Transparency

Why did Kaspersky Lab decide to give access to its code?

How can one make sure that a social platform, application, or cloud service does not violate user privacy and that private information would not be used to cause harm? Usually, it’s impossible. One option would be to trust the software company and its data security certificates. With this in mind, Kaspersky Lab is setting a new standard for transparency in the IT business, and we’ve decided to provide access to our security solutions and open a data centre in one of the world’s most secure locations — Switzerland. Here’s how this initiative will change our company, the security of our users, and the global IT industry.

Today, our servers are located in data centres around the world, in places like Germany, Canada, China, and Russia. Unfortunately, as our program code and users’ data are stored under different jurisdictions, this increases the chances of us becoming hostage to disagreements between governments. We are relocating the most important parts of our infrastructure — the source code, user data, and software assembler — to Switzerland, a politically neutral country with some of the most stringent data protection legislation in the world.

In Zurich, we opened a Transparency Center, where trusted partners, including government organisations will be able to review the source code of our products and the tools we use in our work.

WHAT IS THE SOURCE CODE REVIEW?

We have opened access to the following:

1 6
1
the source code of all publicly released Kaspersky Lab products, including older versions
2
threat detection
rule databases
3
software
updates
4
the source code of the cloud services responsible
for receiving and storing the data of our customers
5
software tools used to create
products (the build scripts)
6
software development
documentation

In the event that companies, the expert community, governments, or official organisations responsible for information security have doubts or questions about Kaspersky Lab products, they would be able to send experts to our Transparency Center for a review.

We are relocating the equipment used for processing data that products used by our users send to our Kaspersky Security Networkglobal cloud-based threat intelligence platform. Each information request will be logged and monitored by an independent and reliable third-party organisation. Such a process, in turn, will address accusations of unauthorised access to user information.

In addition, we also plan the relocation of the assembly line for Kaspersky Lab products and our threat detection rule databases (AV databases) to Switzerland.

We’ve come up with an idea to create an independent, third-party organisation that can verify any company that works with user data. At the moment, no such organisation exists. Although, obviously, such a company would have been created sooner or later, we are, nevertheless, taking steps to make this happen now, and we are in the process of finding partners. Today, IT corporations work with the data of users from many different countries, with different political systems. A single and fully independent organisation, representing the interests of users, is necessary for the development of the entire IT industry.

What kind of basic responsibilities should this independent organisation have?

1 3
1
check the product code for strict compliance with the declared functions and assess possible vulnerabilities
2
check the conditions of user
data processing and storage
3
сontrol instances of companies and governments
accessing data received from users

To create the data-processing infrastructure, we will need to transfer a few dozen services from Moscow to Zurich. The process of establishing additional infrastructure for processing data from European users is expected to be completed by the end of 2019. Other information, including anonymized threat and usage statistics, will begin to be processed in Zurich as part of the next stage of our Global Transparency Initiative. In the future, we also intend to relocate data processing for our customers from other countries.