F-Secure and Kaspersky respond to a letter from Bits of Freedom

Nov 7, 2013 12:00 GMT

Bits of Freedom, a Dutch digital rights organization that focuses on privacy and freedom of communications, has sent out a letter to over a dozen antivirus companies to inquire about their policies on the use of software for state surveillance.

IT security solutions providers have been asked if they've ever detected the use of government software for surveillance purposes. They’ve also been asked if any government has approached them to request that they don’t detect specific software.

Bits of Freedom has also asked the organizations to clarify how they would respond to such requests.

At least two companies – Kaspersky and F-Secure – have made public the answers they gave to the digital rights organization.

F-Secure says it has detected government software used for spying, and provided Germany’s R2D2 Trojan as an example.

The Finnish firm claims it hasn’t received any requests from a government that wants its spyware not to be detected by antivirus products.

As for its policies, F-Secure noted, “If we would be approached by a government asking us not to detect a specific piece of malware, we would not comply with their request. To us, the source of the malware does not come into play when deciding whether to detect malware. If it’s malware, we will protect our customers from it.”

Kaspersky says it has been actively involved in the discovery and disclosure of state-sponsored malware attacks. As examples, it cited Flame, Gauss and surveillance tools such as Gamma’s FinFisher and Hacking Team’s DaVinci.

“In reality, it is very unlikely that any competent and knowledgeable government organization will request an antivirus developer (or developers) to turn a blind eye to specific state-sponsored malware. It is quite easy for the ‘undetected’ malware to fall into the wrong hands and be used against the very same people who created it,” Kaspersky stated.

The antivirus giant says it appreciates Bits of Freedom’s efforts. However, it highlights the fact that there are more important issues that should be dealt with, such as the unregulated trading of zero-day exploits that can be used to attack not only government organizations and financial institutions, but also critical infrastructure.