Kaspersky Labs co-founder Eugene Kaspersky has backed Australian plans to mandate retention of user telco and internet subscriber data for two years, while cautioning against the introduction of mandatory data breach disclosure laws.
Kaspersky has at times called for users to shed pretensions of anonymity on the internet and adopt a quasi-licensing scheme to remove unnecessary, and largely ineffective, levels of security online.
However, the Russian billionaire and security expert tempered his previous arguments during a wide-ranging interview with SC Magazine, defending some governments' plans to introduce or bolster data retention regimes.
"It's a good idea," he told SC at the AusCERT 2012 conference on the Gold Coast this week. "If governments want to trace someone, they will do it; it's just a technical issue."
The federal Attorney-General's Department has held closed-door discussions with service providers for at least two years on the issue, largely revolving around the retention of internet subscriber data and some information on the contents where possible for a period of up to two years.
That discussion is set to gain public recognition as part of a parliamentary consultation on the matter to be held later this year.
Though generally supportive of the notion, Kaspersky qualified his defence with opposition to a similar data retention proposal in the UK, aimed at providing equal access to user telco data without requiring court orders.
"They're going to introduce all this data collection and police will have access to this data whenever they want. I think that's wrong," he said.
"We were at point zero, and there's a point ten; total control. The right area is maybe point three to five but governments are going to point seven. Governments aren't thinking about privacy."
The move towards data retention proposals globally has been somewhat spurred by international treaties, a measure Kaspersky said was indicative of growing cooperation between countries on cybercrime issues.
Interpol and the International Telecommunications Union (ITU) have moved to establish a global taskforce to coordinate action against online criminal networks from both a network and physical point of view.
"I've been talking about cybercriminals for many years because I understood that it was a very serious problem, that it was becoming more serious year by year and I was knocking on the wall," he said.
"Finally we see that governments are taking it seriously and talking about international cooperation against cybercrime."
Interpol will establish a global cybercrime centre in Singapore by September 2014, while the ITU has already begun global investigations into malware networks with the help of Kaspersky.
One recent investigation traced proxy servers distributing malware to its home in Ukraine, which Kaspersky now dubbed the new hacker's "paradise".
However, he urged governments not to go "too far".
"In the past, I've talked about governments introducing more regulation on the internet to fight cybercrime. Now I'm saying 'ok guys, it's good use but don't go too far'."
Data breach laws
Kaspersky cautioned against the potential introduction of mandatory data breach disclosure legislation that would require Australian companies to report user privacy leaks.
Such requirements have been baked into revised privacy principles to be introduced in Australia later this year but further progress on a mandatory notification rule is not expected before the release of the Government's long-awaited Cyber White Paper.
Kaspersky said that while data breach disclosures made sense on an honesty prerogative, disclosing data breaches could potentially sway criminal investigations into the matter or provide attackers with the knowledge necessary to improve future attempts.
"It's very difficult to find a balance between these two," he said.
"Maybe I'm wrong, but I think everything has to be done to prevent the next incident, to stop the guys behind it. We can let the bad guys do it again and again.
"If we expose everything, the bad guys will learn from that and the next time they'll do it better, they'll become more professional."
The growing number of user privacy breaches in Australia and globally has led to the information on thousands of credit cards and user identities leaking online.
The Australian Privacy Commissioner has largely backed mandatory notifications but conceded some work needed to be done to determine the scope of such a scheme.
"To fix the reason is more important than to fix the problem. I'm looking forward to paying more attention to the reason for that and not the result," Kaspersky said.