, trust the experts.

Kaspersky Responds

While it originated in Russia, Kaspersky is a global company, with sales and locations around the world. A ban on purchases by the US government doesn’t put a big hurt on Kaspersky’s bottom line. Still, nobody likes being accused of illicit behavior. Kaspersky has a lot to say about just why there’s no problem:

Kaspersky’s Global Transparency Initiative is aimed at reaffirming the company’s commitment to earning and maintaining the trust of its customers and partners. The initiative, launched in 2017, engages the IT security community in validating and verifying the trustworthiness of its products, internal processes and business operations.

In 2018 the company started moving US and Canada customer data to its processing center in Switzerland. It also commissioned audits of its system security and the security of its data centers. European agencies have certified its protocols:

These actions demonstrate Kaspersky’s continued willingness to go above and beyond to protect its customers, and will enhance the company’s already proven, global leadership in cybersecurity products and solutions.

Kaspersky Is Not Stupid

Kaspersky’s eponymous CEO is no dummy, nor are the Kaspersky researchers I’ve met.

Kaspersky Lab has the biggest market share of security vendors in Europe. Globally, it’s the fifth-largest antivirus company by revenue, and more than 80 percent of that comes from outside Russia. Collaborating with the Russian government would put that global success at risk. It would be an act of corporate suicide. And this is not a stupid group.

There’s no doubt that Eugene Kaspersky has met Vladimir Putin, nor that Elon Musk has met Donald Trump. When your company is big enough, you move in government circles. I don’t see any real evidence of illicit activities on Kaspersky’s part, and I don’t see a government reaction commensurate with the existence of such evidence. Unless things change, we’ll continue to recommend products such as Kaspersky Anti-Virus based on their merits.

Originally published at https://www.pcmag.com.
