DHS reporting submitted by Kaspersky as part of their court case provides some insight into why the U.S. government was warning against the use of Kaspersky products.
“Based on publicly available information, Kaspersky-branded antivirus software and other Kaspersky-branded products and solutions that contain antivirus functionality appear to present the general antivirus software risks identified above. For example, the default installation of Kaspersky Internet Security scans all encrypted HTTPS connections using the interception technique described above in order to detect malicious activity.
Additionally, Kaspersky customers may participate in the Kaspersky Security Network (KSN). KSN is a cloud-based network to which a wide range of data from customer devices may be transferred for the purpose of additional analysis. A list of such data is available in the KSN Statement, which users must agree to in order to participate. Under the terms of the agreement, the information subject to transfer includes highly sensitive data collected from a user’s device, such as information about the computer’s hardware and software, files downloaded, certain websites visited, running applications, and user account names—essentially the full spectrum of forensic data a device produces. Furthermore, Kaspersky notes in the KSN Statement that it reserves the right to disclose any of the information processed “under confidentiality and licensing agreements with certain third parties which assist [Kaspersky] in developing, operating, and maintaining the Kaspersky Security Network.” These third parties may be trusted partners of Kaspersky, but that does not mean they are subject to the same vetting and rigorous suitability scrutiny as other companies with which the U.S. Government has entrusted its data.”
DHS Kaspersky Ban Letter (PDF Report)
DHS NCCIC Kaspersky Berkley Research Group Independent Assessment (PDF Report)
