The Administrative Court of Cologne has ruled that the Federal Office for Information Security (BSI) may warn against virus protection software from Kaspersky. With today's decision, the court rejected the urgent application of a company from the Kaspersky Group based in Germany.
On March 15, 2022, the Federal Office for Information Security (BSI) published a warning stating that the reliability of the Russian manufacturer Kaspersky was called into question by Russia's current warlike activities, and recommended replacing Kaspersky's virus protection software with alternative products.
Kaspersky is applying for an injunction
On March 21, 2022, Kaspersky Labs GmbH, which sells anti-virus products from the Russian manufacturer, applied for a cease-and-desist injunction and revocation of this warning. The company argued that it was a purely political decision with no relation to the technical quality of the virus protection software.
Warning said to be purely political
According to the company, there is no security gap in the sense of a known technical vulnerability. There are also no indications that government agencies in Russia are influencing Kaspersky. In addition, it said, various measures have been taken to increase data security and transparency.
The court did not follow that argument. The legislature has broadly formulated the concept of a security gap that entitles the BSI to issue a warning. Virus protection software in principle fulfills all the requirements for such a security gap because of its far-reaching authorizations to access the respective computer system. The fact that its use is nevertheless recommended is based solely on the high degree of trust in the reliability of the manufacturer. Therefore, there is a security gap if the required high level of trust in the manufacturer is not (or no longer) guaranteed.
A lack of trust is seen as a security gap
This is currently the case with Kaspersky. The company is headquartered in Moscow and employs a large number of people there. In view of the Russian war of aggression in Ukraine, which is also being waged as a “cyber war”, it cannot be ruled out with sufficient certainty that Russian developers will exploit the technical possibilities of virus protection software for cyber attacks on German targets either on their own initiative or under pressure from other Russian actors.
Kaspersky could be misused as attack software
Nor can it be assumed that state actors in Russia will, in keeping with the rule of law, abide by laws under which Kaspersky is not obliged to pass on information. In addition, the massive restrictions on press freedom in Russia in the course of the war with Ukraine have shown that the corresponding legal basis can be created quickly. The security measures cited by Kaspersky do not offer sufficient protection against state interference.
State influence not excluded
It cannot be ruled out that programmers based in Russia can access the data of European users stored in data centers in Switzerland. At the same time, permanent monitoring of the source code and updates seems practically impossible due to the amount of data, the complexity of the program code and the necessary frequency of updates.
Those involved can lodge an appeal against the decision, which would be decided by the Higher Administrative Court in Münster. Ref.: 1 L 466/22
More at VG-Koeln.nrw.de