29 October 2013

Keir Giles

Senior Consulting Fellow, Russia and Eurasia Programme


Internet users in Russia could come under increased and more efficient overt monitoring and surveillance, under new regulations sponsored by the Federal Security Service (FSB).

A draft order is scheduled to come into effect on July 1, 2014 that would amend the current surveillance mechanism, by obliging Russian internet service providers (ISPs) to store comprehensive records of all activity by users for a period of 12 hours, with direct and immediate access to this information provided to the FSB. Official and semi-official Russian spokesmen note that this would not provide the security services with any new invasive powers; but users and the internet industry disagree and have raised concerns over both privacy and practicality. 

The new order adds to a series of recent initiatives that strengthen the role of the FSB in internet security in Russia. A draft law on critical infrastructure protection, mooted in 2012 and now under discussion, puts the FSB in charge of this area of cyber security. At the beginning of October, plans for pervasive technical surveillance of the communications of competitors and spectators at the Sochi Olympics in 2014 by the FSB excited attention in Western media. And a bill submitted to the State Duma on October 17 confirmed the FSB as the lead agency for a wide range of activities including combating cybercrime and other 'threats to the information security of Russia', which are over and above the service's remit as specified in the Federal Law governing its activities.

The most recent initiative would entail a radical upgrade to the SORM monitoring system, which provides the FSB and law enforcement agencies with a limited amount of data on internet use. The new requirements would expand the range of information captured on internet activity, including voice communications. Some ISPs are concerned that the provision for direct access is unconstitutional and illegal, and would circumvent any current requirement for the FSB to justify and obtain approval for any intercept or recovery activity which breaches a user's statutory rights to privacy of communications. 

Privacy and practicality 

Yet as with other internet security initiatives in Russia, such as the Unified Register of sites considered potentially harmful to minors (the so-called 'internet blacklist'), the internet industry and informed commentators are concerned not only over privacy implications but also over the feasibility of what is being proposed. Early fears that the 'blacklist' would be used as a tool of repression have so far proved unfounded, and most criticism now focuses on its flawed implementation, which results in outages of perfectly legitimate internet resources.

Similarly, the majority of comment on the proposed new regulation highlights cost and impracticality first, and potential breaches of privacy legislation and the Russian constitution second. The sheer volume of data to be stored on the activity of 75 million Russian internet users for 12 hours at a time, and the associated rate of data capture, will represent a significant and expensive technical challenge even for the largest telecoms operators. The provision for ISPs to manage storage has been interpreted by some commentators as a means of passing this workload and cost from the FSB to private industry – with severe implications for smaller players who would find it even more difficult to meet the requirements.

The fact that these Russian initiatives are coming thick and fast following the arrival in Moscow of Edward Snowden adds multiple layers of irony. Russian media have noted the lack of official rationale or justification for the new measures. But in a climate where the implicit and explicit criticism of Russia for its internet monitoring and surveillance system has become markedly less pronounced following disclosure of the claimed capabilities and reach of US systems, it may be that the Russian authorities feel even less need to apologize to anyone for their own means of protecting national security. Meanwhile, after complaining of covert activity by the US and allies, Snowden has taken refuge as a 'human rights activist' in a country which seeks to emulate this activity to the best of its ability, some of it overtly. 

Privacy and security

A review of Russian comment on the new regulations reveals the familiar discussion of the balance between privacy and national security, but with relatively more weight given to security interests than we are accustomed to in the UK. Among other factors, this may represent a long-standing acceptance of the existence of SORM. Those few internet users who give it any consideration at all are accustomed to the notion that communications are monitored by default in the interests of security, and have not suffered from the illusion of privacy held by internet users in Europe and North America.

The most recent draft order that seeks to increase the role of the FSB in ensuring Russia's online security is currently beginning a second round of consultations in other interested government agencies. Prior experience suggests that this process, as well as public and industry discussion, may result in a relaxation of the proposed regulations before they are confirmed in law. But for the time being, the current version of the order remains on the Russian government's portal for public discussion of legislative initiatives - with the field for 'expert opinion' resolutely blank. 
