Antivirus software is something that can help people be safer and more private on the Internet. But your defenses can cut both ways. Case in point: for four years, AV products from Kaspersky Lab injected a unique identifier into the HTML of each website a user visited, making it possible for sites to identify people even when using incognito mode or when they switch between Chrome, Firefox, or Edge.
Kaspersky stopped sending the identifier in May, after Ronald Eikenberg privately reported the behavior to the AV company. The identifier was introduced in the fall (for those in the Northern Hemisphere, anyway) of 2015. That means that for nearly four years, all consumer versions of Kaspersky software for Windows—including the free version, Kaspersky Internet Security, and Kaspersky Total Security—silently tagged users with a unique identifier.
In other words, any website can read the user’s Kaspersky ID and use it for tracking. If the same Global Unique ID returns or appears on another website of the same operator, they can see that the same computer is being used. If this assumption is correct, Kaspersky has created a dangerous tracking mechanism that makes tracking cookies look old. In that case, websites can track Kaspersky users, even if they switch to another browser. Worse yet, super tracking can even override the browser’s incognito mode.
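An added example, not from the article or from Kaspersky: a Python audit a user could run over their own page captures to spot an identifier of the kind described above. It assumes the identifier is GUID-shaped and that each page is saved twice, once as the server sent it (fetched on a machine without the AV product) and once as the local browser rendered it; the hosts and values below are constructed.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser

# Assumption: the identifier is GUID-shaped (8-4-4-4-12 hex digits).
GUID_RE = re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I)

class TokenLocator(HTMLParser):
    """Records every GUID-shaped token and where in the markup it sits."""
    def __init__(self):
        super().__init__()
        self.found = defaultdict(set)  # token -> {"script[src]", "text", ...}
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            for tok in GUID_RE.findall(value or ""):
                self.found[tok.lower()].add(f"{tag}[{name}]")
    def handle_data(self, data):
        for tok in GUID_RE.findall(data):
            self.found[tok.lower()].add("text")

def locate(html):
    parser = TokenLocator()
    parser.feed(html)
    parser.close()
    return parser.found

def injected_identifiers(captures):
    """captures: site -> (html_as_served, html_as_rendered).
    Returns tokens the site never sent that recur on two or more sites."""
    report = defaultdict(lambda: {"sites": set(), "where": set()})
    for site, (served, rendered) in captures.items():
        sent_by_site = set(locate(served))
        for tok, where in locate(rendered).items():
            if tok not in sent_by_site:
                report[tok]["sites"].add(site)
                report[tok]["where"] |= where
    return {tok: {k: sorted(v) for k, v in hit.items()}
            for tok, hit in report.items() if len(hit["sites"]) > 1}

# Constructed sample captures; hosts and identifiers are invented.
INJECTED = '<script src="https://scanner.invalid/AAAAAAAA-0000-4000-8000-000000000001/main.js"></script>'
SITE_JS = '<script src="/app.js?build=bbbbbbbb-0000-4000-8000-000000000002"></script>'
CAPTURES = {
    "news.example": ("<head></head><p>hi</p>",
                     "<head>" + INJECTED + "</head><p>hi</p>"),
    "shop.example": ("<head>" + SITE_JS + "</head>",
                     "<head>" + INJECTED + SITE_JS + "</head>"
                     '<div data-sid="cccccccc-0000-4000-8000-000000000003"></div>'),
}

if __name__ == "__main__":
    for tok, hit in injected_identifiers(CAPTURES).items():
        print(tok, hit["sites"], hit["where"])
```

Running the same audit on captures from a second browser or a private window and comparing the reported token covers the cross-browser and incognito cases the article describes.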
The behavior remains in the new version of Kaspersky Lab released in June, and the company issued an advisory about the risk a month later. The security issue is tracked as CVE-2019-8286.
Before readers get worked up into a lather, let’s review a few things. Even without a unique tracking number, there are many ways for websites to uniquely identify their visitors. IP addresses and cookies are the most obvious methods, but often a specific combination of installed fonts, extensions, and configuration settings is all that is needed to identify a specific user, in some cases even when one uses multiple browsers.
What’s more, Eikenberg told Ars that he tested older Kaspersky products with the Tor browser and found no evidence of the identifier being injected. The upshot of all this: adding a unique identifier to a security feature seems unnecessary and less than ideal for privacy, but it’s not something to make a federal case about. Finally, it wouldn’t be surprising if other AV products do, or have done in the past, similar things.
In a statement, Kaspersky officials wrote:
Kaspersky has changed the process of scanning websites for malicious activity by removing the use of unique identifiers for GET requests. This change was made after Ronald Eikenberg reported to us that using unique identifiers for GET requests could lead to the disclosure of a user’s personal information.
After our internal research, we have concluded that such scenarios of user privacy agreement are possible in theory but impossible to implement in practice, due to their complexity and low reward for cyber criminals. However, we constantly work on improving our technologies and products, resulting in a change in this process.
We would like to thank Ronald Eikenberg for reporting this to us.
Kaspersky Lab officials also confirmed that the company’s AV products do not interact with Tor traffic.
The larger point of all this is that, as noted earlier, AV protection—whether from Kaspersky or anyone else—can be double-edged. Yes, it can save someone who clicks carelessly on links or attachments, but it can also increase the attack surface or add behaviors that many security experts argue are unsafe. (Completely unmentioned in the c’t article is the installation of the digital certificate of their own that many AV products use to inspect HTTPS traffic. That doesn’t sit well with many people who say no application should interfere with TLS traffic.)
Deciding whether to use AV will depend on the user and the device. For an entrepreneur or government contractor directly targeted by government-sponsored hackers—especially when the target uses a Mac or Linux machine—AV probably offers more risk than benefit, with Kaspersky Lab’s unique identifier only adding to the scope of things that can be used against them.
An experienced user who has no experience with porn sites on a Windows machine, on the other hand, will arguably be better off using AV, because as Kaspersky’s statement notes, the identifier is not something that profit-driven hackers are likely to target. One thing is for sure: whatever decision you make, there will be someone on Twitter to tell you that you’re wrong and that your choice is irrational.