The New York Times sues the FCC to investigate Russian interference in Net Neutrality decision

The ongoing saga over the FCC’s handling of public comments to its net neutrality proposal continues after The New York Times sued the organization for withholding of information that it believes could prove there was Russian interference.

The Times has filed multiple Freedom of Information Act requests for data on the comments since July 2017, and now, after reducing the scope of its requests significantly was rejected, it is taking the FCC to court in a bid to get the information.

The FCC’s comment system keeled over in May 2017 over during the public feedback period as more than 22 million comments were posted. Plenty of those were suspected of using repeated phrases, fake email addresses and even the names of deceased New Yorkers. The FCC initially falsely claimed the outage was because it was hacked — it wasn’t and it has only just made that clear — it seems instead that its system was unable to handle the volume of comments, with a John Oliver sketch thought to have accounted for a surge in interest.

The New York Times, meanwhile, has been looking into whether Russia was involved. An op-ed in the Washington Post from FCC member Jessica Rosenworcel published earlier this year suggested that as many as 500,000 comments came from Russian email addresses, with an estimated eight million comments sent by throw-away email accounts created via FakeMailGenerator.com. In addition, a report found links between emails mentioned in the Mueller Report and those used to provide comment on net neutrality.

Since the actual events are unclear — for more than a year the FCC allowed people to incorrectly believe it was hacked — an FOIA request could provide a clearer insight into whether there was overseas interference.

Problem: the FCC itself won’t budge, as the suit (which you can find here) explains:

The request at issue in this litigation involves records that will shed light on the extent to which Russian nationals and agents of the Russian government have interfered with the agency notice-and-comment process about a topic of extensive public interest: the government’s decision to abandon “net neutrality.” Release of these records will help broaden the public’s understanding of the scope of Russian interference in the American democratic system.

Despite the clear public importance of the requested records, the FCC has thrown up a series of roadblocks, preventing The Times from obtaining the documents.

Repeatedly, The Times has narrowed its request in the hopes of expediting release of the records so it could explore whether the FCC and the American public had been the victim of orchestrated campaign by the Russians to corrupt the notice-and-comment process and undermine an important step in the democratic process of rule-making.

The original FOIA request lodged in June 2017 from the Times requested “IP addresses, timestamps, and comments, among other data” which included web server data. The FCC initially bulked and declined on the basis that doing so would compromise its IT systems and security (that sounds familiar!), while it also cited privacy concerns for the commenters.

Over the proceeding months, which included dialogue between both parties, the Times pared back the scope of its request considerably. By 31 August 2018, it was only seeking a list of originating IP addresses and timestamps for comments, and a list of user-agent headers (which show a user’s browser type and other diagnostic details) and timestamps. The requested lists were separated to address security concerns.

However, the FCC declined again, and now the Times believes it has “exhausted all administrative remedies.”

“The FCC has no lawful basis for declining to release the records requested,” it added.

Not so, according to the FCC, which released a statement to Ars Technica.

“We are disappointed that The New York Times has filed suit to collect the Commission’s internal Web server logs, logs whose disclosure would put at jeopardy the Commission’s IT security practices for its Electronic Comment Filing System,” a spokesperson said.

The organization cited a District of Columbia case earlier this month which it claimed found that “the FCC need not turn over these same web server logs under the Freedom of Information Act.”

But that is a simplistic read on the case. While the judge did rule against turning over server logs, he ordered the FCC to provide email addresses for those that had provided comment via its .CSV file template, and the files themselves. That’s a decent precedent for the New York Times, which has a far narrow scope with its request.

Trump’s new cyber strategy eases rules on use of government cyberweapons

The Trump administration’s new cyber strategy out this week isn’t much more than a stringing together of previously considered ideas.

In the 40-page document, the government set out its plans to improve cybersecurity, incentivizing change, and reforming computer hacking laws. Election security about a quarter of a page, second only to “space cybersecurity.”

The difference was the tone. Although the document had no mention of “offensive” action against actors and states that attack the US, the imposition of “consequences” was repeated.

“Our presidential directive effectively reversed those restraints, effectively enabling offensive cyber-operations through the relevant departments,” said John Bolton, national security advisor, to reporters.

“Our hands are not tied as they were in the Obama administration,” said Bolton, throwing shade on the previous government.

The big change, beyond the rehashing of old policies and principles, was the tearing up of an Obama-era presidential directive, known as PPD-20, which put restrictions on the government’s cyberweapons. Those classified rules were removed a month ago, the Wall Street Journal reported, described at the time as an “offensive step forward” by an administration official briefed on the plan.

In other words, it’ll give the government greater authority to hit back at targets seen as active cyberattackers — like Russia, North Korea, and Iran — all of which have been implicated in cyberattacks against the US in the recent past.

Any rhetoric that ramps up the threat of military action or considers use of force — whether in the real world or in cyberspace — is all too often is met with criticism, amid concerns of rising tensions. This time, not everyone hated it. Even ardent critics like Sen. Mark Warner of the Trump administration said the new cyber strategy contained “important and well-established cyber priorities.”

The Obama administration was long criticized for being too slow and timid after recent threats — like North Korea’s use of the WannaCry and Russian disinformation campaigns. Some former officials pushed back, saying the obstacle to responding aggressively to a foreign cyberattack was not the policy, but the inability of agencies to deliver a forceful response.

Kate Charlet, a former government cyber policy chief, said that policy’s “chest-thumping” rhetoric is forgivable so long as it doesn’t mark an escalation in tactics.

“I felt keenly the Department’s frustration over the challenges in taking even reasonable actions to defend itself and the United States in cyberspace,” she said. “I have since worried that the pendulum would swing too far in the other direction, increasing the risk of ill-considered operations, borne more of frustration than sensibility.”

Trump’s new cyber strategy, although a change in tone, ratchets up the rhetoric but doesn’t mean the government will suddenly become trigger-happy overnight. While the government now has greater powers to strike back, it may not have to if the policy serves as the deterrent it’s meant to be.

Alibaba goes big on Russia with joint venture focused on gaming, shopping and more

Alibaba is doubling down on Russia after the Chinese e-commerce giant launched a joint venture with one of the country’s leading internet companies.

Russia is said to have over 70 million internet users, around half of its population, with countless more attracted from Russian-speaking neighboring countries. The numbers are projected to rise as, like in many parts of the world, the growth of smartphones brings more people online. Now Alibaba is moving in to ensure it is well placed to take advantage.

Mail.ru, the Russia firm that offers a range of internet services including social media, email and food delivery to 100 million registered users, has teamed up with Alibaba to launch AliExpress Russia, a JV that they hope will function as a “one-stop destination” for communication, social media, shopping and games. Mail.ru backer MegaFon, a telecom firm, and the country’s sovereign wealth fund RDIF (Russian Direct Investment Fund) have also invested undisclosed amounts into the newly-formed organization.

To recap: Alibaba — which launched its AliExpress service in Russia some years ago — will hold 48 percent of the business, with 24 percent for MegaFon, 15 percent for Mail.ru and the remaining 13 percent take by RDIF. In addition, MegaFon has agreed to trade its 10 percent stake in Mail.ru to Alibaba in a transaction that (alone) is likely to be worth north of $500 million.

That figure doesn’t include other investments in the venture.

“The parties will inject capital, strategic assets, leadership, resources and expertise into a joint venture that leverages AliExpress’ existing businesses in Russia,” Alibaba explained on its Alizila blog.

Alibaba looks to have picked its horse in Russia’s internet race: Mail.ru [Image via KIRILL KUDRYAVTSEV/AFP/Getty Images]

The strategy, it seems, is to pair Mail.ru’s consumer services with AliExpress, Alibaba’s international e-commerce marketplace. That’ll allow Russian consumers to buy from AliExpress merchants in China, but also overseas markets like Southeast Asia, India, Turkey (where Alibaba recently backed an e-commerce firm) and other parts of Europe where it has a presence. Likewise, Russian online sellers will gain access to consumers in those markets. Alibaba’s ‘branded mall’ — TMall — is also a part of the AliExpress Russia offering.

This deal suggests that Alibaba has picked its ‘horse’ in Russia’s internet race, much the same way that it has repeatedly backed Paytm — the company offering payments, e-commerce and digital banking — in India with funding and integrations.

Already, Alibaba said that Russia has been a “vital market for the growth” for its Alipay mobile payment service. It didn’t provide any raw figures to back that up, but you can bet that it will be pushing Alipay hard as it runs AliExpress Russia, alongside Mail.ru’s own offering, which is called Money.Mail.Ru.

“Most Russian consumers are already our users, and this partnership will enable us to significantly increase the access to various segments of the e-commerce offering, including both cross-border and local merchants. The combination of our ecosystems allows us to leverage our distribution through our merchant base and goods as well as product integrations,” said Mail.Ru Group CEO Boris Dobrodeev in a statement.

This is the second strategic alliance that MegaFon has struck this year. It formed a joint venture with Gazprombank in May through a deal that saw it offload five percent of its stake in Mail.ru. MegaFon acquired 15.2 percent of Mail.ru for $740 million in February 2017.

The Russia deal comes a day after Alibaba co-founder and executive chairman Jack Ma — the public face of the company — announced plans to step down over the next year. Current CEO Daniel Zhang will replace him as chairman, meaning that the company will also need to appoint a new CEO.

Russian arms manufacturer Kalashnikov unveils its answer to Tesla

The Russian weapons manufacturer Kalahsnikov, best known for making the AK-47 machine gun, has unveiled a fleet of electric and hybrid cars, buggies and motorcycles this week — including an electric vehicle that the company says will rival Tesla.

While it’s a noble goal to take competitive aim at the world’s most famous electric vehicle brand, the retro-styled concept car, dubbed the CV-1, bears a closer resemblance to another, more infamous car from the Soviet era… the Trabant.

That’s a vehicle, by the way, whose Fahrvergnügen is best illustrated by the Conan O’Brien’s demonstration below.

The CV-1 is based on the retro-IZH-21252 model known as the “Combi” and is a test bed for Kalashnikov’s electric drive train, which the company said was developed in-house. The Combi has a cruising range of 350 kilometers and can go from 0 to 100 kilometers in roughly 6 seconds, so says the company.

Batteries for the new electric vehicle from Kalashnikov have a capacity of 90 kilowatts per hour.

At the same gun show where the new EV was unveiled, Kalashnikov also showed off a hybrid buggy and an electric motorcycle to complete its hattrick.

The four-seat buggy can purportedly achieve speeds of up to 100 kilometers per hour and has separate electric engines for its front and rear wheels, along with hydraulic shock absorbers. According to Russian news agency RT, the vehicles are a relatively recent addition to the Russian military’s mobility arsenal.

Kalashnikov’s new electric motorcycle for police units

Kalashnikov may have Tesla in its sights, but the car company likely has more to fear from U.S. regulators than it does from a Russian competitor. At this point, the weapons manufacturer might find more of a market for another machine it debuted at the Russian military trade show — its golden, metal-plated killer robot (!!).

Here’s a selection of images below, courtesy of Kalashnikov, of the new electric vehicle.

[gallery ids="1698553,1698555,1698556,1698557,1698558,1698559,1698554"]

With assistance from Jon Russell

Facebook and Twitter remove hundreds of accounts linked to Iranian and Russian political meddling

Facebook has removed hundreds of accounts and pages for what it calls “coordinated inauthentic behavior,” generally networks of ostensibly independent outlets that were in fact controlled centrally by Russia and Iran. Some of these accounts were identified as much as a year ago.

In a post by the company’s head of cybersecurity policy, Nathaniel Gleicher, the company described three major operations that it had monitored and eventually rolled up with the help of security firm FireEye. The latter provided its own initial analysis, with more to come.

Notably, few or none of these were focused on manipulating the 2018 midterm elections here in the states, but rather had a variety of topics and apparent goals. The common theme is certainly attempting to sway political opinion — just not in Ohio.

For instance a page may purport to be an organization trying to raise awareness about violence perpetrated by immigrants, but is in fact operated by a larger shadowy group attempting to steer public opinion on the topic. The networks seem to originate in Iran, and were promoting narratives including “anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. policies favorable to Iran,” as FireEye describes them.

The first network Facebook describes, “Liberty Front Press,” comprised 74 pages, 70 accounts, and 3 groups on Facebook, and 76 accounts on Instagram. Some 155,000 people followed at least one piece of the Facebook network and they had 48,000 Instagram followers. They were generally promoting political views in the Middle East and only recently expanded to the States; they spent $6,000 on ads beginning in January 2015 up until this month.

A related network to this one also engaged in cyberattacks and hacking attempts. Its 12 pages and 66 accounts, plus 9 on Instagram, were posing as news organizations.

A third network had accounts going back to 2011; it was sharing content in the Middle East as well, about local, U.S., and U.K. political issues. With 168 pages and 140 Facebook accounts and 31 Instagram accounts, this was a big one. As you’ll recall, the big takedown of Russia’s IRA accounts only amounted to 135. (The full operation was of course much larger than that.)

This network had 813,000 accounts following it on Facebook and 10,000 on Instagram, and had also spent about $6,000 on ads between 2012 and April of this year. Notably that means that Facebook was taking ad dollars from a network it was investigating for “coordinated inauthentic behavior.” I’ve asked Facebook to explain this — perhaps it was done so as not to tip off the network that it was under investigation.

Interestingly this network also hosted 25 events, meaning it was not just a bunch of people in dark rooms posting under multiple pseudonyms and fake accounts. People attended real-life events for these pages, suggesting the accounts supported real communities despite being sockpuppets for some other organization.

Twitter, almost immediately after Facebook’s post, announced that it had banned 284 of accounts for “coordinated manipulation” originating in Iran.

The Iranian networks were not alleged to be necessarily the product of state-backed operations, but of course the implication is there and not at all unreasonable. But Facebook also announced that it was removing pages and accounts “linked to sources the U.S. government has previously identified as Russian military intelligence services.”

The number and nature of these accounts is not gone into in detail, except to say that their activity was focused more on Syrian and Ukrainian political issues. “To date, we have not found activity by the accounts targeting the U.S.,” the post reads. But at least the origin is relatively clear: Russian state actors.

This should be a warning that it isn’t just the U.S. that is the target of coordinated disinformation campaigns online — wherever one country has something to gain by promoting a certain viewpoint or narrative, you will find propaganda and other efforts underway via whatever platforms are available.

Senator Mark Warner (D-VA) issued a brief I-told-you-so following the news.

“I’ve been saying for months that there’s no way the problem of social media manipulation is limited to a single troll farm in St. Petersburg, and that fact is now beyond a doubt,” he said in a statement. “We also learned today that the Iranians are now following the Kremlin’s playbook from 2016. While I’m encouraged to see Facebook taking steps to rid their platforms of these bad actors, there’s clearly more work to be done.”

He said he plans to bring this up at the Senate Intelligence Committee’s grilling of Facebook, Twitter, and Google leadership on September 5th.

BlaBlaCar acquires carpool rival BeepCar from Russia’s Mail.Ru

Another acquisition for French carpooling platform BlaBlaCar: It’s picked up Russian Internet giant Mail.Ru’s relatively recent rival offering, BeepCar, in what’s being billed as both an acquisition and a partnership.

BlaBlaCar says the move is aimed at consolidating its international growth.

“Through this acquisition, we are doubling down our commitment to develop carpooling in Russia, and to address growing Russian demand for a convenient and reliable long-distance mobility solution,” said co-founder and CEO Nicolas Brusson in a statement.

Russia, a market which BlaBlaCar launched into via acquisition back in 2014 is now its largest market (with 15M users out of its global user base on 65M+). Whereas BeepCar, which only started in 2017, is reported to have passed five million downloads for its app as of Q2 this year.

But close competition from a well-resourced, local Internet giant in a core strategic market where BlaBlaCar has focused for growth likely meant this acquisition was probably only a matter of time.

Financial terms have not been disclosed but it includes a marketing partnership — with BlaBlaCar committing to further promote carpooling through Mail.Ru Group platforms (so it’ll presumably be buying ads).

While, from this fall, BeepCar traffic will be redirected to BlaBlaCar — thereby “driving” advertising revenue for Mail.Ru Group, as they put it (ho-ho).

A spokeswoman for BlaBlaCar confirmed the BeepCar brand and platform will be going away as the service is being consolidated into BlaBlaCar’s platform.

This April the French startup also acquired a Paris-based rival, called Less. While, back in 2015, it bagged its then biggest European rival, Carpooling.com, to dominate its home region.

For its part, the Mail.Ru Group said it will focus on developing its larger verticals: Food delivery, classifieds, cross-border trade, and taxi ride-hailing services.

Russian hackers already targeted a Missouri senator up for reelection in 2018

A Democratic senator seeking reelection this fall appears to be the first identifiable target of Russian hacking in the 2018 midterm race. In a new story on the Daily Beast, Andrew Desiderio and Kevin Poulsen reported that Democratic Missouri Senator Claire McCaskill was targeted in a campaign-related phishing attack. That clears up one unspecified target from last week’s statement by Microsoft’s Tom Burt that three midterm election candidates had been targeted by Russian phishing campaigns.

Russian Election Interference

The report cites its own forensic research in determining the attacker is likely Fancy Bear, a hacking group believed to be affiliated with Russian military intelligence.

“We did discover that a fake Microsoft domain had been established as the landing page for phishing attacks, and we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for elections in the midterm elections,” Burt said during the Aspen Security Forum. Microsoft removed the domain and noted that the attack was unsuccessful.

Sen. McCaskill confirmed in a press release that she was targeted by the attack, which appears to have taken place in August 2017:

Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable. While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated. I’ve said it before and I will say it again, Putin is a thug and a bully.

TechCrunch has reached out to Sen. McCaskill’s office for additional details on the incident. McCaskill, a vocal Russia critic, will likely face Republican frontrunner and Trump pick Josh Hawley this fall.

Department of Justice indicts 12 Russian intelligence officers for Clinton email hacks

Just days before President Trump is set to meet with Russian President Vladimir Putin, the Department of Justice has leveled new charges against 12 Russian intelligence officers who allegedly hacked the Democratic National Committee and the presidential campaign of Hillary Clinton .

The charges were released by Rod J. Rosenstein, the deputy attorney general who’s leading the investigation into Russian election tampering because of the recusal of Attorney General Jeff Sessions from the investigation.

In January of last year, the intelligence community issued a joint statement affirming that Russia had indeed tampered with the U.S. presidential elections in 2016.

Russian Election Interference

Now the investigation is beginning to release indictments. Three former campaign aides for the president’s campaign have already pleaded guilty, and the president himself is under investigation by Special Investigator Robert Mueller for potential obstruction of justice.

According to the indictment, the Russians used spearphishing attacks to gain access to the network of the Democratic National Committee and the Democratic Congressional Campaign Committee.

Rosenstein also said that Russia’s military intelligence service was behind the leaks that distributed the information online under the aliases Guccifer 2.0 and DCLeaks.

Read the full indictment below.

 

Naspers is in talks to invest in Southeast Asia’s Carousell

Naspers, the South Africa-based firm that famously backed Chinese giant Tencent in its infancy, is in talks to invest in Singapore-based startup Carousell, according to two sources with knowledge of discussions.

Carousell offers a mobile app that combines listings with peer-to-peer selling across Southeast Asia, Taiwan and Hong Kong. That makes it well-aligned with Naspers’ portfolio, which features some of the world’s largest classifieds services including OLX, which covers 45 countries, Letgo in the U.S. and Avito in Russia.

TechCrunch understands that Naspers is pursuing a deal with Carousell with a view to making it the firm’s key play in Southeast Asia and other parts of the APAC region.

Discussions are at a relatively early stage so it isn’t clear what percentage of the company that Naspers is seeking to acquire, although it would be a minority investment that values the Carousell business at over $500 million. The deal could be a first step towards Naspers acquiring a controlling interest in the business further down the line, one source said.

Carousell declined to respond when asked for comment.

“It is our company’s policy to neither acknowledge nor deny our involvement in any merger, acquisition or divestiture activity, nor to comment on market rumors,” Naspers told TechCrunch in a statement.

Timing of the discussions is notable since Carousell announced a $85 million investment round in May. (TechCrunch broke news of the round the previous October.) That deal — the startup’s Series C — took it to $126 million from investors to date and added big names to the Carousell cap table. EDBI, the corporate investment arm of Singapore’s Economic Development Board, and Singapore’s DBS, Southeast Asia’s largest bank, took part in the Series C, which also included existing backers Rakuten Ventures, the VC linked to Japanese e-commerce giant Rakuten, Golden Gate Ventures, Sequoia India and 500 Startups.

Earlier this month, Carousell CEO and co-founder Siu Rui Quek told Bloomberg that the company had turned down acquisition offers in the past.

Carousell is highly-regarded in Singapore for being one of the first home-grown startups to show promise — its three founding members each graduated the National University of Singapore, NUS.

Aside from raising significant investor capital, it has scaled regionally it is battle against larger and better-funded e-commerce rivals Alibaba -owned Lazada and Shopee, a business from NYSE-listed Sea. In May, Quek told TechCrunch that Carousell has helped sell over 50 million items between users and it currently has over 144 million listings.

Naspers, meanwhile, has upped its focus on Southeast Asia in recent times, although its sole deal is a $5 million investment in crypto startup Coins.ph.

The firm remains best known for its Tencent deal, which is legendary in investment circles. Back in 2001, it bought 46.5 percent of Tencent for $32 million. Over time that was diluted to 33 percent, but it grew significantly in size as Tencent’s business took off, going on to become Asia’s first $500 billion company last November. Naspers resisted the urge to sell until March 2018 when it parted with two percent of the firm in exchange for around $9.8 billion.

Another of Nasper’s big wins this year was Flipkart’s sale to Walmart which earned it $2.2 billion in returns.

Kaspersky to move some core infrastructure out of Russia to fight for trust

Russian cybersecurity software maker Kaspersky Labs has announced it will be moving core infrastructure processes to Zurich, Switzerland, as part of a shift announced last year to try to win back customer trust.

It also said it’s arranging for the process to be independently supervised by a Switzerland-based third party qualified to conduct technical software reviews.

“By the end of 2019, Kaspersky Lab will have established a data center in Zurich and in this facility will store and process all information for users in Europe, North America, Singapore, Australia, Japan and South Korea, with more countries to follow,” it writes in a press release.

“Kaspersky Lab will relocate to Zurich its ‘software build conveyer’ — a set of programming tools used to assemble ready to use software out of source code. Before the end of 2018, Kaspersky Lab products and threat detection rule databases (AV databases) will start to be assembled and signed with a digital signature in Switzerland, before being distributed to the endpoints of customers worldwide.

“The relocation will ensure that all newly assembled software can be verified by an independent organization, and show that software builds and updates received by customers match the source code provided for audit.”

In October the company unveiled what it dubbed a “comprehensive transparency initiative” as it battled suspicion that its antivirus software had been hacked or penetrated by the Russian government and used as a route for scooping up US intelligence.

Since then Kaspersky has closed its Washington D.C. office — after a ban on its products for U.S. government use which was signed into law by president Trump in December.

Being a trusted global cybersecurity firm and operating core processes out of Russia where authorities might be able to lean on your company for access has essentially become untenable as geopolitical concern over the Kremlin’s online activities has spiked in recent years.

Yesterday the Dutch government became the latest public sector customer to announce a move away from Kaspersky products (via Reuters) — saying it was doing so as a “precautionary measure”, and advising companies operating vital services to do the same.

Responding to the Dutch government’s decision, Kaspersky described it as “very disappointing”, saying its transparency initiative is “designed precisely to address any fears that people or organisations may have”.

“We are implementing these measures first and foremost in response to the evolving, ultra-connected global landscape and the challenges the cyber-world is currently facing,” the company adds in a detailed Q&A about the measures. “This is not exclusive to Kaspersky Lab, and we believe other organizations will in future also choose to adapt to these trends. Having said that, the overall aim of these measures is transparency, verified and proven, which means that anyone with concerns will now be able to see the integrity and trustworthiness of our solutions.”

The core processes that Kaspersky will move from Russia to Switzerland over this year and next — include customer data storage and processing (for “most regions”); and software assembly, including threat detection updates.

As a result of the shift it says it will be setting up “hundreds” of servers in Switzerland and establishing a new data center there, as well as drawing on facilities of a number of local data center providers.

Kaspersky is not exiting Russia entirely, though, and products for the Russian market will continue to be developed and distributed out of Moscow.

“In Switzerland we will be creating the ‘worldwide’ (ww) version of our products and AV bases. All modules for the ww-version will be compiled there. We will continue to use the current software build conveyer in Moscow for creating products and AV bases for the Russian market,” it writes, claiming it is retaining a software build conveyor in Russia to “simplify local certification”.

Data of customers from Latin American and Asia (with the exception of Japan, South Korea and Singapore) will also continue to be stored and processed in Russia — but Kaspersky says the list of countries for which data will be processed and stored in Switzerland will be “further extended, adding: “The current list is an initial one… and we are also considering the relocation of further data processing to other planned Transparency Centers, when these are opened.”

Whether retaining a presence and infrastructure in Russia will work against Kaspersky’s wider efforts to win back trust globally remains to be seen.

In the Q&A it claims: “There will be no difference between Switzerland and Russia in terms of data processing. In both regions we will adhere to our fundamental principle of respecting and protecting people’s privacy, and we will use a uniform approach to processing users’ data, with strict policies applied.”

However other pre-emptive responses in the document underline the trust challenge it is likely to face — such as a question asking what kind of data stored in Switzerland that will be sent or available to staff in its Moscow HQ.

On this it writes: “All data processed by Kaspersky Lab products located in regions excluding Russia, CIS, Latin America, Asian and African countries, will be stored in Switzerland. By default only aggregated statistics data will be sent to R&D in Moscow. However, Kaspersky Lab experts from HQ and other locations around the world will be able to access data stored in the Transparency Center. Each information request will be logged and monitored by the independent Swiss-based organization.”

Clearly the robustness of the third party oversight provisions will be essential to its Global Transparency Initiative winning trust.

Kaspersky’s activity in Switzerland will be overseen by an (as yet unnamed) independent third party which the company says will have “all access necessary to verify the trustworthiness of our products and business processes”, including: “Supervising and logging instances of Kaspersky Lab employees accessing product meta data received through KSN [Kaspersky Security Network] and stored in the Swiss data center; and organizing and conducting a source code review, plus other tasks aimed at assessing and verifying the trustworthiness of its products.

Switzerland will also host one of the dedicated Transparency Centers the company said last year that it would be opening as part of the wider program aimed at securing customer trust.

It expects the Swiss center to open this year, although the shifting of core infrastructure processes won’t be completed until Q4 2019. (It says on account of the complexity of redesigning infrastructure that’s been operating for ~20 years — estimating the cost of the project to be $12M.)

Within the Transparency Center, which Kaspersky will operate itself, the source code of its products and software updates will be available for review by “responsible stakeholders” — from the public and private sector.

It adds that the details of review processes — including how governments will be able to review code — are “currently under discussion” and will be made public “as soon as they are available”.

And providing government review in a way that does not risk further undermining customer trust may also provide a tricky balancing act for Kaspersky, given multi-directional geopolitical sensibilities, so the devil will be in the policy detail vis-a-vis “trusted” partners and whether the processes it deploys can reassure all of its customers all of the time.

“Trusted partners will have access to the company’s code, software updates and threat detection rules, among other things,” it writes, saying the Center will provide these third parties with: “Access to secure software development documentation; Access to the source code of any publicly released product; Access to threat detection rule databases; Access to the source code of cloud services responsible for receiving and storing the data of customers based in Europe, North America, Australia, Japan, South Korea and Singapore; Access to software tools used for the creation of a product (the build scripts), threat detection rule databases and cloud services”; along with “technical consultations on code and technologies”.

It is still intending to open two additional centers, one in North America and one in Asia, but precise locations have not yet been announced.

On supervision and review Kaspersky also says that it’s hoping to work with partners to establish an independent, non-profit organization for the purpose of producing professional technical reviews of the trustworthiness of the security products of multiple members — including but not limited to Kaspersky Lab itself.

Which would certainly go further to bolster trust. Though it has nothing firm to share about this plan as yet.

“Since transparency and trust are becoming universal requirements across the cybersecurity industry, Kaspersky Lab supports the creation of a new, non-profit organization to take on this responsibility, not just for the company, but for other partners and members who wish to join,” it writes on this.

Next month it’s also hosting an online summit to discuss “the growing need for transparency, collaboration and trust” within the cybersecurity industry.

Commenting in a statement, CEO Eugene Kaspersky, added: In a rapidly changing industry such as ours we have to adapt to the evolving needs of our clients, stakeholders and partners. Transparency is one such need, and that is why we’ve decided to redesign our infrastructure and move our data processing facilities to Switzerland. We believe such action will become a global trend for cybersecurity, and that a policy of trust will catch on across the industry as a key basic requirement.”