Recently an open letter from Bits of Freedom, a group comprised of 24 digital rights organizations and academics, including the Electronic Frontier Foundation (EFF) in the US and Netzpolitik.org in Germany, was sent to security software vendors. AVAST did not receive the letter “officially,” although our company was listed among the vendors.
The purpose of the open letter was to request a clarification of our policy on the use of software for the purpose of government-sanctioned surveillance of its citizens. In other words, do we look the other way when governments or law enforcement agencies install malware on private citizens' personal computers to collect data?
It has become very clear that governments will do anything to gain access to as much information as possible,” says Bits of Freedom’s Ton Siedsma. “Requests like these, coming from law enforcement agencies or secret services, lower the general level of protection of all users of antivirus software. The software isn’t just used by suspects, but by all of us. This is something to be very concerned about, so we have asked the antivirus software vendors for transparency on this matter.
AVAST's Chief Technology Officer, Ondřej Vlček, responded to their questions:
1. Have you ever detected the use of software by any government (or state actor) for the purpose of surveillance?
Yes, we have had incidences where it became apparent that software our programs detected was in fact surveillance software. Although it's not always 100% clear who is behind this, in some cases we had reasons to believe that it was distributed by government institutions.
2. Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software? And if so, could you provide information on the legal basis of this request, the specific kind of software you were supposed to allow and the period of time which you were supposed to allow this use?
No. We have never been approached by any government agency, but we also don't think that this realistically would ever happen. It would be very risky for a government agency to ask antivirus companies to ignore and not detect their malware. They can't expect that security companies would keep this information to themselves; this would therefore risk the news about their malware getting leaked to the media faster than they can think.
3. Have you ever granted such a request? If so, could you provide the same information as in the point mentioned above and the considerations which led to the decision to comply with the request from the government?
No, we have never granted such a request.
4. Could you clarify how you would respond to such a request in the future?
The security and privacy of our users has been the core of our business for 25 years. Whenever we detect malware, regardless of its origin or type, we always protect our users. This includes malware from governments and official institutions - if we detect the malware, no matter the origin of the creator, we create a solution to protect our users.