Russia Wants to Force Internet Companies to Cooperate With Its Surveillance System

On June 24 the Russian parliament is expected to vote new anti-terrorism measures designed to tighten the Kremlin’s grasp on the Internet. The suggested measures come from fear: The parliamentary elections scheduled for Sept. 18, 2016, are fast approaching, and social media, which was instrumental in getting protesters to streets during the December 2011 elections, is not yet under effective government control.

It isn’t for lack of trying. The authorities most counted on two strategies that failed to deliver the expected result by the end of 2015. The first — nationwide filtering of, according to the independent watchdog Roskomsvoboda, more than 1.3 million websites since 2012—backfired spectacularly. The censors had assumed that users would passively accept the filtering, but this ended when rutracker.ru, the most popular torrents website in the country, was blocked in November. Russia at once skyrocketed to second position in the number of users of the Tor network, which anonymizes users and allows them to circumvent filtering. The second strategy—to force Facebook, Twitter and Google to move their servers to Russia under pretext of protecting personal data of Russian users against NSA—was quietly sabotaged by the Internet giants—while avoiding to take a public stand, they simply didn’t not move their servers.

These failures have panicked politicians, because there is little time left to introduce new technologies of control. The authorities made some erratic moves—dozens of bloggers were sent to jail for writing posts critical of the Kremlin, and some proposed issuing fines to those who promote circumvention tools like Tor. In fact, in the end of April, Fang Binxing, the father of the Chinese “Great Firewall,” was invited to Moscow and courted by high-placed Russian officials.

But the effects of these strategies were minimal, so the Kremlin returned to an approach it had tried before: new repressive legislation aimed at Internet companies.

The anti-terrorism package presented at the State Duma suggests two major amendments.

The first will require telecommunications operators and internet service providers to store phone calls records and the content of online conversations for six months and metadata for three years. The second idea is to require the “information-distribution organizations” (i.e., messengers and social media) that use encryption to provide the secret services with the keys that will allow them to “decode” the information. The measure is meant to target encrypted chat messages and any website that uses the HTTPS protocol. In addition, the package will also outlaw the use of “uncertified means of coding (encryption) for the transmission of messages on the Internet.” To get a certificate requires companies to give the keys to the secret services, with the apparent goal to get all apps to have backdoors to allow to spy on messaging in Russia.

Both measures are difficult to implement on the technical level, but that doesn’t matter. They reflect the traditional Russian approach to surveillance, which is based on coercion and intimidation.

Since the 1990s, every Internet service provider in the country must have on its premises a device that connects its servers via underground cable to the HQ of a local branch of the Russian secret services. As Irina Borogan and I tell in our book The Red Web, this practice, known as the System of Operative Research Measures, has been constantly updated ever since.

But the current system provides means for direct interception of traffic, cannot conduct mass surveillance, and helpless against HTTPS. But it provides an excellent opportunity for the secret services to put telecoms under pressure—an ISP is required to install a SORM device, and for that, it needs to ask the security service what equipment is “recommended,” then buy the equipment and install it. Afterward, the ISP is the subject of constant checking from local prosecutors, the secret services, and the telecom watchdog officials. It’s an awkward and dangerous position for the ISP, and most of telecoms soon realize that the best option to avoid problems is to fully cooperate with the authorities.

Russia’s expanding control of the Internet is based on the intimidation and coercion of businesses. The authorities are looking to engage the companies in an ongoing conversation on surveillance, and this law is a great pretext for them to do so. The Kremlin knows pretty well how costly the new measure is for the companies. According to the assessment provided by Mobile TeleSystems, one of the largest mobile operators in Russia, just implementing the requirement to store data for six months will cost the company more than $30 billion.

It isn’t anywhere near effective to have the stored data dispersed all over the country on the servers of regional telecoms and ISPs instead of keeping data in one place, like the way NSA stores data in its Utah facility. But that’s hardly the point. The idea of the new legislation is not to improve surveillance capabilities, but to have another frightening idea on the table that would prompt business to come to the Kremlin and plea for private consultations. The more rude and expensive the new legislation appears, the better.

The idea of forcing messengers to give the keys to the secret services serves the same purpose. The most popular messengers in Russia are all foreign—Telegram, Facebook messenger, WhatsApp, Twitter, Signal. Most of them have been quietly sabotaging government requests to move their servers to Russia. The new legislation would add to this pressure.

The Kremlin’s idea is to create as many pressing points for Internet companies as possible and wait for them to come to private talks. Thus, they believe, could buy some time while they will try to lock the Internet inside of the country. Russia’s Telecoms Ministry already announced a plan to have 99 percent of Internet traffic to be kept within the country by 2020.

By Andrei Soldatov, Future Tense