The Duma's new ‘Big-Brother’ legislation kills Russia's Internet companies and hurts ordinary Web users. Here's how.
Last week, lawmakers in the State Duma approved what Edward Snowden has called “Russia's new Big-Brother law.” A major part of this legislation creates new regulations on the Internet. According to the amendments, telecom providers and the “organizers of information distribution” will need to store copies of nearly all information they transmit. They can't delete this information until it's six months old. This applies to recordings of phone calls, as well as the contents of text messages. And they have to keep copies of metadata of these communications (the information about when and between whom messages occurred, but not the actual content of the messages) for a whopping three years. Companies will additionally be required to help Russia's Federal Security Service (the modern-day successor to the Soviet KGB) decrypt all the data. The largest Internet companies in Russia—Mail.ru and Yandex—oppose the bill, as do the industry groups the Russian Association for Electronic Communications and the Regional Center for Internet Technologies, and even the “Communications and IT” working group within the Russian government. Meduza looks at why this legislation isn't just impractical, but will also harm ordinary Internet users and Internet companies alike.
The legislation requires telecom providers and “organizers of information distribution” (which could be literally any website on the Internet, as determined by Russia's state censor) to store all data sent by its users or visitors. This is a gigantic amount of data: Russia would need every data-storage manufacturer in the world working for seven years straight, before the country had the infrastructure necessary to accommodate so much storage and processing.
And there's another problem: the electrical grid in central Russia simply isn't powerful enough to fuel the still-unbuilt data centers that will be required by the new legislation. The equipment and materials needed to build these data centers, moreover, isn't produced in Russia, so companies will be forced to buy imported goods.
Experts say the costs of building this infrastructure will be more than 5 trillion rubles (roughly $77 billion). For comparison, the federal government's total revenues in 2015 totaled 13.7 trillion rubles (about $210 billion). The legislation says implementing the new statutes won't require any state subsidies, but that's untrue: at the very least, government agencies will need to upgrade the country's data cables (given that Russia's existing network of cables is too weak to cope with the higher volume of transmitted information created by the new regulations).
The government also risks losing income from Russia's Internet companies, which currently pay taxes on their profits. The new legislation could make many businesses unprofitable, after they're forced to spend tens if not millions of rubles on new data-storage equipment.
The new legislation requires all “organizers of information distribution” that add “additional coding” to transmitted electronic messages to provide the Federal Security Service (FSB) with any information necessary to decrypt those messages. What lawmakers seem not to understand is that virtually all information transmitted over the Internet is “encoded.” Any text or image sent over email using Simple Mail Transfer Protocol (SMTP) is in something called Multipurpose Internet Mail Extensions (MIME) format. Will “organizers” need to send the FSB information about how MIME works?
If we're talking about encryption, we're talking about almost half the traffic on the Internet—and the volume is only growing. In most cases, incidentally, the “organizers of information distribution” don't have the keys to decrypt their own data. (That is precisely how Internet privacy works.) For example, it's not even technically possible to store encryption keys when using the HTTPS protocol, which is used by an enormous number of websites, including the one you're reading now, and even Gosuslugi.ru, the Russian government's official portal where citizens can contact the state about public services. In other words, the legislation bans the state's own website for contact with ordinary citizens.
How this legislation is supposed to regulate financial systems is also unclear. The SWIFT network that links the world's financial institutions doesn't use Russian cryptographic algorithms, but nearly all the world's banks—including banks in Russia—use SWIFT. The world's payment systems, moreover, are required to comply with the Payment Card Industry Data Security Standard (PCI DSS), a proprietary information security standard that doesn't disclose its encryption keys.
In order to comply with the legislation, programmers will need to come up with new encryption methods that must simultaneously work with existing encryption methods, given that foreign companies won't support these new technologies (which don't currently exist, anyway). But even if Russia manages to create some kind of center to house all encryption keys, the concentration of data would make the center extremely attractive, and therefore very vulnerable, to hackers. By breaking into this hypothetical data center, after all, it would be possible to decrypt any message sent inside Russia.
The new legislation also violates Russian citizens' right to the privacy of correspondence, which is enshrined in Article 23 of the Constitution. In order to deprive Russians of this right, police need a court order. The “Yarovaya legislation,” however, grants law-enforcement agencies access to everyone's messages without any judicial oversight.
Today, most messaging apps use encryption. In fact, encryption is one of their most important competitive advantages, as users often seek out the safest and most secure communications available. The new law will make any Russian online service less competitive. It's unclear what foreign companies will do. Some might simply walk away from the Russian market.
This text is based on statements by the Russian Internet companies Yandex and Mail.ru (which are considered “organizers of information distribution”), the industry groups the Russian Association for Electronic Communications and the Regional Center for Internet Technologies (which position themselves as links between the state and the Internet), and the “Communications and IT” working group within the Russian government.