Antivirus vendors have your data. Can they handle GDPR?
See what you need to check, because both of you will face the consequences of GDPR non-compliance
Just like your organization, antivirus vendors will have to meet the requirements of the GDPR. Because they have access to your files and other data, their non-compliance is your responsibility, and you face the fines if something goes amiss.
Do you know what antivirus vendors do with your data (a process called telemetry) and what control and responsibility you have over it?
Telemetry is essential to antivirus and it’s how the antivirus vendors offer protection for your endpoints. On the other hand, it’s also critical information about your enterprise, from what hardware specifications your endpoints have to your employees’ data.
To put it bluntly: if your antivirus vendor is hacked and your customers’ data is exposed, the brunt of the blame and the fines will be on both your shoulders.
“24 – the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data and to demonstrate compliance.
32 – the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”
On May 25, 2018, all organizations in non-compliance with the EU General Data Protection Regulation (GDPR) will face heavy fines. But who watches the watchmen?
You have to, because the Kaspersky-NSA case has troubling, far-reaching ramifications.
Here is an abbreviated timeline of what went down with reputable antivirus vendor Kaspersky Lab. With the arrival of the EU General Data Protection Regulation, it’s an alarm bell. As responsibility spreads and shifts, Kaspersky’s troubles could become yours.
Kaspersky Lab media coverage insinuates the antivirus vendor has ties to the Russian Mafia and shares 400,000,000 users’ data with the criminals.
The company defends itself vigorously.
Due to suspicions of ties to the Russian Government, the Department of Homeland Security bans the use of Kaspersky products in the U.S. Federal Government.
The Wall Street Journal alleges that in 2015, hackers working for the Russian Government used the Kaspersky antivirus to steal classified information from the home computer of an NSA agent.
Kaspersky reveals that the NSA agent in question disabled his antivirus to install a pirated copy of Microsoft Office. He did not know that the keygen program he used to pirate Office had created backdoor infections on his computer.
After that, he turned the antivirus on, which sent his files to Kaspersky as a malware sample to be inspected and vetted.
A Kaspersky employee realized that the data was not malware but highly classified NSA information and presented it to Eugene Kaspersky, who ordered the destruction of that data.
Kaspersky offered the source code for its antivirus to be analyzed by the government, a move to ensure transparency that went nowhere because the government did not reply.
The company now fights an uphill battle to protect its reputation as a trusted antivirus vendor, creating a general sense of paranoia and mistrust in antivirus products.
This is good.
Wait, not for the reason you might assume.
We’re not encouraging paranoia for paranoia’s sake.
The cybersecurity industry is based on cooperation and exchange of information to fulfill its core tenets: data protection against exfiltration and manipulation attempts.
Essential data for specific cases is gathered by multiple vendors to contribute to malware-analysis services like VirusTotal. Even more importantly, data sharing helps fight the large-scale cybercriminal groups.
This is the means through which we and other companies cooperated to support law enforcement agencies in cases like the famous Operation Tovar. By joining forces, we took down the Gameover ZeuS botnet, which was responsible for distributing the CryptoLocker ransomware.
So no, this old urban myth has no anchor in reality:
Antivirus vendors do not write viruses themselves to keep profiting from their software. That’s actually the type of paranoia that requires tin-foil hats. We’ll also eat our tin-foil hats if there is ever a consistent amount of proof of such an allegation.
The infosec or the cybersecurity industry, whatever you want to call it, relies on transparency to function.
It’s the same transparency your organization has to demand from your cybersecurity vendors because of GDPR.
Getting back to that sense of “paranoia”: the discussion that started with Kaspersky’s troubles will be beneficial, because the EU GDPR affects antivirus vendors as well.
Companies big and small are forced to finally understand what an antivirus does. Also, it shines a light on what telemetry is: an automated communications process by which data is collected and transmitted for monitoring purposes to specialized equipment. It’s how your antivirus software gathers information in order to better protect you.
“Users of Kaspersky Lab products can reduce the amount of data processed from their protected devices to the absolute minimum. All data processed and/or transferred is robustly secured through encryption, digital certificates, segregated storage and strict data access policies.
Yes, users have control over the amount of data being shared, because participation in Kaspersky Security Network is voluntary and can be disabled at any time. If users disable KSN, a small amount of data will be shared that is essential for the product to function properly,” says Kaspersky as part of their Transparency Initiative.
Your reply, as a business that handles consumers’ data, should be: What is that small amount of data? What kind of encryption do you have?
Where before, businesses simply relied on the tool without much awareness of its functions and processes, now they need to investigate it. Just like you, because they provide a service, antivirus vendors have to be compliant with the General Data Protection Regulation. And you need to contact them as soon as possible and find out what they do with your data and where they send it.
What happens with telemetry?
“Every month millions of devices in over 150 countries send security telemetry to the Lookout Security Cloud, ensuring that Lookout can track evolving threat actors and continue to lead the industry in novel threat discoveries such as the Pegasus spyware,” says Lookout, another respected vendor.
Whose millions of devices? Are some of those yours?
Don’t get scared but do know what telemetry is, because the law will require you to do so. In the event of a hack where your customers’ data is exposed, the onus will be on you. It’s not on the security vendors because you are responsible for your organization’s tools.
“The question then is how well the security provider is taking security into account in the implementation of that system — and the same thing, by the way, applied to antivirus solutions, how much information does your antivirus solution upstream and how transparent is the vendor about what they do with the data?”
This is what Jarno Niemelä from F-Secure told The Register at the IAPP’s Europe Data Protection Intensive 2017.
We couldn’t agree more.
More so, look at what Chris Wysopal, CTO of Veracode, underlined in a Wired piece discussing the security gaps in antivirus software.
“Security vendors should be held to a higher standard than the makers of other software. Yet aside from Ormandy, few security researchers have examined these systems for vulnerabilities.
They’ve focused instead on finding vulnerabilities in operating system software and applications while ignoring the software that purports to keep us secure.”
Unfortunately, it’s the nature of the beast. No product can offer 100% security, not even the security products themselves. But that’s not the issue here. What is important is for you and your organization to get ready for GDPR. In doing so, do not forget to explore your security vendors’ efforts towards transparency and their preparedness for the EU General Data Protection Regulation.
After all, you’re both responsible for your customers’ data.
In the eyes of the law, you are both liable for heavy fines.
Mathew J. Schwartz contacted 17 security firms to clarify their telemetry process: data sharing practices and privacy measures. It’s a good way to start your investigation on your antivirus vendors’ GDPR plan. However, we still strongly encourage you to talk to your cybersecurity vendor as soon as possible and adopt a multi-layered approach for your data protection.
Disclaimer: We name mostly Kaspersky as an antivirus vendor due to the amount of news related to them as an organization and for the sake of examples. We are impartial. As always, we recommend users perform in-depth investigations on security features and policies before choosing the product they will use.