Encryption

I Learned It By Watching You!

New Russian anti-encryption and data retention laws look sadly familiar.

St. Petersburg, Russia—Did legislation in the United Kingdom and the United States inspire Russian authorities to adopt strong new domestic spying laws?

Russian President Vladimir Putin signed the anti-encryption and data monitoring "Yarovaya Law" on July 7. Named after Irina Yarovaya, the ultraconservative legislator who pushed for it, the legislation is styled as an "anti-terrorism" measure. Among other things, it mandates that internet service providers and other telecommunications companies store all telephone conversations, text messages, videos, and picture messages for six months. In addition, telecom companies must retain customers' metadata—that is, information about with whom, when, for how long, and from where they communicated—for three years.

Under the Yarovaya Law, providers of telecommunication services—such as messenger apps, social networks, email clients, and websites that encrypt their data—are required to help Russia's Federal Security Service decipher messages sent by users. In other words, the new law essentially requires internet service providers and other tech firms to install back doors in their services. The fine for refusing to cooperate can be as high as a million rubles (more than $15,000).

In order to comply, telecom firms operating in Russia claim that they will have to build vast new data storage infrastructure costing many times more than they now make in profits. They also point out that most of the required data storage technologies are manufactured outside of Russia. And they plausibly argue that the new rules will bring information technology investment and innovation in the country to a halt.

From the authorities' point of view, the fact that most Russian telecoms will not be able to comply with the Yarovaya Law is a feature, not a bug. As the U.S.-based Electronic Frontier Foundation notes, those companies are now "de facto criminals," giving the Russian government "the leverage to extract from them any other concession it desires."

Russia Direct, a website funded chiefly by the government newspaper Rossiyskaya Gazeta, tellingly observes that "in Russia, the legislation is compared to the USA Patriot Act." No doubt the extensive capabilities exercised in secret by America's National Security Agency (NSA) and disclosed by whistleblower Edward Snowden in 2013 elicited considerable professional envy among Russian spy agencies. Those revelations did provoke alarm among civil libertarians at home, prompting Congress to pass the USA Freedom Act last year, ending the agency's clandestine bulk collection of Americans' telecommunications data. But some analysts argue that, even with the new law, when it comes to the NSA's domestic spying, not much has actually changed.

There is one big difference between what's happening in the U.S. and what may soon be allowed in Russia: "While the Patriot Act prescribed covert surveillance of citizens, the new so-called 'Yarovaya Law' mandates open surveillance," the Russia Direct article continues. In other words, Putin is implementing what some lawmakers in the United States and the United Kingdom have long advocated.

For example, Britain's Investigatory Powers Bill, nicknamed the "Snooper's Charter," sets up a review process that will likely end up authorizing the bulk collection and retention of telecommunications and internet metadata. It was passed in June—before the Russian Duma passed its new domestic spying law—by an overwhelming majority in the House of Commons, and is now under consideration by the House of Lords. (In July, the Court of Justice of the European Union ruled that Britain's data retention mandates violate the privacy of its citizens. But Brexit will make such rulings moot.)

The bill "will fundamentally shift the relationship between citizen and state, allowing mass interception and mass hacking, forcing internet and phone companies to store everyone's communications data and web browsing history, and [requiring] retention of bulk personal datasets, which are population-level databases," explained Silkie Carlo, a policy officer for technology at the human rights group Liberty, in ComputerWeekly. And like its Russian counterpart, the bill gives the British government the authority to ban end-to-end encryption in telecommunications and web services and to force companies to provide "back doors" so that government spies can listen to and read citizens' communications.

Meanwhile, American supporters of domestic spying have been indefatigable in proposing legislation to undermine the privacy of citizens. For example, during the run-up to the passage of the USA Freedom Act, Senate Majority Leader Mitch McConnell (R–Ky.) proposed an amendment that would have required telephone companies to alert the government six months in advance if they want to start keeping phone records for less than 18 months. This was evidently so that spy agency officials would have an opportunity to intervene and try to force them to continue to retain customer records.

In April, Sens. Dianne Feinstein (D–Calif.) and Richard Burr (R–N.C.) introduced the Compliance with Court Orders Act of 2016, which would force telecommunications companies to obey when courts demand access to content on their devices or services. Specifically, companies would be required to give police "data in an intelligible format if such data has been made unintelligible by a feature, product, or service owned, controlled, created, or provided" by the company. The upshot is that tech companies would be compelled to enable government snoops to read their customers' communications even when the messages were encrypted.

"Every service, person, human rights worker, protester, reporter, and company will be easier to spy on," declared Sean Vitka, counsel at the internet freedom activist group Demand Progress, in a statement. "Even as this bill undermines every American's privacy and safety, its jurisdictional narrowness is yet another catastrophic flaw. It does not control Russian products, or the North Korean government."

And what if other countries start demanding access to users' data? That very question came up at a New America Foundation conference in 2015. "So if we're going to build defects/back doors, or golden master keys for the U.S. government," Alex Stamos, Facebook's chief security officer, asked NSA director Adm. Michael Rogers, "do you believe we should do so for the Chinese government, the Russian government, the Saudi Arabian government, the Israeli government, the French government? Which of those countries should we give back doors to?"

Rogers acknowledged that there are "international implications to" what the U.S. government is asking for but said he thinks the parties can work through them. "I am sure that the Chinese and the Russians are going to have the same opinion," Stamos replied.

The Russian propaganda television service RT has quoted Russian legislators arguing that the Yarovaya Law is necessary to counter global information dominance by the United States. Fortunately, so far, the big U.S.-based companies—Google, Twitter, Facebook—show no signs of complying with the intrusive new policy.

If anti-encryption legislation can be defeated in the U.S. and the U.K., then tech companies in those countries will be able to offer strong privacy protections not only to their customers at home but, perhaps more importantly, to users in authoritarian countries as well.