Who’s asking? ‘Yandex’ releases first-ever transparency report on requests for user data from the Russian authorities

For the first time ever, the Internet services giant Yandex has released statistics on the number of requests for user information it has received from Russian government agencies. In the first half of 2020, branches of the government sent the company more than 15,000 requests and Yandex fulfilled 84 percent of them. According to Russian law, the Federal Security Service (FSB), Interior Ministry, and other security agencies have the right to request that companies hand over data if it’s necessary for investigative work. However, it’s not customary to talk about the number of these requests — even less so about their content — in any industry besides the Internet business. Among foreign companies, Google first published these statistics ten years ago, followed by Twitter, Facebook, and other major Internet service providers. Today’s publication from Yandex is the first example of a transparency report from among Russia’s major Internet companies.

In the first half of 2020, Yandex received 15,300 requests to disclose user data from Russian government agencies. The company handed over information to the authorities in response to 12,900 of these requests and refused to do so in the remaining 2,400 cases. This was revealed in Yandex’s newly released, first-ever transparency report. The company did not explain why it chose to make this information public at this particular time.

What the Russian intelligence agencies want to know

The majority of the requests were regarding information on Yandex.Passport and Yandex.Mail users: in the first six months of 2020, Yandex received 8,800 such requests from government agencies and handed over information in response to 7,700 of them.

Yandex.Passport is a key service for managing your Yandex account; it stores all of the user’s basic registration information, including full name, telephone number, information about linked bank cards, account login history, login devices, linked accounts on social networks, and a variety of other details. “Very often, requests to a particular service come down to providing data from Yandex.Passport. For example, it could be a request on a user who used one of Yandex’s services for fraud,” the company told Meduza.

As for Yandex.Mail, the company provides access to a user’s correspondence only in accordance with a court order restricting the individual’s right to privacy of correspondence, the company underscores. “Without a corresponding court decision such information can’t be released,” Yandex maintains. According to the Russian Supreme Court’s judicial department, Russian courts received 514,700 requests from government agencies on restricting privacy of correspondence and telephone conversations in 2019, of which 514,100 were satisfied.

In second place for receiving the most inquiries from government agencies is the service Yandex.Taxi: in half a year, the authorities sent 5,200 appeals asking for data from this service, and the company transferred information in response to 4,100 of them. “The most important thing — and this applies to all of our services — we always provide the minimum required data. It’s always an individual case for each request. For Yandex.Taxi, this can be, for example, the car number or the driver’s information,” said Ilya Grabovsky, the head of Yandex’s press service.

Earlier, the Telegram-based news outlet Baza reported that the police officers from the Drug Control Division for Moscow’s Western Administrative Okrug, who now stand accused of planting drugs on Meduza journalist Ivan Golunov, obtained information about his residential address by requesting information about his trip history from Yandex.Taxi. The service’s representative then argued that the company received an official request from the police and, in accordance with the law, was required to hand over this information. 

The BBC Russian Service also claimed that thanks to travel information from Yandex.Taxi, law enforcement agencies were able to find the killer behind the murder of special investigator Yevgenia Shishkina — hacker Yaroslav Sumbayev, who she was investigating, allegedly ordered her killing. 

Yandex spokesman Ilya Grabovsky confirms that government agencies can sometimes request information about a user’s movements and “if the request comes through an official channel and meets all of the requirements, we are obliged to disclose [the information].”

“I will also note that the route might be needed in cases where there was some kind of accident and the culprit fled the scene. Or to figure out if the taxi driver was on a Yandex.Taxi order or not at the time,” he said, giving an example. 

All of Yadex’s other services accounted for the 1,200 other requests from government agencies, of which the company satisfied more than 1,000. Ilya Grabovsky promised that from now on, Yandex will publish a transparency report every six months. 

Some of Yandex’s other services — in particular Yandex.Mail and Yandex.Disk — are included in the registry of so-called “organizers of the spread of information” maintained by the federal censor, Roskomnadzor. This means that they are subject to additional obligations to law enforcement agencies. In accordance with the so-called Yarovaya law, which came into effect on July 20, 2016, the FSB’s Center for Operational and Technical Activities can require any service included in the registry to provide it with “information necessary for decoding the received, transmitted, delivered and/or processed electronic messages of Internet users.” In essence, this means these services have to hand over the encryption keys for user correspondence to the authorities.

Yandex received such requests from the FSB in 2019. At the time, the company’s managing director Tigran Khudaverdyan, said that the company had “a solution to the problem.” “The situation is very simple: there’s the Yarovaya law and everyone must comply with it. Our task is to make sure that compliance with the law doesn’t contradict the privacy of user data,” he said. The details of the “solution” were never disclosed — Khudaverdyan refused to make this information public, citing the legislative restrictions. However, the current regulations do not indicate that companies have no right to disclose information about their interactions with the intelligence services on this issue. 

Who else publishes statistics on requests from government agencies?

Major international Internet companies have been publishing their own transparency reports for a long time already, but none of Russia’s market leaders have dared to do so until now. Prior to Yandex, Habr was the only one to make this information public — the online communications portal for IT specialists released a transparency report in February 2020. Apparently, the company satisfied 30 requests from the Russian authorities from 2013 to 2018 and rejected nine more. In 2019, Habr received 14 requests and fulfilled all of them. Most of the appeals came from Roskomnadzor and the Interior Ministry. 

The Russian social network VKontakte made one unsuccessful attempt to release a transparency report — in response to a scandal that erupted over the transfer of data to law enforcement agencies in 2018. At the time, the public got wind of several criminal cases for extremism and insulting the sentiments of religious believers that had been brought against VKontakte users after the company’s administration passed information about them to law enforcement. Vkontakte’s managing director Andrey Rogozov promised that the company would release a transparency report to “make the process more transparent.” However, the document that was later published — the “Policy for work with government agencies” — did not contain any information about the number of requests from the authorities. 

Major international Internet companies have been regularly publishing transparency reports for a long time — Google was the first to do so in 2010. In its latest report, for the second half of 2019 (more recent data has yet to be published), the company said it received 81,700 requests for user data from government agencies around the world, of which only 74 percent were partially satisfied (that’s about 60,400). United States government agencies sent the most requests to Google: 26,100 to be precise. The company received only 258 inquiries from the Russian authorities.

In the second half of 2019, Apple received 10,100 requests from the U.S. authorities and provided information in response to 8,600 of them. During the same period, the company received 1,019 requests from Russian government agencies, of which it satisfied 833.                                                                               

During the same period, Facebook received 140,800 requests from government agencies around the world, 51,100 of which came from the United States. The company fulfilled 88 percent of these requests. During that time, Facebook only received eight requests from Russia, all of which were granted.