ESET response to Bits of Freedom open letter on detection of government malware

A coalition of digital rights organizations and academics recently published an ‘open letter’ to the Anti-Malware/Anti-Virus industry, and sent copies to individual vendors, including ESET.

The letter asks for clarification on vendor policies as regards cooperation with government agencies and/or law enforcement using state-sponsored Trojans.

Below is our official response. You can also download a PDF version of this response.

[Image: Bits of Freedom Response, Page 1]

[Image: Bits of Freedom Response, Page 2]

The links referenced in this letter can also be found below:

Finfisher and the Ethics of Detection
German Policeware: Use the Farce…er, Force…Luke
Government, Public Interest and Trojans
Please Police Me (White Paper)

And some other relevant links:
http://www.wilderssecurity.com/showthread.php?t=319731
http://www.wilderssecurity.com/showthread.php?t=5281
http://www.virusbtn.com/virusbulletin/archive/2007/04/vb200704-comment

Author Andrew Lee, ESET

  • Paul

    Glad to know that ESET has ethics and won’t help governments to spy on the people. Good job!

  • Igor

    Sorry, but how should we trust those statements?

    You are located in the US. Companies like Google and Facebook are also located in the US. Both companies denied any government access in public. The international press showed us more than once that this is wrong.
    Also, in the US, when you receive a “security letter”, you are *forced* by law to do whatever they want you to do (you know, terrorists are everywhere and everything is against terrorists…). And you are also not allowed to talk about it.
    So why on earth should we trust any statement like that?
    Face it:
    You (and any other antivirus company) are technically able to deliver a ‘special’ (manipulated) virus definition only to those customers you want to. So for example, if I (the government) had a target using your protection, I can force you to deliver something special to just this customer. This *is* technically possible!
    Because you could filter based on license information who will receive these “special” updates, nobody else will ever notice.
    Your letter is wasted time, sorry.
    To be clear: I may trust you (Eset) not to do such things. But if the “law” will force you, you (as a company) will… that’s the world we live in.

    • Stephen Cobb

      Thank you for your comments Igor. Here are some answers to your questions:

      > Sorry, but how should we trust those statements?

      Trust is hard to quantify. Around 100 million people in 180 countries trust ESET to do its very best to protect their information. ESET is dedicated to maintaining that trust.

      It bears remembering that it is not our actions, but the actions of governments that have brought this mistrust of our companies.

      There have been many incidents where we have detected government-sponsored malware, and none where we have knowingly not detected it.

      > You are located in the US. Companies like Google and Facebook are also located in the US.

      As we stated, ESET is a global organization, headquartered in the EU, with research organizations in multiple parts of the world, and our virus-detection decisions are not made in any single jurisdiction.

      > Also, in the US, when you receive a “security letter”, you are *forced* by law to do whatever they want you to do (you know, terrorists are everywhere and everything is against terrorists…). And you are also not allowed to talk about.

      See above. ESET’s headquarters, where any legal challenge would need to be sent, are not in the US. But in any case, all such orders are challengeable via the legal system and in court.

      Again, since we have our offices in many countries of the world including the US, and we have several malware labs in several different countries, as well as update servers in several different countries, it is very unlikely that there is any legal way one particular government can force us not to detect a particular threat.

      > So for example, if I (the government) had a target using your protection, I can force you to deliver something special to just this customer. This *is* technically possible!

      Many things are technically possible but never happen, and are extremely unlikely to happen. As we stated in our letter, ESET has never been asked to do anything like this, and it would not make sense anyway (see above).

      > Your letter is wasted time, sorry.

      We’re sorry you feel that way, but I can assure you that in ESET offices around the world, and in the wider industry, people remain hard at work protecting the data and systems of all of our customers from intruders and bad actors of all kinds, and we take that responsibility incredibly seriously.

      We try to operate as transparently as possible, and this is why we wrote the letter in response to the questions asked.

      Andrew Lee

  • Cornel du Preez

    Eset wins. End of story.

Copyright © 2014 ESET, All Rights Reserved.