Even without an Internet ‘nuclear option,’ Russian intelligence has been using an existing law to try to access RuNet user data for months. Here's how.
What happened?
The Federation Council has approved a new bill allowing for the isolation of the Russian sector of the Internet. Now, the bill awaits Vladimir Putin’s signature. The last law of this caliber to regulate Internet use in Russia was called “Yarovaya’s Package.” It was introduced into the State Duma three years ago and approved. The measure was supposed to take full effect on July 1, 2018 — almost a year ago.
What did Yarovaya’s Package have to do with the Internet?
Internet operators and so-called “organizers of the spread of information,” an ad hoc group of communications companies from Telegram to Yandex, are obligated under the law to save all of their user data and metadata for Russian intelligence services for six months. That includes all Internet traffic along with all data concerning when they were sent, to whom, and by whom. The law also mandates that companies give Russia’s Federal Security Service (FSB) the ability to access any encrypted data.
Is any of that actually working?
Nope. None of it works:
- Internet providers aren’t saving all of their users’ traffic.
- The keys companies have given to the FSB have not enabled the agency to unencrypt all the data it wants.
- Large Western companies have not complied with the law.
Let’s deal with these one at a time. Why aren’t operators saving user traffic?
They just don’t have anywhere to store it. There are special legal requirements for the equipment companies use to store data for searches and other special operations, and those requirements apply to the servers Yarovaya’s Package requires companies to use to store user traffic. All those requirements were established by Russia’s Communications Ministry in collaboration with the FSB, but that only happened in December 2018, two and a half years after the laws that mandated the servers’ existence. The certification process for this complex equipment can take up to six months, and getting the servers up and running can take a year or more, experts say. According to some estimates, the first certified equipment to comply with Yarovaya’s Package could appear only in the last quarter of 2019.
Why can’t the FSB unencrypt all these companies’ files?
Yarovaya’s Package doesn’t take contemporary message encoding technology into account. Many messengers use protocols with end-to-end encryption: keys are generated on users’ devices, and the messenger’s operator doesn’t have access to them. Users can also check whether anyone has executed a “man-in-the-middle attack” and gained access to the conversation without their knowledge. FSB Director Alexander Bortnikov recently complained once again about the effectiveness of encryption technologies in mobile apps and called on the international community to help, thereby admitting that Russian laws alone will be unable to change the situation.
How have Western companies reacted to Yarovaya’s Package?
It’s unclear, but to this day, the companies that are notably absent from the Russian censorship agency Roskomnadzor’s list of organizers of the spread of information include Google, Facebook, Twitter, Apple, and Microsoft.
On one hand, Roskomnadzor officials consider the list to be a formality; they believe that Internet companies are obligated to cooperate with Russian intelligence services whether they are on it or not. “The obligations of an organizer of the spread of information arise due to the power of the law, not because of their presence on the registry. If your service falls under the definition of an organizer of the spread of information, you are already obligated to do what the law tells you to do,” the agency’s deputy director said in 2017.
On the other hand, it is a known fact that Roskomnadzor spent a long time stubbornly persuading the owners of Zello and Telegram to join the registry voluntarily by threatening to block both communications services.
So Yarovaya’s Package isn’t operational at all?
We don’t know. It’s possible that “organizers of the spread of information” are cooperating with the FSB within the law’s framework, but they are prohibited from publicly communicating that fact. In January of 2018, they were banned from publicizing any information about “cooperation with authorized agencies” after Telegram founder Pavel Durov published letters the company had received from the FSB.
However, the kinds of data Russian special services want to receive from Internet companies is publicly known:
- Username
- Full name
- Date of birth
- Exact address
- Passport number
- List of relatives
- Social circles
- Contact information
- List of languages spoken by the user
- The date and time the account was registered
- The dates and times the service was used
- The texts of the account’s messages
- Audio or video recordings of conversations
- Files transferred
- Payments made
- Location
- IP address
- Telephone number
- Email address
- Program used (browser, messenger, etc.)
- Accounts in other systems
Every item in that list is within the FSB’s requirements for information to be transferred to it for the purpose of search operations. The Communications Ministry published a similar order in December of 2018, but whether the equipment accounted for in that order will also require a lengthy certification process is unknown.
Will there be a delay before the Internet isolation law takes effect too?
Yes. It will take effect on November 1, 2019, and a few sections will follow much later, on January 1, 2021. However, the law requires the Russian government and Roskomnadzor to produce a number of new acts within the law itself, some of which will require FSB approval.
Even when all those documents will be prepared, the Russian government will have to purchase threat reduction and cyber defense technology and integrate that technology into Internet operators’ existing networks. That process will require both substantial funds and a substantial amount of time.
Translation by Hilah Kohen