Hidden Content
For years, antivirus software from Kaspersky Lab may have given online marketers a way to track your web browsing habits.
Although the company's products are designed to protect PCs from cyber threats, Kaspersky Lab chose a questionable way to prevent malicious activity on the web pages you visit. The products inject a piece of Javascript code into your internet browser, which can tell you if a website is clean or not.

There's just one problem: The same Javascript code will also tag your machine with a unique identifier that any website you visit can read. For example, the code and the identifier can look like this: "https://gc.kis.v2.scr.kaspersky-labs.com/9344FDA7-AFDF-4BA0-A915-4D7EEB9A6615/main.js."

Ronald Eikenberg, a journalist at German computer magazine c't, noticed the code and realized its privacy ramifications. "Any website can read the user's Kaspersky ID and use it for tracking. If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used," he wrote on Thursday.

The tech industry calls this "cross-site tracking," and many advertising networks as well as Facebook have used similar approaches involving internet cookies and plugins placed across mainstream web services to follow users from site to site. In Kaspersky's case, the company will generate a different identifier for each machine the antivirus software is installed on, and the identifier will persist, remaining permanent, according to Eikenberg. "Worse yet, the super tracking can even overcome the browser's Incognito mode," he added.

Since fall 2015, the company has been injecting Javascript code via its various products, including Kaspersky Lab Internet Security and Kaspersky Lab Free Anti-Virus. Eikenberg even created a website to test whether he could extract and read the Kaspersky Lab's unique identifier. It turns out he could, which made him wonder: "If I was able to create a website in a short period of time that reads and saves the IDs, why couldn't others have done it at some point in the last four years?"

Kaspersky Lab is downplaying the privacy risks. "After our internal research, we have concluded that such scenarios of [a user data] privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals," the company said in a statement.

Nevertheless, Kaspersky has changed its process for checking web pages for malicious activity by removing the unique identifier for each machine. According to Eikenberg, the identifiers will remain identical for all machines on which Kaspersky Lab's security software is installed. However, this approach can also be problematic; it can still tip off a website that you're using Kaspersky Lab's security software, which can be valuable information to a hacker.

"They may use that information to distribute malware tailored to the protection software, or to redirect the browser to a suitable scamming page," he added. "Imagine something along the lines of 'Your Kaspersky license has expired. Please enter your credit card number to renew your subscription.'"

If you're worried about the security risks, Kaspersky Lab offers a way for customers to turn off the Javascript injection. That said, online tracking and shady data collection have already become pervasive on the internet through free apps such as Facebook, Gmail, Instagram, and Google's Chrome browser, which can record all the sites you visit. To stay safe, you can consult our guide.