Dive into transparency
The story started in 2016. That year the so-called Yarovaya package was approved, the first example of changing the rules for Russian data access. The Yarovaya package included two bills adopted on the grounds of fighting terrorism. The bills are named after one of their authors, deputy Irina Yarovaya.
Since then, it has become mandatory for companies to store information about user messages and provide access to law enforcement.
From 1 July 2018, according to the “Yarovaya law”, all telecom operators are obliged to install equipment for operational search activities (SORM) in their networks.
From then on, they store users’ phone conversations, text messages, pictures, videos and other messages. By law, conversations and messages must be stored for six months, and Internet traffic for 30 days.
In addition, the “Yarovaya law” compelled organizers of information dissemination on the Internet to decode user messages. At the request of the FSB, companies must provide keys for encrypted traffic.
Edward Snowden, a former employee of the National Security Agency (NSA), has become fiercely critical of the Yarovaya Act.
“[Russian President Vladimir] Putin signed an oppressive law that not only violates human rights, but also defies common sense,” the former CIA officer hiding in Russia wrote on Twitter at the time.
Forward to someone else
On August 1, 2014, the amendments to the Law on Access to Information entered into force. Organizers of information dissemination (ORI), and a register in which they are listed, appeared in Russia.
These include providers, Internet services, IT companies, banks and others. They are obliged to store in Russia, for six months, data on the receiving, transmitting and processing of users’ voice information, text, pictures and other electronic messages.
An ORI is also obliged to provide this data to the investigating authorities upon request. According to the adopted amendments, the organizers should keep all information about sending a letter or downloading a file, but not the contents of the letter or file.
To do this, companies must also install equipment for operational search activities (SORM) in their networks.
In total, the registry includes hundreds of different organizations, including Tinkoff Bank (the service tmsg-p2p.tinkoff.ru is indicated), Sberbank Online, Pikabu (pikabu.ru), LiveJournal, Habr (habr.com), Vimeo.com, 2GIS (2gis.ru), Avito (avito.ru), BlaBlaCar (blablacar.ru) and many other services.
Roskomnadzor regularly updates the register of information dissemination organizers (ORI), adding new services and Internet resources to it. In 2022, registration was renewed by Yandex.Taxi, Yandex.Food, Yandex.Lavka and Yandex.Micromobility, among others.
Total identification
Experts interviewed by socialbites.ca pointed out that the Internet in Russia is currently moving toward identifying every connection.
“Most Internet users today are transparent to operators, who store information about who connects to their networks, from which IPs, and also about user-generated traffic according to Yarovaya law,” said Fedor Dbar, commercial director of the Security Code company.
According to him, a user who accesses the Internet in Russia from any part of the country by any legal means identifies himself as a citizen.
If the network is accessed through home Internet, a contract is first concluded with the provider and passport data is handed over; if it is accessed through a smartphone, the SIM card is tied to the same passport data, the specialist noted.
Dbar explained that so far the only loopholes to maintain anonymity in the system are some public Wi-Fi hotspots. However, the expert noted that in most cases they now also have to register using a phone number.
Technically, it is not difficult to understand which citizens are using the internet and what they are doing there.
Get VPN
So why did the Ministry of Internal Affairs develop changes to the law on “operational search activity”? According to them, any information on the Internet can be considered necessary for their investigative action.
Igor Bederov, head of the information and analytical research department of T.Hunter, told socialbites.ca that access to any information is possible only if it is a matter of state security or the fight against terrorism.
In this case, the reading of letters and messages can be done with notice of the court before the trial or within 24 hours after the start of the action.
“We are talking about access to all information held by providers, telecom operators and large IT companies. I believe that Russia is gradually moving towards creating an identification system based on electronic digital traces,” Bederov said.
According to him, the need for such a system “already matured 10 years ago.” To begin with, the identification system needs to collect data and identify traffic sources, forcing operators and companies to collect these sources.
“The next step could be centralized electronic data collection at SUEs (state unitary enterprises) and government agencies to overlay end-to-end analytics on the data and identify users,” Bederov said.
He expressed the opinion that the purpose of the Ministry of Internal Affairs’ draft is to identify those who are in Russia but are currently unidentified.
“To reach people they can’t reach yet,” the expert said.
According to him, such an approach would make it unnecessary to deal with foreign social networks and foreign VPN services, which would not provide information anyway.
“Naturally, the accumulation of big data will allow users to be profiled based on what they use: VPN services, where they go, what additional accounts they have,” Bederov concluded.
The expert explained that it will be possible to determine whether VPN services are turned on and in use, but for now it will not be possible to determine which sites a user with a VPN enabled visits.
Fedor Dbar, commercial director of the Security Code company, stated that the essence of the proposed changes is to speed up and simplify the acquisition of information from telecom operators for law enforcement.
“They will be able to take it without a court decision. So no new tolerances or new technical capabilities,” the speaker thought.
According to him, this does not affect the anonymity or information security of a user who uses a VPN.
Dbar explained that in both Russia and many other countries, by law, a person can only use certain authorized cryptographic services within the country.
“If border guards detect a VPN client on a phone or laptop while entering a country, the user or their device may not be allowed in. But this story is rarely ‘disturbed’ by ordinary citizens,” he added.
Dbar concluded that a user with a certain level of technical knowledge might try to hide themselves using anonymization tools such as VPN clients.