With information technologies inseparable from modern society, the importance of cybersecurity is growing, and therefore, trust has never been more important. Clients and partners of companies working in the field of information security need to understand who is involved in protecting their confidential data, what information they are sharing with whom, their guiding principles, and more. To answer those questions, we announced our Global Transparency Initiative a few years ago.
Today, the initiative is getting a major update: As a pioneer in the cybersecurity market, we are publishing a transparency report to publicly share information about the requests we received during 2020–2021 from law enforcement and government organizations worldwide, as well as from our end users. In addition, we’d like to take this opportunity to share more about how we process such requests, including what information we provide.
We want our users to be safe, protected, and confident in the cyberworld — a world whose very existence rampant cybercrime threatens. As part of our contribution to fighting transnational cybercrime, we regularly cooperate with law enforcement agencies around the globe, providing technical analyses of malicious programs to support cybercrime investigations. These organizations sometimes send requests to Kaspersky to provide technical expertise or nonpersonal technical information, as well as requests for user data provided to Kaspersky.
As a cybersecurity company we do not process and do not have the content data (data that users create or communicate) that law enforcement agencies sometimes want for electronic evidence. The limited amount of user data we collect (such as, for example, license details or operating system version) is what’s required for our product to work properly. Nevertheless, we want our users to understand our approach to ensuring users’ data security and privacy and how we respond to requests from law enforcement. That is why we’re publishing our Law Enforcement and Government Requests Report and sharing our core principles for responding to law enforcement and government requests.
Our approach in responding to requests
First and foremost, Kaspersky never provides any enforcement or government organizations with access to user data or the company’s infrastructure. We do provide information about such data on request, but no outside party can directly or indirectly access our infrastructure or data, and Kaspersky employees validate and process all requests.
Second, in recognition of the important roles national, regional, and international law enforcement agencies play in ensuring our users and technology remain safe, we do share technical expertise and technical, nonpersonal information. Our elite cybersecurity researchers and experts consider sharing knowledge, expertise, and skills with others fighting cybercriminals part of their duty.
Third, every request we receive goes through legal verification to ensure our compliance with applicable laws and procedures. Our multistage process, outlined below, guides our decision-making in approving, rejecting, or appealing incoming requests.
Finally, we always decline requests for encryption keys or for introducing undeclared capabilities. We work hard to guarantee the quality and integrity of our products, as independent evaluations of our engineering practices and data security systems confirm and as regulators, partners, and others can verify through our Transparency Centers.
We believe publishing these principles and data on requests is an important part of building and sustaining trust. Following IT industry best practices, today we are publishing data on such requests for the year 2020 and the first six months of 2021, and we will continue updating the numbers every six months. We want our users to remain confident in their data privacy and for our partners in fighting cybercrime to remain confident in our commitment to supporting them.
Today we disclose information about all law enforcement and government requests. In addition, the report presents data about requests received from users for multiple purposes: for removal of their PII, for information about which and where user’s data is stored, as well as requests to provide this information for users. You can find the full text of our first transparency report here.