A path to safety (or identity theft) As more and more Russian regions use apps to enforce self-isolation, digital experts are finding glitches that could cause mass data leaks down the line

On April 22, it became public knowledge that 21 of Russia’s federal subjects are setting up digital permit systems to enforce self-isolation rules: with a few exceptions, anyone who wants to leave their home in those regions will have to get official permission. All 21 regional governments are using one and the same interface: “Gosuslugi Stop Coronavirus.” That’s the application already in use in the Moscow region. The city of Moscow has its own, independent permit system, and several other major cities are following its lead: they have also developed their own so-called “digital collar” software to issue permits for going outside as well as “digital guardsman” software for police to check the permits. “Digital Guardsman” is actually the official name of the program under use in Tatarstan, the first of Russia’s federal subjects to require digital codes for those planning to venture outside their homes. Meduza asked journalists Anna Vilisova and Ilya Shevelev to investigate the permit systems in several regions, consulting with digital security experts to figure out whether the apps might make Russians vulnerable to hacking or personal data leaks.

Disclaimer: To produce this article, Meduza spoke with a number of specialists in information security, IT, and software development. Some of them used their skills to analyze regional-level digital permit systems, but they did so autonomously and did not have access to any of the results obtained by their colleagues. Many requested anonymity. One St. Petersburg-based expert who investigated the website under use in the Nizhny Novgorod region declined to share his bug report with Meduza, saying regional authorities might react inappropriately. All the information presented in this article has been cross-checked and confirmed. The authors of this piece did not hack into or otherwise exploit vulnerabilities in the government websites described.

How digital permits work in Russia’s fight against COVID-19

Even though Tatarstan beat it to the punch, the Moscow area’s decision to control its residents’ movements using digital passes has been one of the most-discussed developments in Russia’s coronavirus battle. The city of Moscow and the surrounding region, which are two different federal subjects, have introduced separate permit mechanisms, but the two systems are compatible. Someone traveling from Moscow to the suburbs, for example, can simply use a city travel pass without getting one from the Moscow region’s government as well.

To travel in Moscow proper, users have to fill out a form either on the website for the mayor’s office, by telephone, or by SMS using an abbreviated number. All of those services feed into the same permit system, and all of them still have unresolved glitches. It first became mandatory for those moving around Moscow using any vehicle or transport system to present an individual QR code on April 15. That morning, crowds piled up at the entrances to several metro stations as police worked to check each passenger’s code, raising concerns about social distancing. The resulting public backlash led Moscow’s government to switch to an automatic permit checking system for public transport: users must now link their COVID-19 travel passes to an existing public transit pass, and all other forms of transit tickets have been temporarily prohibited.

Instructions for obtaining a travel pass are harder to find on the Moscow regional government’s website than they are on Moscow City Hall’s. One page says users can fill out a form directly through Gosuslugi (Public Services), a nationwide online portal that allows Russians to do anything from filing income tax forms to paying traffic fines to signing up for doctors’ appointments. The alternative is to register through Gosuslugi Stop Coronavirus, a new app attached to Gosuslugi that is not active within Moscow city limits. It is likely that the decision to integrate the public services portal with the new COVID-19 pass system in the Moscow region put users’ privacy at risk: digital security experts have noted that the QR codes produced by the new app include encrypted links to the user’s personal data. That leaves Moscow-area residents vulnerable to leaks that could ultimately land their information in search engine results.

RIAMO, a local news agency for the Moscow region, also published a report saying residents can get digital passes by texting the abbreviated number 0250. However, that number was already reserved at Megafon, one of Russia’s three major cell service providers, for a paid entertainment service that cost 30 rubles (40 cents) per text message. When Megafon clients in the Moscow suburbs tried to use the number to apply for digital passes, the cost of that unrelated service was added to their bills. A Megafon representative told the newspaper Vedomosti that the Moscow region’s government had not contacted the company in advance to reserve the 0250 number for its digital pass system. Still, the error was quickly corrected.

As the COVID-19 pandemic continued to escalate, a number of Russian regions followed in the capital’s footsteps by developing their own systems to issue both one-time and long-term digital permits. Regional governments did their best to make technical and design decisions themselves using the financial and technological resources they already had at hand. Some also leaned on local regulations passed for the specific purpose of fighting the pandemic.

“What we’re seeing now is that similar services are being released in many regions on very short notice and obviously without appropriate design, development, and testing procedures in place,” said Alexey Rayevsky, CEO of the information security company Zecurion. “That means not enough attention was given to the question of how to protect these services — maybe no attention at all. Sometimes, at the stage when these programs are already under use, people find errors in their primary functions, not to mention their security defenses.”

Rayevsky believes leaks of user data from these digital pass programs can be expected to emerge within the foreseeable future. Amid the COVID-19 pandemic, he explained, regional authorities likely haven’t had the time or the opportunity to ensure that their permit programs meet regulatory standards and are properly licensed by Russia’s Federal Service for Technological and Export Control (FSTEC).

Mikhail Klimarev, a technology expert who directs the nonprofit Internet Defense Society, agreed with Rayevsky: “Personal data will leak out. You don’t have to ask a fortune-teller to see that because the system is being made in a hurry. So far, there has never been a high-profile case investigating personal data leaks from government agencies [in Russia]. I mean, every week, two or three cell service employees get put in jail for disclosing personal data, but I’ve never heard of a single case where a bureaucrat was put behind bars or given any legal penalty at all.” At the time that this article was published, Meduza was unable to find evidence that any of the digital pass systems in Russia’s regions had already facilitated data leaks onto the Internet.

Other digital security experts who spoke with Meduza are focusing on two categories of risk. The first is the risk of unauthorized access to users’ personal information, which could cause leaks. The second is the risk that the permit systems will simply put users at risk when they run into operational glitches. “If there are glitches in the permit services [themselves], just as there have been with the programs that issue and check the permits, then citizens will be fined for violating self-isolation rules just because the people checking them won’t be able to confirm that they had the right to leave their homes,” said one digital security expert who asked to be identified only by the first name Pyotr.

The responsibility of protecting user data in Russia falls to Roskomnadzor, the country’s media regulation and censorship agency. It was assigned a leading data protection role in addition to its existing duties through a 2009 order from the executive cabinet. Roskomnadzor can hit anyone violating federal data protection law with a range of penalties, from making the illegitimately acquired data inaccessible online to suing those who acquired it.

However, the agency’s website does not include any information about security for digital permit systems that process Russians’ personal information. Meduza reached out to Roskomnadzor to ask whether its officials have conducted a technical audit of any digital permit systems and what sanctions might await those who operate those systems if personal data leaks are detected. We did not receive a response by publication time.

Rushing through Krasnoyarsk in 60 minutes

In the city of Krasnoyarsk, a digital pass system has been in place since April 22. The program was developed by the regional Digital Development Ministry for individual use; self-employed workers in the area can bypass the web app by sending an email, and essential businesses can do the same for their employees. Ministry specialists review the emails individually, register business accounts, and send back usernames and passwords that allow workers to travel outside on a regular basis.

For everyone else, there’s a website under the subdomain for the ministry’s IT Center. The service does not have a mobile app, but the framework that was used to build the site, AngularJS, adapts itself to mobile devices automatically (just like the website you’re reading now). Users can access one-time passes either as QR codes or as text codes that the web app issues through SMS texts.

Krasnoyarsk residents looking to get a one-time individual pass face three main limitations:

• First, the website that issues the permits draws identifying information about each user from Russia’s public services database. The site explains that this pathway was made mandatory to protect users: getting data from the government is meant to minimize possible data leaks. However, this requirement also creates an artificial barrier for users because anyone who wants to get a pass has to register their information in the Gosuslugi portal first. Individuals who have previously chosen not to trust the government with their personal data have no choice — if they want to get a permit, they have to make an account.
• There is a set list of reasons a user can give for leaving their home. However, the list is fairly broad. It includes visiting or chaperoning underage children, providing volunteer work for those in need, visiting elderly or ill relatives, visiting an attorney or notary, participating in a funeral, going to a dacha, and an option labeled “other emergency situations.” The service also requests the address from which the user will depart and the approximate amount of time they will be gone.
• Perhaps most restrictively, each individual can only receive two permits per day, each permit can only be used once, and permits are valid for only 60 minutes. It’s not clear why Krasnoyarsk decided to put those limits in place.

Krasnoyarsk is one of only 15 Russian cities that house more than a million people, but it has no subway system and is known for its traffic jams and long distances between neighborhoods. For example, traffic typically comes to an almost-complete stop in the city’s Kommunalny Bridge area during rush hour. Yandex Maps indicates that driving a car from Predmostnoy Square across town to the municipality of Badalyk takes around half an hour with no traffic. This means that for many Krasnoyarsk residents, a single-use permit would only allow them to travel to their destination and back, not to actually volunteer or visit loved ones.

An employee for Krasnoyarsk’s coronavirus call center recommended an alternative solution to Meduza: rather than relying on a digital pass, someone traveling around the city could write an explanatory note on a piece of paper saying why they had left their home.

Krasnoyarsk’s regional version of the community involvement program “Active Citizen” is running a survey to determine whether locals find the new digital passes convenient. A Meduza correspondent was able to sign up for the survey and submit responses using a Gosuslugi account registered in St. Petersburg, 2,800 miles away.

Data processing in Krasnoyarsk

Krasnoyarsk’s single-use permit system has a security certificate and various safety measures in place. Still, a St. Petersburg-based digital security expert who asked to remain anonymous said there are rough patches in the system. The expert noted that the regional Digital Development Ministry uses a public login page to access the Pronto! cloud interface where its data is stored; the form is accessible to any Internet user who visits one of the ministry website’s subdomains. The cloud system itself was produced by CommuniGate Pro.

The St. Petersburg-based specialist believes that without sufficient security measures, the login page being used in Krasnoyarsk could leave the ministry’s database vulnerable to random password guessing attacks, in which hackers automatically attempt possible logins until they gain access to the system they’re targeting. If hackers are able to infiltrate the ministry’s cloud storage, they could leak not only the data associated with single-use COVID-19 permits but also the data collected for all of the ministry’s other projects.

A Moscow-based digital security expert who also requested anonymity disagreed with their colleague, arguing that the CommuniGate Pro system was not at significant risk: “Given that the system at hand facilitates collaborative work through emails, calls, and chats, it’s unsurprising that it would require access ‘from the outside’ through a login form. That’s a standard practice for any communication system.”

The Moscow-based expert cited documentation for CommuniGate Pro that shows that the system is well-protected against attacks that attempt to guess username-password combinations. In addition to other protective measures, the system allows for client certificate authentication, which is “one of the most secure authentication methods, especially if it’s used along with two-factor authentication,” the security expert said. “[The certificate] is impossible to generate through guessing, and generating it requires a cryptographic signature from the organization that [controls the login process].”

According to Russia’s State Registry of Certified Data Protection Tools, CommuniGate Pro has undergone FSTEC testing.

Reporting your dog walks in Nizhny Novgorod

Nizhny Novgorod’s digital permit system was produced by the state-controlled Center for Project Coordination in Digital Economics, and it’s based on an existing service called “Resident Map for the Nizhny Novgorod Region.” Users must apply for a pass through the map’s website or its mobile app.

The Resident Map apps require maximal access to the device on which they’re used: they can record sound and video footage, take photos, and access a smartphone’s geolocation history. On Android, the apps sometimes require permission to launch whenever the phone’s system does, operate without being open, and access the network of devices remotely connected to a user’s phone. However, those same requirements also hold for a lot of other popular apps, including Gosuslugi.

Data processing in Nizhny Novgorod

Nizhny Novgorod’s system doesn’t require access to additional data from a user’s telephone or from external databases, but it does mandate that users register on the Map portal and provide some personal information even if their permanent address is outside the city. The information required for a permit application is the same as what users hand over to make a Resident Map account.

Even workplace passes are run through the Map portal. Employers whose businesses or organizations are officially considered essential can request multi-use permits for their employees, and if those applications match up to employee databases on the government’s end, then employees can use their Resident Map account pages to access their travel permits.

On the Russian social site Habr, users began to notice major errors in this system in early April. They discovered that the QR codes it produces don’t actually display the user’s travel pass when scanned; instead, they show a test page that contains gibberish data.

An anonymous digital security expert from St. Petersburg also said the permit system in Nizhny Novgorod might be vulnerable to hacks. “The page for companies and organizations [that employers can access once they register] includes a form where you can upload data from an existing file, and that’s scary. The form doesn’t validate the file format it receives, and that means somebody could upload a php-web-shell to the site and [ultimately use that file to] get unauthorized access to the service.”

While testing the Nizhny Novgorod site, the St. Petersburg-based expert was able to upload php files containing his own code, and they were all successfully saved on the Resident Map server with no changes to their contents. The expert argued that this meant a hacker could successfully carry out the first stage of an attack intended to steal user data. Because the website asks for all users to submit their phone numbers, full names, and identification numbers from a passport or other government document, anyone leaking that data would leave users vulnerable to other attacks, including identity theft.

Limitations for users

Anyone who applies for a permit in Nizhny Novgorod as an individual rather than a business has to give a reason for wanting to leave their home. The available list of options mirrors those provided in other Russian regions but also includes some activities that Russians elsewhere can still do without permission from the government: walking dogs, taking out the trash, and going to a grocery store or a pharmacy (though the app doesn’t require users to go to the store or pharmacy nearest them).

As in Krasnoyarsk, digital passes for moving around Nizhny Novgorod have time limits, but they are far less severe. Single-use permits for driving a private vehicle, taking a taxi, walking a dog, or taking out the trash have no designated expiration time, but they must be requested for a specific date. Going to the doctor, buying groceries, visiting relatives, or, if necessary, going to work can only take up to three hours. Passes for leaving the city to visit the surrounding Nizhny Novgorod region last up to three days. As in other regions, Nizhny Novgorod residents have to give the exact addresses of their starting point and destination.

The instructions for local officials tasked with checking permits on their rounds say that both police and emergency dispatchers have access to Nizhny Novgorod’s digital permit database because this allows them to view the passes even before their QR codes are actually checked. The instructions also emphasize that if a police officer does not have a mobile phone, they should call a dispatcher and state the number of the digital pass to be checked. Resident Map’s privacy policy states that the information processed through its server can be handed over to third parties as well, including government agencies that are legally permitted to access that data.

Sharing your data with the local bank in Kazan

Tatarstan was a pioneer in digital permit systems for self-isolation enforcement, making permits mandatory even before Moscow did. Since April 1, 2020, the region’s residents have had to apply for a permit to leave their homes. As in many other Russian federal subjects, Tatarstan’s permit system is run out of the regional Digital Development Ministry. However, the ministry has also teamed up with Ak Bars Bank. The digital development minister is among the bank’s shareholders.

The reason that was given publicly for this collaboration is that working with Ak Bars Bank allows Tatarstan to keep all of its infrastructure for COVID-19 permits inside the republic, increasing the data security. In 2019, Ak Bars Bank worked with the conglomerate Tatneft to develop a Tatarstan-based cloud storage service called ABCloud. ABCloud was then used this spring to develop an SMS notification system for Tatarstan’s government to send text blasts out to local residents.

Tatarstan’s digital development minister has promised the public that after the region’s self-isolation rules are lifted, the database his ministry uses to keep track of digital permits will be deleted. However, when users register on the region’s digital permit website, they are asked to agree for their data to be processed by Ak Bars Bank directly. The help hotline for the service, currently staffed by 200 operators, is also run out of the bank’s own call center.

Users can sign up for a digital travel pass in Tatarstan either by text or through an existing account on an online portal for government bodies and agencies.

Data processing in Tatarstan

We asked Damir Gainutdinov, an attorney for the human rights group Agora, whether or not Tatarstan’s system could send user data into the hands of what is essentially a commercial entity. “The fact that users have to agree to their personal data being processed when they sign up to use the system is nothing to be afraid of,” Gainutdinov said. “When you register, a link comes up to an Ak Bars Bank privacy policy that was adopted on April 10, 2019 — in other words, it’s a typical privacy policy for a bank. Why ABB is handling this issue in the first place and on what basis is a separate question. I think [collaborations like this] should take the form of a [competitive] state contract. If security standards are followed, and the contract was made in accordance with a law, then I see no problem with it.”

Meduza was unable to find any competitive auctions for state purchases in 2020 where Ak Bars Bank offered services like the one it’s providing to Tatarstan now. We reached out to the bank’s press office asking for an explanation of the legal arrangement behind its collaboration with Tatarstan’s Digital Development Ministry and for more information on how it will delete user data from the digital pass program. The bank did not respond by the time this article was published.

“I think that if a certification process did happen and they followed the law [on personal data protection], then you don’t have to worry about the data they’re storing and processing — the data is safe,” said an anonymous expert from Moscow, agreeing with Gainutdinov’s assessment. The digital security expert also didn’t see anything amiss in the government’s partnership with Ak Bars Bank. He noted that many banks and IT companies are certified in Russia to work with personal data. Most of the experts Meduza consulted for this story said they had never heard of ABCloud being successfully hacked.

Limitations for users

Everyone in Tatarstan has been asked to register in the digital permit system so that police can track whether or not someone has left their home at all times. Users do not need to actually use the system to ask for a permit if they’re only walking a dog, going to the nearest grocery store or pharmacy, taking out the trash, or receiving utility services. As in Krasnoyarsk, Kazan residents can only receive two permits per day.

Initially, there were only a few reasons people could give for leaving their homes in Tatarstan: going to a courthouse, dropping off or picking up children at school, visiting a hospital or veterinary clinic, going to a funeral, renewing a passport, traveling between a permanent residence and a dacha or country home, visiting a bank or post office, picking up essentials like food and medicine, helping relatives who are unable to work, and moving from one place of residence to another. That list was later expanded to include visiting government offices and pension funds. Now, it also encompasses getting a haircut, but only once a month.

People who are registered as independent contractors in Tatarstan can access extra options when formulating their permits: delivering an order, providing taxi services, or commuting to work. A special “Digital Guardsman” app allows law enforcement officers to check permits on their rounds.

Anyone who is required to go to work even under lockdown doesn’t need a pass to do so; they just need a special form from their employer. Volunteers can get a similar form from Tatarstan’s Youth Issues Ministry.

Onward and outward

On April 22, Moscow Mayor Sergey Sobyanin suggested that digital permit systems should be used in every Russian region to slow the spread of COVID-19. Now, that’s beginning to become a reality, but new regions jumping on the digital pass bandwagon aren’t developing their own web applications. Instead, they’ll be using Gosuslugi Stop Coronavirus, the federally-developed app under use in the Moscow region. Twenty-one federal subjects applied to be added to the app and were approved to join the program.

Not all of those regions even have a mandatory self-isolation rule in place. For example, residents of the Yaroslavl region have only gotten recommendations against going outside. Still, Yaroslavl Governor Dmitry Mironov has said he will soon have to announce more restrictions: case counts in the region have continued to rise, government recommendations have not been enough to keep the population home, and many residents have begun to ask for harsher anti-coronavirus measures themselves.

Even as the number of Russian regions aiming to use mandatory digital passes reaches into the dozens, the tech company Yandex’s “Self-Isolation Index” program has shown no significant changes in people’s behavior when permit systems are put in place. Experts who spoke with Meduza also said many regions just won’t have the infrastructure necessary to enforce such a system. Instead, those experts believe, permits will be used primarily to help bureaucrats demonstrate compliance to federal authorities.

“The entire body of Russian law related to IT and telecommunications rests on three main principles,” said Internet Protection Society Executive Director Mikhail Klimarev. “We call them BIS: ban, intimidate, steal. Instead of explaining to people that self-isolation is in their own interest, [the government] just tries to scare them. In reality, the likelihood of getting fined in Moscow [for going out without a permit] is lower than the probability of contracting HIV.”

“And then I have no idea how you can get this done when it comes to the regions. How can you do it when there’s no centralized public transit system, when nobody can control it all? You can’t station a police officer at every door. People who have to go out will go out anyway, and the chance that someone will catch them — and people will figure this out very quickly — is extremely small,” the digital policy expert said.

There is also reason to believe that problems will arise in regional permit systems beyond a lack of enforcement. For example, they may well malfunction so severely that they will prove impossible to use.

In Primorsky Krai on Russia’s Pacific coast, for example, a mandatory permit system was supposed to have been introduced on April 7, but it was canceled that very day. All of the region’s residents were supposed to get a special text message from the Gosuslugi portal, but by lunchtime, the regional government’s official website posted a message instead announcing that the service was still in beta mode and police would not be penalizing anyone for violating it. Ten days later, Governor Oleg Kozhemyako fired Digital Development and Communications Minster Sergey Maksimchuk, saying Maksimchuk had not effectively performed his duties while in office.