Written by: Roman Faithfull and Olivia Betts
Since the start of the war, Russia has been introducing new laws and making amendments to existing ones to expand the scope of its digital authoritarianism. These changes assist the state in tracking, repressing, and manipulating domestic and foreign populations. Almost immediately following the outbreak of the so-called “Special Military Operation” (SVO) on 24 February 2022, new laws came into effect that criminalised “discreditation of the Armed Forces of the Russian Federation”. Subsequently, on 20 March 2022, the Kremlin used existing legislation to label Western social media platforms such as Facebook and Instagram as “extremist” and block them in the country. As a result, many Western media outlets stopped reporting from Russia, reasoning that they could not abide by the country’s anti-free speech laws and still report accurately on the war. These legislative changes have led Russians to lose most regular and unimpeded access to free media.
Such changes were not novel. Since the early 2000s, the Kremlin has effectively been criminalising criticism of the government, legalising unrestricted surveillance of its citizens’ online activities, and increasing its control over its domestic internet. These laws have mostly affected private individuals, the press, Russia’s domestic private sector, and state organisations. However, a recent development may prove to be much more worrying for private companies operating in Russia.
What happened
On 3 August 2023, representatives of Russia’s Federal Security Service (FSB), submitted proposals to amend a number of federal laws, including “On the FSB”, “On State Protection of Judges…”, and “On the Police”. The proposed amendments seek to give employees of the FSB, Russia’s Foreign intelligence service, judges and representatives of other Russian law enforcement agencies the permission to remotely access, edit and delete sensitive personal data held by private companies.
Currently, organisations in Russia must store messages, images, audio and video. This data must be held in Russia and be provided to law enforcement if required (along with the information necessary to decrypt it). The FSB proposes to expand this to include geolocation data and data relating to means of payment. This would affect all companies operating in Russia or transmitting data through the country. The FSB has presented this proposal under the guise of “protecting the personal data of significant persons” by providing them more anonymity.
Reason for the proposal
The proposal is likely motivated by two main factors: fear of deanonymisation and corruption.
Fear of deanonymisation
By law, Russians’ personal information must be collected by both government agencies and commercial organisations when they exchange goods and services. For example, when they make online purchases, pay for parking, rent a car, or order a taxi, both the provider and the state record as a minimum their full name and telephone number, and often their passport number, bank details and other important information.
Though this data – which authorities seek to access and protect in the proposal – should in theory already be private, in many cases it is quickly and easily obtained by private citizens via probiv. This Russian word, literally meaning “to break through”, refers to illicit services offered on cybercriminal locations which provide buyers confidential information from insiders at a range of private and state organisations. If one wants to discover the residence or mobile phone number of a law enforcement official or their family members, this information can be obtained quickly, easily and cheaply through dedicated probiv forums.
At a time when saboteur attacks against Russian law enforcement are common, especially those working at military recruitment centres, officials are rightly concerned with their anonymity and personal safety. Should these proposals come into effect, officials would be able to simply delete or change their personal information, preventing it from falling into the hands of those who would seek to harm them.
Figure 1. Advertisements for insider information on a Russian-language cybercriminal forum focused on probiv
Corruption
The proposed changes to the law will ostensibly ensure the personal safety of officials. However, in reality, they will likely also be used to falsify evidence in favour of the state and lead to increased corruption, as Mikhail Klimarev, the director of the Russian activist group Internet Defence Society, has argued.
Instances of Russian officials changing or removing their personal data in state databases already occurs. In 2016, real estate documents held by the Federal Service for State Registration, Cadastre and Cartography (Rosreegstr), the agency responsible for recording such transactions, were changed to hide corruption. Documents bearing the names of the sons of the former Prosecutor General of Russia Igor Chaika were amended to display their names as “LSDUZ” and “YFYAU9”. They were then subsequently changed to “private person” and “Russian Federation”. This was done to hide that Chaika had awarded favourable contracts to his sons’ businesses despite previous claims that their companies and their father’s place of work were unconnected.
Figure 2. Rosreegstr documents amended to show a property owner’s name as “LSDUZ”
The proposed amendments would give officials scope to make similar changes to records held by private companies, and therefore hide fraud should such documents be leaked or requested in court. Furthermore, though the proposals are in theory limited to viewing or amending the personal data of officials, it is difficult to see how they would stop officials from accessing, amending, or deleting the data of other individuals held in the same database. Officials could then present the amended data in court to convict a dissenter of a crime they did not commit. For example, financial records, such as card details, could be altered to show that an individual has engaged in money laundering.
Other motivations likely include the Kremlin’s wishes to further access and control its citizens’ data as the March 2024 election looms. This comes amid increasing discontent in the country due to mounting battlefield losses and the growing impact of sanctions.
How would the changes take place in practice?
Should the proposals come into effect, there may be little practical change. When seeking to access private data, Russian law enforcement officials are legally required to have a warrant. However, as they are not legally obliged to show this warrant, it is likely that they view private data without it. Enacting this legislative change would help authorities put further legal pressure on private organisations to provide them with the access they seek.
It is not known whether the proposals would allow officials remote and unauthorised access and control of private data, or whether they would need to physically attend the business to request (or force) access. However, Russia has a number of tools at its disposal to enforce its digital authoritarianism that it could use to remotely access privately held data. Notably, the System for Operative Investigative Activities (SORM), the technical specification for lawful interception interfaces of telecommunications and telephone networks operating in Russia, may provide officials with such capacity, as the equipment has deep packet inspection (DPI) capability, amongst others.
This proposal is strongly opposed by Russia’s Big Data Association (RUBDA), which includes Yandex, VKontaktye, Rostelecom, MegaFon and other domestic technology and telecommunications companies. However, RUBDA is not against officials being able to access, amend, or delete private data in principle. Instead, it only insists that this should be done through official request and via so-called “first officers”: undercover FSB officers seconded to many large private businesses. In this way, the companies could at least track what data had been accessed and by whom.
It is likely that the motivation for RUBDA’s opposition does not come from the altruistic desire to protect citizens’ rights to privacy. Rather, RUBDA is likely aware that unfettered access to private companies’ data by the state will likely lead to data leaks; government agencies are the main source of leaked data in Russia. It is possible that as officials access data, they may inadvertently (or purposefully) enact data policy changes that expose the information to others.
In terms of how this applies to foreign organisations operating in Russia, the changes may present an overall relatively minor impact on compliance with existing laws relating to data confidentiality, integrity, or availability in practical terms. This is due to the current extra-judicial or unsanctioned tendencies of Russian law enforcement officials.
In legal terms, the proposed changes could be significant. Should they come into effect, foreign organisations operating in Russia should assume that their private data can be accessed, edited and deleted by Russian law enforcement officials. They should take care to ensure that data that is meant to be protected under foreign data protection frameworks such as the European Union’s GDPR is not stored or transmitted through Russia.