Sliding downhill after Sochi
They are the two most famous people in Russia: Vladimir Putin, the country’s president, who publicly stated that the internet is a “CIA project”, 1 and Edward Snowden, the US National Security Agency (NSA) whistleblower who sought asylum in Moscow. For months neither was known to have talked. Then, this April, they appeared in a television debate. 2 Speaking via video link, Snowden asked: “Does Russia intercept, store or analyse in any way the communications of millions of individuals?” Putin’s answer was adamant. “We don’t have a mass system for such interception,” he said, “and according to our law it cannot exist.”
Unfortunately for the country’s internet users, there is a weight of evidence – much of it recently uncovered by researchers – that a mass system of interception does in fact exist and that Russia does have laws which enable it to exist. In Russia, as Snowden surely knew, the question increasingly is not which parts of the internet are being monitored by the state but which parts are not. It is why his new home is an unlikely refuge for a champion of communications privacy.
Policy and political background
The Soviet Union (USSR) had no qualms about surveillance. From its inception, the secret services pried into the private lives of its citizens. In the 1980s this resulted in the development of an automated nationwide communications interception service which could monitor the government-owned telecommunications services.
This did not stop with the USSR’s collapse. 3 The KGB’s 4 successor, the Federal Security Service (FSB), remained committed to surveillance. The telecommunications sector was no longer owned by the state, but the Ministry of Communications stipulated that the newly privatised companies install a device that is believed to enable the FSB to listen to or record calls without the provider’s knowledge. This was SORM (System of Operative-Investigative Measures). Its capabilities have since been increased, first under SORM-2 and then SORM-3. Described by one expert as “Prism on steroids”, 5 it is now an intercept programme that privacy campaigners maintain permits the FSB to monitor and collect traffic without the knowledge of internet service providers (ISPs) or their users.
The country’s laws do contain prohibitions on mass surveillance and FSB officers are required to obtain a court order to access communications. 6 Once a warrant has been obtained, however, it does not have to be shown to phone or internet providers, as is required in much of the West. Free speech activists have shown that the only person the FSB officer must show the court order to is his superior. 7
“Assume any electronic device can be exploited”
Ahead of the Sochi Winter Olympics, the US State Department’s Bureau of Diplomatic Security warned staff visiting the Games: “Assume any electronic device you take can be exploited. If you do not need the device do not take it.”
Visitors were given a series of dos and don’ts to protect their privacy, according to those who have seen the document. 8 It read like something from a John le Carré novel. “Essential devices should have all personal identifying information and sensitive files removed or ‘sanitized’. Devices with wireless connection capabilities should have the Wi-Fi turned off at all times… Do not connect to local ISPs at cafés, coffee shops, hotels, airports or other local venues… Change all your passwords before and after your trip… Be sure to remove the battery from your Smartphone when not in use.”
On how the Russian state apparently gained such penetration, we primarily have two Russian investigative journalists – Andrei Soldatov and Irina Borogan – and the website they co-founded, Agentura.ru, to thank. For Sochi, the pair collated dozens of open source technical documents on the government procurement website Zakupki, 9 cross-referenced with the public records of various oversight agencies, to show how telephone and Wi-Fi networks were being amended in the run-up to the Games.
The organisers of Sochi had trumpeted it as the most technologically accessible Games ever with free high-speed Wi-Fi access at all venues, and at media centres and hotels, as well as a 4G LTE 10 network. Soldatov and Borogan detailed in “Surveillance at the Sochi Olympics 2014” how wireless encryption had apparently been disabled in this network so that, although communications remained encrypted against casual eavesdropping by hackers, they would not be for the FSB. 11 The pair furthermore produced documents showing Rostelecom, the national telecoms operator responsible for the 4G network, was installing deep packet inspection (DPI) devices. 12
Soldatov and Borogan also revealed the existence of an FSB presentation on how SORM was being upgraded for the event. 13 The existence of SORM is well known. Indeed Russian internet users never seem to have been under the illusion, as in the West pre-Snowden, that internet use was private. 14 In every Russian town there are widely believed to be underground cables that connect the local FSB bureau with ISPs and telecom providers. Originally created by the KGB to monitor phone calls, from 1998 SORM could also access the internet. 15 This incarnation of SORM enabled only a limited amount of data to be collected, however, not least because many intercepts were operated manually by agents. According to Soldatov and Borogan, this is no longer the case. SORM’s Sochi incarnation collects information from all forms of communication and provides long-term storage. Furthermore, they write, the introduction of the DPIs enables those sending and receiving specific packets of electronic information to be identified, and for the information in those packets to be filtered.
Since 2000 eight Russian agencies have had access to intercepts: the Interior Ministry, the FSB, the Federal Protective Service, the Foreign Intelligence Service, Customs and Excise, the Federal Anti-drug Agency, the Federal Prisons Service and the Main Intelligence Directorate of the General Staff. 16 Independent privacy watchdogs report that it is the ISPs who are required to cover the cost of installing the devices enabling traffic to be monitored, but they are denied access to the surveillance boxes so neither service providers nor their users know what is being collected or when. Those that resist face penalties: 17 first a fine; then, if they do not comply, the possibility of their licence being revoked. A joint investigation by Agentura.ru, Citizen Lab and Privacy International found 16 such warnings to telecoms and internet providers in 2010. For 2011 they found 13. In 2012 the number had jumped to 30. 18 The use of SORM also appears to be growing. Figures from the Russian Supreme Court showed a doubling of telephone communication intercepts between 2007 and 2012 from 265,937 to 539,864. 19 These figures did not include counterintelligence conducted on Russian citizens and foreigners – and it was before Snowden’s NSA revelations.
Keir Giles of Chatham House has argued that the Russian authorities have long approached the internet differently to the West. 20 Democratic societies traditionally see freedom of expression and individual liberties as core rights to be protected. But the Russian perspective is to dwell on national security dangers. Snowden’s disclosures renewed belief in government circles that internet use in Russia must be more carefully controlled and free of foreign interference – and gave a fresh justification to those who already wanted it to be so. 21
In December the Russian Duma extended the so-called internet “black list” with a law allowing “extremist” websites to be blocked without court consent. The definition of “extremist” included the calling of unauthorised demonstrations. The Kremlin’s own Committee on Human Rights warned that this risked infringing the country’s constitution. 22 However, three independent sites were blocked shortly afterwards, and more followed as the crisis escalated in Ukraine. Furthermore, to the concern of Reporters Without Borders and others, from August bloggers with more than 3,000 daily viewers will be placed under the same content restrictions as newspapers and television. 23 This means they will have to register with the authorities. A number of blogging sites are removing features showing visitor numbers as a result. In addition Lenta.Ru, a major online current affairs site, was effectively destroyed in March when its editor-in-chief and executive director were sacked, resulting in the resignation of its entire team of journalists. 24
Soldatov and Borogan have said that Russian businesses that rent space on servers in Russia are required under the stipulation of their licences to give access to the security services via SORM. 25 But platforms such as Facebook, Twitter and Google are not hosted in the country. Indeed Facebook and Twitter did not even have a formal representative entity there. This is a particular problem for anyone wishing to intercept their traffic, as social network sites are notoriously difficult to monitor due to being closed accounts and therefore resistant to semantic analysis.
Snowden’s revelations seemingly prompted renewed effort to bridge this knowledge gap. Legislation has been introduced to make website owners and operators (including Facebook, as the law states it includes foreign websites with Russian users) archive user data for six months and be willing to provide it to the government when requested. 26 Foreign internet companies are also being pressured to invest in local data storage facilities. In April, Maksim Ksenzov, the deputy director of Roskomnadzor (the Agency for the Supervision of Information Technology, Communications and Mass Media), hinted that those who did not comply could be switched off. 27 Prime Minister Dmitry Medvedev sharply denied this was the case, calling on officials to “use their brains” before announcing the closure of social networking sites. However, Kommersant has published leaked documents that it claims show the government intends to prohibit any DNS 28 server outside of Russia from using the .ru or .rf domains. 29
It is not just international social media owners that are under pressure. Vkontakte is the country’s largest independent social media site – and a favourite of opposition activists after its founder, Pavel Durov, refused to close groups organising protest marches during the early 2012 protests. Durov initially resisted attempts by Vkontakte’s Kremlin-friendly shareholders, including Alisher Usmanov, to force him out. 30 This April, however, he left not only the company but the country. A few days earlier he wrote on his blog that the FSB had ordered him to provide personal data on the organisers of 39 groups on Vkontakte, allegedly linked to Ukraine’s Euromaidan movement. 31
Explaining his departure, Durov warned it had become “harder and harder to remain with those principles on which our social network is based.” His statement ended with a quote from Douglas Adams’ comedy science fiction novel The Hitchhiker’s Guide to the Galaxy. Given Russia’s increasingly hypnagogic internet – officially free but in practice looking anything but – it was an aptly surreal choice. “So long,” he said, “and thanks for all the fish.”
Snowden seemingly acknowledged SORM’s invasive net when, after his exchange with Putin, he called on journalists to pressure the Russian president “for clarification as to how millions of individuals’ communications are not being intercepted, analyzed or stored, when at least on a technical level the [Russian] systems that are in place must do precisely that in order to function.” 32 It is this question – what the Russian state is doing with the interception network it appears to have spent millions of roubles creating – that is of such concern to privacy, security and human rights campaigners.
There is a public security cause for the central government to keep an eye on electronic communications. The extent of the Sochi programme, which also saw 5,500 video cameras installed and drones – some with thermal vision – deployed, was in part a reflection of the heightened terrorist threat from regional separatist groups. But the evidence indicates that this intercept programme is seemingly being extended far beyond such extremist groups.
The amount of data produced by Russia’s 75 million internet users is vast, and data capture, let alone storage, may well be beyond the capacity of many telecoms operators. 33 Soldatov has said that Russian technology for storing and intercepting communications is not as advanced as that used by the US. 34 Moreover, as InfoWatch head Natalia Kasperskaya has pointed out, Russia remains dependent on Western computer technology following the near collapse of the country’s own microelectronics industry in the 1990s. 35 Any attempt to “balkanise” the Russian web would only lead to poorer access, slower speeds and greater costs to the consumer.
Nevertheless, the policy trajectory appears clear. First the Kremlin targeted phones. Then it targeted emails and internet pages. Now there is an assault on social networks. A raft of lawful methods now exist for the Russian state to collect information and block unwanted online content – while Soldatov and Borogan have detailed a range of extralegal approaches allegedly being adopted as well. Given such circumstances, the Bureau of Diplomatic Security’s warning ahead of Sochi appears not only prudent for its staff but for anyone wishing to protect their communications in modern-day Russia.
The following advocacy steps can be recommended:
- Lobby national governments to encourage Russia not to suppress free expression online, to drop proposed restrictions on bloggers, and to end pressure on social networks and independent websites.
- Promote legal support for media organisations with limited financial capacities, including by creating collective legal tools.
- Create and disseminate best practice guidelines to promote protection on the internet.
- Conduct outreach programmes for the wider public to highlight the social and economic advantages of a free and open internet.
- Lobby the Russian government to adopt transparent civic discussions ahead of the adoption of new laws impacting on communications freedom.
1- Al Jazeera. (2014, April 25). Putin says Internet is a CIA project. Al Jazeera. www.aljazeera.com/news/europe/2014/04/putin-says-internet-cia-project-201442563249711810.html
2- Mackey, R. (2014, April 17). Video of Snowden Asking Putin About Surveillance. The New York Times. thelede.blogs.nytimes.com/2014/04/17/video-of-snowden-asking-putin-about-surveillance/?_php=true&_type=blogs&_r=0
5- Walker, S. (2013, October 6). Russia to monitor 'all communications' at Winter Olympics in Sochi. The Guardian. www.theguardian.com/world/2013/oct/06/russia-monitor-communications-sochi-winter-olympics
6- Federal Law No. 144-FZ on Operational-Search Activities (1995, last amended 2004). www.legislationline.org/documents/id/4191
7- Soldatov, A., & Borogan, I. (2013). Russia's Surveillance State. World Policy Journal, Fall. www.worldpolicy.org/journal/fall2013/Russia-surveillance
14- Giles, K. (2013, October 29). After Snowden, Russia Steps Up Internet Surveillance. Chatham House. www.chathamhouse.org/media/comment/view/195173
15- Pincus, W. (2014, April 21). In questioning Russia’s Putin about surveillance, Snowden misses the point. The Washington Post. www.washingtonpost.com/world/national-security/in-questioning-russias-putin-about-surveillance-snowden-misses-the-point/2014/04/21/c3e09352-c732-11e3-bf7a-be01a9b69cf1_story.html
16- Soldatov, A. (2012, October 11). Privacy International and Agentura.Ru launch the joint project 'Russia’s Surveillance State'. Privacy International. https://www.privacyinternational.org/blog/privacy-international-and-agenturaru-launch-the-joint-project-russias-surveillance-state
17- One such court decision can be seen here: msud106.krd.msudrf.ru/modules.php?name=info_pages&id=1002&cl=1
21- Ames, M. (2014, January 16). Edward Snowden demands press freedom (for journalists who don’t live or work in Russia). Pando Daily. pando.com/2014/01/16/edward-snowden-demands-press-freedom-for-journalists-who-dont-live-or-work-in-russia/
22- Sugarman, E. (2014, March 27). Russia's War on Internet Freedom Is Bad for Business and the Russian Economy. Forbes. www.forbes.com/sites/elisugarman/2014/03/27/russias-war-on-internet-freedom-is-bad-for-business-and-the-russian-economy/
23- Reporters Without Borders. (2014, April 18). Will the Russian internet soon be under complete control? Reporters Without Borders. en.rsf.org/russia-will-the-russian-internet-soon-be-18-04-2014,46167.html
24- Human Rights Watch. (2014, April 24). Russia: Veto law to restrict online freedom. Human Rights Watch. www.hrw.org/news/2014/04/24/russia-veto-law-restrict-online-freedom
27- Hille, K. (2014, May 16). Russian regulator threatens to block Twitter. The Financial Times. www.ft.com/cms/s/0/a3ea4946-dd06-11e3-b73c-00144feabdc0.html#axzz39plsMHbi
30- Walker, S. (2014, April 2). Founder of Vkontakte leaves after dispute with Kremlin-linked owners. The Guardian. www.theguardian.com/media/2014/apr/02/founder-pavel-durov-leaves-russian-social-network-site-vkontakte
34- Lake, E. (2014, April 18). Sorry, Snowden: Putin Lied to You About His Surveillance State – And Made You a Pawn of It. The Daily Beast. www.thedailybeast.com/articles/2014/04/17/sorry-snowden-putin-lied-to-you-about-his-surveillance-state-and-made-you-a-pawn-of-it.html
This report was originally published as part of a larger compilation: “Global Information Society Watch 2014: Communications surveillance in the digital age”, which can be downloaded from http://www.giswatch.org/2014-communications-surveillance-digital-age.
Creative Commons Attribution 3.0 Licence ‹creativecommons.org/licenses/by-nc-nd/3.0› Some rights reserved.