On June 24, the Russian Parliament is expected to vote on new anti-terrorism measures designed to tighten the Kremlin’s grasp on the internet. The suggested measures come from fear: The parliamentary elections scheduled for Sept. 18 are fast approaching, and social media, which was instrumental in getting protesters to the streets during the December 2011 elections, is not yet under effective government control.
It isn’t for lack of trying. The authorities counted most on two strategies, both of which had failed to deliver the expected result by the end of 2015. The first—nationwide filtering of, according to independent watchdog Roskomsvoboda, more than 1.3 million websites since 2012—backfired spectacularly. The censors had assumed that users would passively accept the filtering, but this ended when rutracker.ru, the most popular torrent website in the country, was blocked in November. Russia at once skyrocketed to No. 2 in the number of users of Tor, which anonymized them and allowed them to circumvent filtering. The second strategy—to force Facebook, Twitter, and Google to move their servers to Russia under the pretext of protecting Russian users’ personal data from the NSA—was quietly sabotaged by the internet giants. While they avoided taking a public stand, they simply didn’t move their servers.
These failures have panicked politicians because there is little time left to introduce new methods of control. The authorities made some erratic moves—dozens of bloggers were sent to jail for writing posts critical of the Kremlin, and some proposed issuing fines to those who promote circumvention tools like Tor. In fact, at the end of April, Fang Binxing, father of the Chinese “Great Firewall,” was invited to Moscow and courted by high-placed Russian officials.
But the effects of these strategies were minimal, so the Kremlin returned to an approach it had tried before: new repressive legislation aimed at internet companies.
The anti-terrorism package presented at the State Duma suggests two major amendments.
The first will require telecommunications operators and internet service providers to store phone call records and the content of online conversations for six months, and metadata for three years. The second idea is to require the “information-distribution organizations” (i.e., messengers and social media) that use encryption to provide the secret services with keys that will allow them to “decode” the information. The measure is meant to target encrypted chat messages and any website that uses the HTTPS protocol. The package will also outlaw the use of “uncertified means of coding (encryption) for the transmission of messages on the internet.” Getting a certificate requires companies to give keys to the secret services, with the apparent goal of placing backdoors in all apps to allow spying on messaging in Russia.
Both measures are difficult to implement on the technical level, but that doesn’t matter. They reflect the traditional Russian approach to surveillance based on coercion and intimidation.
Since the 1990s, every internet service provider in the country has been required to have a device that connects its servers via underground cable to the headquarters of a local branch of the Russian secret services. As Irina Borogan and I wrote in our book The Red Web, this practice, known as the System of Operative Research Measures, or SORM, has been constantly updated ever since.
The current system provides the means for direct interception of traffic, but it cannot conduct mass surveillance and is helpless against HTTPS. It does, however, provide an excellent opportunity for the secret services to put telecoms under pressure—an ISP is required to install a SORM device, and for that, it needs to ask the security service what equipment is “recommended,” then buy the equipment and install it. Afterward, the ISP is subject to constant checks from local prosecutors, the secret services, and telecom watchdog officials. It’s an awkward and dangerous position for the ISP, and most telecoms soon realize that the best way to avoid problems is to fully cooperate with the authorities.
Russia’s expanding control of the internet is based on the intimidation and coercion of businesses. The authorities are looking to engage the companies in an ongoing conversation on surveillance. This law is a great pretext for them to do so. The Kremlin knows pretty well how costly the new measure is for companies: According to the assessment provided by Mobile TeleSystems, one of the largest mobile operators in Russia, just implementing the tools to store data for six months will cost the company more than $30 billion.
It isn’t anywhere near effective to have the stored data dispersed all over the country on the servers of regional telecoms and ISPs instead of keeping data in one place, the way the NSA stores data in its Utah facility. But that’s hardly the point. The idea is not to improve surveillance capabilities, but to have another frightening idea on the table that would prompt businesses to come to the Kremlin and plead for private consultations. The ruder and more expensive the new legislation appears, the better.
The idea of forcing messengers to give the keys to the secret services serves the same purpose. The most popular messengers in Russia are all foreign: Telegram, Facebook Messenger, WhatsApp, Twitter, Signal. Most of them have been quietly sabotaging government requests to move their servers to Russia. The new legislation would add to this pressure.
The Kremlin’s idea is to create as many pressure points for internet companies as possible and wait for them to come to private talks. This, they believe, could buy some time while they try to lock the internet inside the country. Russia’s Telecoms Ministry has already announced a plan to have 99 percent of internet traffic kept within the country by 2020.