Kaspersky plans to move user data from Russia to Switzerland

Kaspersky announced earlier today plans to move the user data of most of its customers to a "Transparency Center" in Switzerland, along with its "software assembly line."

The Transparency Center will be located in Zurich and will house servers that store data on Kaspersky customers across Europe, North America, Australia, Japan, South Korea, and Singapore.

The transparency center will also host the company's "build infrastructure" that Kaspersky uses to assemble and manage its products. More precisely, the Zurich Transparency Center will host:

• The source code of any publicly released product (including old versions),
• Threat detection rule databases,
• The source code of cloud services responsible for receiving and storing the data of customers based in Europe, North America, Australia, Japan, South Korea and Singapore,
• Software tools used for the creation of a product (the build scripts), databases, and cloud services,
• Secure software development documentation.

The move of the software assembly line is set to complete by the end of 2018, while moving servers tasked with storing user data will finish by the end of 2019.

Kaspersky said more transparency centers are set to open in North America and Asia by 2020, but the company is not yet ready to disclose more details.

Kaspersky's fight to clear its name

The creation of the Zurich Transparency Center is part of a larger plan announced by the company in October 2017, called the Global Transparency Initiative.

Kaspersky created these centers so trusted partners and government stakeholders could review its products' source code before deploying it on critical networks.

The Russian antivirus vendor embarked on this initiative after the US government accused the company of working closely with Russian intelligence agencies.

The US government later banned Kaspersky products from government networks. The UK government followed suit, also warning companies against using Kaspersky products on systems that store sensitive data.

The bans affected Kaspersky's reputation in the private sector. Best Buy and Office Depot pulled Kaspersky products off their stores' shelves, and Twitter banned the company from advertising on its network.

Dutch govt announces plans to phase out Kaspersky products

Today's announcement of the Kaspersky Zurich Transparency Center also comes a day after the Dutch government announced plans to phase out the usage of Kaspersky products on government systems "as a precautionary measure," also advising private companies to do the same.

For its part, the Russian antivirus vendor is doing all it can to keep its name clean. As part of this transparency center, Kaspersky said that a third-party organization will be allowed to independently review both processes: how it stores user data and how it builds its software products.

First, our build systems — or “assembly line” — which work on the compilation and creation of Kaspersky Lab products and threat detection rule updates, will now be located in Zurich. That way, our software will be compiled and signed in Switzerland under the supervision of a third-party organization before being distributed to customers.
[...]
The same goes for the data processed by Kaspersky Security Network: Storing it in Switzerland under the supervision of an independent organization means that any access to this data is meticulously logged — and the logs can be reviewed at any moment should any concerns arise.

Kaspersky has not yet announced the third party responsible for supervising this process, but said it would be open to the creation of a "nonprofit organization to take on this responsibility."
