‘The state has no right’ Russian state servers are hosting a third-party system that monitors voter turnout

On June 24, Meduza reported on an electronic system that is being used in several regions across Russia to monitor turnout among employees at major enterprises during the plebiscite on amending the constitution (this includes changes that could allow President Vladimir Putin to remain in office until 2036). The system uses the website Votely.ru. Formally, it was developed by an IT specialist from Rybinsk named Ivan Petrov and not by government agencies. As it turns out, however, the system is running on servers owned by state agencies in several regions across Russia, including in Chuvashia, the Komi Republic, Bashkortostan, the Krasnodar territory, and the Tambov region. 

This translation has been edited and abridged for length and clarity.

As Meduza previously reported, in several regions across Russia, IT specialists working for the national postal operator, Russian Post, were “mobilized” to monitor voter turnout among employees in the plebiscite on constitutional amendments — a nationwide vote that began on June 25 and will run until July 1. Computer technicians at Russian Post were reportedly instructed to use a system available via the website votely.ru. After obtaining access to a demo version of the system, Meduza discovered that dozens of Russia’s biggest companies are also registered with Votely, including the defense firm Rostec, the telecommunications company Rostelecom, the petrochemical company Sibur, the steel giant Severstal, as well as Russian Railways, Lukoil, and others. According to Meduza’s sources, at least two regions planned to use Votely to monitor voter turnout: the Yaroslavl region, where the system was developed, and the Altai territory. 

Based on the system’s demo version, Meduza learned that each participating enterprise is issued a series of barcodes or QR codes. Then “those responsible for mobilization at the enterprise” are instructed to upload staff rosters, complete with employees’ names and telephone numbers; the website then links each one to a unique code. During the voting period, volunteers at polling stations will scan these QR codes under the pretense of conducting quizzes and staging contests among voters, and thereby collect data on voter turnout. 

After Meduza published its report, Votely closed access to its demo version and the system’s user instructions, and deleted its mobile apps for scanning QR codes and collecting turnout data from the iOS and Android app stores. By that point, however, Meduza had already found the directory with the user instructions on the Votely website (for some reason it wasn’t password protected). The instructions included a video, published below, demonstrating the system’s user interface and discussing how to work with it in detail.

Government tracks

The formal developer of Votely’s online system and mobile apps is a man by the name of Ivan Valentinovich Petrov who lives in the city of Rybinsk (Yaroslavl region). An IT specialist by training, he previously worked for the local authorities in 2017, when he created a website for the Yaroslavl regional governor’s project “on the development of a modern city environment” titled “We decide together!” 

That said, the Votely system that Petrov developed is now working through IT infrastructure belonging to Russia’s government agencies. According to data from the service Subdomain Finder, the votely.ru site has 30 subdomains that use the format xx.votely.ru, where “xx” is typically a number, which coincides with the number assigned to whatever region is using the system, a source familiar with Votely’s work told Meduza.

“For authorization in the system, you need to select a region, and enter a login and password, after this the user is transferred to the regional version of the system — this is what all the subdomains are needed for. The system is divided by region, in order to differentiate users’ access to data,” he said.

Meduza independently verified the ownership of the IP addresses of all the votely.ru subdomains. According to RIPE NCC — a not-for-profit corporation that acts as a regional Internet registry for Europe, Central Asia, and the Middle East — a number of the Votely subdomains are located at IP addresses belonging to government agencies in the Komi Republic, Tomsk, Volgograd, Krasnodar, Bashkortostan, Chuvashia and Tambov. The remaining subdomains are located at private data centers, in particular, at Rostelecom and the Russian Internet hosting provider Selectel Ltd. 

Meanwhile, the numbers in the subdomain do in fact coincide with the number assigned to the region where its network is located. For example, the subdomain 68.votely.ru is located at the IP address 194.226.132.6, which is registered to the Tambov regional government’s Regional Information Technology Center. Votely subdomains have also been linked to IP addresses belonging to organizations in the Yaroslavl region, where the system was developed, as well as the Altai territory, the Nizhny Novgorod region, and another ten of Russia’s regions. 

The general director of the Internet hosting provider Diphost, Filipp Kulin, found additional evidence pointing to the fact that the Votely system is running on state servers. 

“For example, information on the ‘reverse records’ of the IP address 194.226.132.6, which corresponds to 68.votely.ru, is located on the DNS servers ns.tambov.go.ru, ns.tambov.gov.ru, ns2.tambov.gov.ru, and ns3.tambov.gov.ru. The domain gov.ru is a verified domain [that belongs to] Russia’s Federal Protective Service’s [Special Communications Service] and is used by the government. Therefore, the government is responsible for what is hosted on these DNS servers. If the DNS server records for the given range of IP addresses were made without the administrator of ns.tambov.gov.ru knowing, then they would be responsible for a ‘mistake’,” Kulin explains. As such, he concludes that the “votely.ru administrator definitely had extremely close ties to the leadership of at least several regions of the Russian Federation.” 

“I agree that some of the votely.ru service’s resources are hosted on networks controlled by government information and technology centers. Admittedly, they may have the right to host third-party resources on a commercial basis, but in that case I see ‘interesting coincidences’,” says Leonid Evdokimov, a developer from the research lab Censored Planet. 

He notes that while 68.votely.ru directs to the IP address 194.226.132.6, which is registered to the Tambov region’s Information Technology Center, this IP address’s “reverse record” directs to the website voting.tambov.gov.ru — an official website of the Tambov regional administration (this website, in turn, directs back to the same IP address). “For me this leaves a minimum of doubt about the existence of some links between the Tambov region’s administration and the online resource 68.votely.ru,” Evdokimov underscores.

The general director of the Internet Research Institute, Karen Kazaryan, agrees: “Indeed, all of this data means that there’s a high probability that the owner of the site votely.ru has access to servers that host the websites of government agencies. It is worth noting that the majority of regional information centers provide commercial services, formally this could be such a case. However, the replication of such schemes across regions probably indicates that the site’s owners have closer, informal links with the infrastructure providers for government agencies.” 

Legal issues

At Meduza’s request, a group of experts familiarized themselves with the instructions for working with Votely. Afterwards, they expressed doubts that the system’s handling of personal data complies with the law.

“The fact that the service is clearly collecting the personal data of Russian citizens in large quantities is concerning, moreover, it’s unlikely that the employees of [these] enterprises agreed to this,” says Karen Kazaryan. According to him, the existence of such a database of voters carries “significant risks” for citizens’ safety.

According to Mikhail Emelyannikov —a managing partner at the consulting agency “Emelyannikov, Popova, & Partners,” which specializes in data protection — the scheme touches on two provisions of Russia’s Labor Code: Article 88, which concerns employers transferring workers’ personal data to third parties — in this case, the owners of the servers monitoring voter turnout, — and Article 86, which concerns employers receiving personal data from a third party — specifically, information on employees visiting polling stations. “The Labor Code allows both, but on one important condition — the employee’s consent, given to the employer in writing,” Emelyannikov emphasizes.

Stanislav Andreychuk, co-chair of the movement for the protection of voters’ rights “Golos,” underscores that the government doesn’t have the right to monitor voter turnout in this way. “This goes beyond the powers that citizens have given [the government]. The state has no right to monitor the [electorate] — it should create conditions for equal and free expression, and this actually implies the absence of any supervision over whether or not a person voted. Only the system of electoral commissions, which, in fact, has been removed from the structures of the authorities’ government agencies, should have turnout data, moreover, this data should be anonymized,” Andreychuk says. 

However, this is not the first time that the Russian government has tried to use various technologies to control voter turnout, he continues. “The story about the use of QR codes isn’t new, last year there was definitely evidence of monitoring the turnout of the dependent electorate with the use of QR codes, for example in Yekaterinburg,” Andreychuk says. “At the same time, I am very surprised that a system that is collecting this data is posted on a site in the .ru [domain] almost openly.” 

Andreychuk emphasizes that people who are forced into going to the polls cannot cast their ballots freely — those who show up to vote due to coercion will naturally assume that if some third party is monitoring voter turnout, it can also find out how they voted. “People will begin to get wary and vote under pressure,” Andreychuk warns.

The prime minister’s spokesman, Boris Belyakov, had yet to provide Meduza with a comment at the time of publication. Chuvashia’s Digital Development Ministry, as well as the regional information technology centers of Bashkortostan, the Tambov region, Krasnodar territory, Volgograd region, Tomsk region, and Komi Republic — whose networks, according to Meduza’s investigation, are hosting Votely subdomains — did not respond to our request for comment.