Defense In Depth
Why U.S. Security Depends on Alliances—Now More Than Ever
Thanks to a new Russian government program, the privacy and security of those who use the world’s most popular online platforms—including Facebook, Google, and Twitter—are at risk. The companies involved have yet to say how they plan to respond. They should speak up now.
Russian President Vladimir Putin has long sought to control the Internet in Russia. Spooked by the Arab Spring and street protests in Moscow in 2011–12, both organized through Twitter and Facebook, Putin has tried everything from filtering the Internet at the nationwide level to introducing blacklists of websites and deploying cutting-edge online surveillance technologies. In the spring of this year, Russian officials even ran a simulation in which they cut off the country from the global Internet during a political crisis. Like other initiatives before it, though, the attempt failed. The big national operators duly complied with a government request to cut off traffic, but small Internet service providers kept transferring data to the networks outside.
Most recently, the Kremlin has settled on a strategy that involves legal sallies against international digital companies—including Apple, Facebook, Google, and Twitter.
The effort began a year ago. In July 2014, Moscow adopted a law that prohibits the storage of Russian citizens’ personal data anywhere but on Russian soil. The law was set to come into force in September 2015. As justification, Russian parliamentarians pointed to Edward Snowden’s revelations about the United States’ mass surveillance program. The new legislation, they said, would protect the Russian people from spying by the U.S. National Security Agency.
In reality, the law had nothing to do with data protection. The real goal was to make international technology companies subject to Russian communications law, under which all Internet service providers and network hosts in the country must provide the Russian security services with direct and unrestricted access to their servers. In Russia, the security services can intercept any communications they like, from the biggest email service Mail.ru to the social network Vkontakte. Once the new law went into force, they would be able to do the same with international platforms. The end result could be the creation, within Russia, of a kind of intranet governed by very different rules from those beyond the country’s borders.
By all appearances, the law will go into effect in January as planned, but it is anyone’s guess as to how many companies will play by the new rules.PLAYING BY THE RULES
The Kremlin has reason to think that it can achieve its goals. Facebook, Google, and Twitter sent high-ranking representatives to Moscow once Putin signed the law on July 21, 2014. Details of their talks were kept secret.
And over the spring and summer, Russian media reports suggested that international companies might indeed fulfill the Kremlin’s wishes. Ebay, it was said, agreed to comply; PayPal followed suit, as did Booking.com. In March, the Ministry of Communications convened a gathering of the biggest Russian data centers. At the meeting, a representative of Rostelecom, a state-controlled Russian telecom operator, announced that Google had already relocated its servers to Rostelecom’s data center, adding, “the Company is our client now, and we are the restricted access, semi-government facility.” At the time, Google declined to comment.
Things got more complicated in late August, when Russian authorities said that they would not check for compliance with the new law until January. The stated reason was to give companies another four months for the transition. In truth, however, officials seemed confused by a report published a day earlier in the Russian newspaper Vedomosti that Facebook had refused to comply with the legislation.
Days later, however, on September 10, the Kremlin was handed a truly big prize. The Russian daily Kommersant reported that Apple had rented over 50 racks of communications servers in Russia to relocate the data of Russian citizens. And on October 19, Viber, a popular messenger service, announced the relocation of some of its servers to Russia. Alexander Zharov, the head of Roskomnadzor, the government agency that oversees the Internet, media, and communications, took the opportunity to condemn Facebook for failing to comply unlike its peers. The government “has not yet received a response from Facebook on observance of the law on personal data,” he said, indicating that the authorities’ patience was growing thin.
By all appearances, the law will go into effect in January as planned, but it is anyone’s guess as to how many companies will play by the new rules.
There has been a tendency to think of the new law as a Russian problem. And indeed, it does potentially subject Russian Internet users to unwarranted and uncontrolled surveillance. But the issue goes far beyond Russia’s borders.
Big Internet companies, including Facebook and Google, don’t distinguish their Russian users from others; they do not ask for national identity papers to register an account. In other words, if they comply with Russian law and put servers on Russia soil, they may well be subjecting all their users to possible interception or interference by the Russian security services.
The Russian approach to interception is brutally effective.Russia's telecommunication interception system is known as SORM (Sistema Operativno-Rozysknikh Meropriatiy, or the System of Operative Research Measures). It was initially designed by the Soviet KGB in the late 1980s. Although Moscow has regularly updated SORM, the agency’s primary goal has remained the same: to get unrestricted access to all information on servers and networks. All over Russia, SORM black boxes—about the size of a VHS player—are installed at Russian telecom companies and Internet service providers. Russian law requires security officers to get a court warrant to start interception, but those officers do not have to show the warrant to anyone but their superiors. The telecommunication company personnel have no right to see it since they have no security clearance.
The Russian approach to interception is brutally effective. It grants the Russian security services unfettered access to users’ data and to the technologies that companies field to protect and encrypt communication among their servers and users’. In one example, in 2012, it became clear that the regime even legally used the national system of surveillance to spy on political opponents. That year, the Russian Supreme Court ruled that Moscow’s surveillance of Maxim Petlin, a regional opposition leader and a member of the local council in Yekaterinburg, was lawful, since he had taken part in rallies during which calls against extending the powers of Russia’s security services were heard. The court decided that these calls constituted support for “extremist actions” and approved the subsequent spying carried out by SORM.
Complying with Russian law would undermine the so-called transparency reports that global companies have started issuing to document increasing demand from law enforcement agencies all over the world to intercept or remove content. These reports have exposed striking and troubling facts; for example, that total removal requests to Google from Russia tripled between June 2013 and June 2014 (from 253 to 728). Once international companies give in to Russian demands, they will have no idea how many requests they get. The Russian security services would be able to help themselves to whatever data they want, without anyone being the wiser.
U.S. tech giants have remained extremely secretive about their dealings with the Kremlin. Information about their responses seems to be limited to Russian media reports, which are sometimes sanctioned by the authorities. The companies have refrained from comment, never denying the reports, but not admitting to their contents either. In the course of our reporting, we contacted every firm mentioned in this article and asked whether they were complying (or plan to comply) with the law, and whether they had any concerns about doing so. None of them replied to our inquiries, except for Booking.com, which said that it had taken “various steps” to comply with the legislation. If Facebook, Google, and Twitter follow suit, millions of people around the world could be at risk of Russian interception—and Russia might be only the start, since other countries could happily follow its example.
Russia has one of the world’s most intrusive programs of lawful communications interception. International companies should be extremely careful about opening their doors to it. And at the very least, if they do, they should be transparent about it. The trust of their users everywhere is at stake.