‘User X with driver Y traveled from point A to point B’
Yandex is set to start sharing Yango taxi ride data with the FSB. Users in Israel, Europe, and elsewhere may find their privacy rights compromised by Russia’s new surveillance law.
Starting on September 1, 2023, the FSB will gain round-the-clock access to user data collected by Yango, a Yandex-owned ride-hailing and delivery app also operating under the brand name Yandex Go. The order that will give Russia’s secret police extraordinary new powers of surveillance has already been signed by the country’s prime minister, Mikhail Mishustin. It won’t be just the residents of Russia who come within the scope of surveillance, since Yango’s services are also available in Israel, Europe, and a number of other countries. Together with the Finnish journalist Jussi Konttinen, Meduza’s correspondents Svetlana Reiter and Denis Dmitriev investigated how Yandex plans to circumvent international data protection laws, and who will be affected most by its deepening cooperation with Russia’s system of mass surveillance.
No ‘material or logical division’
About a year ago, the customer support team at Yandex Go started receiving customer questions about the location of its data servers. Despite the war and the sanctions, Yango was then operating in more than 20 countries, including Israel, Norway, Finland, Belarus, Kazakhstan, Georgia, and Armenia. What prompted a wave of concern was the news that Russia was about to pass a new law granting its Federal Security Service (FSB) round-the-clock access to all the traffic data aggregated by certain taxi services. Due to a quirk in its formulation, the law, in fact, applied to only one Russian company: Yandex Go, the only taxi service on the Russian register of information distributors.
Until then, companies in Russia were only obliged to share their data with law enforcement and security services when formally petitioned by officials. Now, concerned customers were writing to Yandex from outside of Russia, asking for explanations about their data and whether it would be handed over to the secret police. This prompted an internal message exchange, in which the management clarified that “data from all of Yango” is “stored in Russia,” and there is no “material or logical division” between data collected from users inside and outside of the country. All of Yandex’s data centers, the messages stated, were located in Russia, but mentioning this information should be avoided when talking to customers.
The IT giant had good reason to be cautious in admitting this. As a result of its decision to keep user information from different countries mingled in a single body of data, the FSB stands to gain access to all of Yango’s foreign traffic, part of which is generated by Russians who recently left the country because of their political opposition to Putin and the war started by his regime in Ukraine. Come September, the secret police will have unrestricted 24/7 access not only to information generated by their devices (IP addresses, device serial numbers, etc.), but also to their user-generated data like names, phone numbers, email addresses, bank accounts, user comments, and, of course, the addresses of their trips.
While it’s difficult to foresee exactly how this data will be used by the authorities, here’s what we do know about Yandex’s history of cooperation with the country’s law enforcement and security apparatus.
In October 2020, Yandex published a report on user data shared with the government in response to official requests. It revealed that in just the first six months of 2019 the company had received over 15,000 requests for information. In 84 percent of all cases, it satisfied those queries. A significant share of the inquiries were about users who subscribed to its email, food delivery, or taxi services.
In 2018, it was information supplied by Yandex that helped the police solve a murder commissioned on the dark web.
A year later, information about the taxi trips taken by Meduza’s former journalist Ivan Golunov helped the authorities fabricate a criminal case against him. The data Yandex turned over to Russian law enforcement contained a log of close to 100 trips taken by Golunov. The confidential address of Meduza’s Riga office was also part of that data.
‘Distributed’ — but concentrated in Russia
Two Yandex employees who agreed to speak with Meduza on condition of anonymity explain that Yandex currently has three data centers, located in the Moscow, Ryazan, and Vladimir regions. Another data center is slated to open soon in Kaluga.
Before the war, some of Yandex’s data was also hosted from the Finnish Mäntsälä municipality, as documented by a June 2019 letter from the tech company’s legal team to the Finnish Data Protection Authority (DPA). In March 2022, when Latvia banned Yandex Go precisely because its data centers were located in Russia, the company responded with a statement that it had “never denied that its algorithms might use Russian servers along with the Finnish data center.”
Two Yandex insiders explain that Yango routinely duplicates ride data across the three Yandex data centers, regardless of where in the world the trips took place. A former employee notes that distributing data across servers helps ensure the app’s stability.
Several years ago, when Yango was just beginning to operate in Europe and had to comply with the European General Data Protection Regulation (GDPR), the company considered moving its international data to servers outside of Russia, including the Mäntsälä data center. But it didn’t take long before Yandex realized it would be “time-consuming, costly, and a real pain.”
Once the war broke out, no one revisited the idea of moving data abroad, a Yandex insider recalls. Three different sources in the company all confirm that even the Mäntsälä center is no longer being used to store the ride data. “We can’t possibly let NATO find out about Kremlin officials taking rides to strip clubs,” quips a source connected to Yandex’s corporate leadership.
Once Yandex’s top executives started facing international sanctions, the Mäntsälä data center was cut off from the Finnish power supply and had to switch to a diesel generator. Yandex’s Finnish subsidiary, Yandex Oy, had its assets frozen. This Yandex branch has now changed its name to Global DC and is appealing the sanctions through the Helsinki District Court. Yango, meanwhile, is still operating in Finland.
‘A huge pain in the ass’
Yango’s ride-hailing app is tied to the overall Yandex infrastructure through Yandex ID, a single authorization system for all the users of Yandex’s multiple services. This is what stands behind the ease of summoning a Yango ride “whether you’re in Almaty or Tel Aviv,” says a current Yandex employee. “Everything is centralized, everything is controlled from a single point”; “that’s how the code was written, and that’s how the service works,” the speaker adds.
Isolating international trips from this unified body of data would be a “huge pain in the ass that would require a complete overhaul of the architecture,” says a source close to Yandex’s corporate leadership. A former employee agrees with this assessment: “Launching a different data center is a complex problem requiring major financial and technical resources, and you can’t solve this problem by buying a server on Amazon, since what you can buy from Amazon as an ordinary customer probably won’t be enough to handle the load.”
But Yandex’s former chief technology officer Grigory Bakunov thinks that where there’s a will to differentiate the data, there should also be a way:
Every single installation of the app is linked to a concrete location, and you can differentiate and granulate everything city-by-city. So it’s perfectly possible to move, say, the Istanbul or the Tbilisi data. The problem is that, come September, the secret services will gain access to the common data that flows into Yandex. And that includes the foreign rides.
European data protection laws known as the GDPR let users withdraw their consent to personal data processing at any time. They also insist on the users’ “right to be forgotten,” that is, their right to have information about them deleted and banned from being used by others. In some cases, it can even protect the privacy rights of non-European citizens: for instance, if their personal data is being processed by a European company.
Yandex has long claimed that its European operations were in strict compliance with the GDPR. These protections are also mentioned in the confidentiality policies published by Yango and Yandex Go. Inside Russia, though, European privacy norms may well be compromised where they come in conflict with the applicable Russian law.
The former Yandex executive Grigory Bakunov says that he can see two possible ways in which the FSB could make use of the data obtained from Yandex:
Imagine that you have two possibilities. Either you can work bare-handed with a heap of raw data, or you can, figuratively speaking, get an email report based on certain variables: “User X with driver Y traveled from point A to point B.” It’s really in the hands of the FSB whether they want to work with the big pile of data. If they have enough specialists, maybe they wouldn’t mind reading the whole trove.
If the FSB were to choose the second option, Bakunov suggests, Russians who have left the country for former CIS countries since the start of the Ukraine war will be especially at risk:
That trove contains ride data from Kyrgyzstan, Kazakhstan, Armenia, Georgia, and other places where Russians moved since the start of the war. This, I would say, is more of a threat than access to data on Finland, Norway, or Algeria.
What happened since this article first appeared in Russian
After receiving Meduza’s query about Russia’s plans to grant the FSB access to Yandex user data, the Finnish Data Protection Authority (DPA) ordered Yandex to suspend transferring Yango user data to its Russian servers between September 1 and November 30, 2023. The temporary order also spotlighted Yandex’s Dutch data processing contractor, Ridetech International B.V.: “The data protection authorities of Finland and Norway are cooperating closely with the Dutch Data Protection Authority,” said the DPA’s press release. Finland’s data protection ombudsperson Anu Talus credits Meduza for drawing her attention to the situation.
Yandex responded to Meduza’s reporting by pointing out that its data management practices are no different from the methods used by “the largest internet services” globally. In a more extended statement sent to Meduza, the company said it’s engaged in “dialogue” with the DPA to ensure complete compliance with European regulations.
Yandex’s company statement in full
The legal regulations of the Russian Federation have no jurisdiction over the international ride-hailing business of Yango and do not apply to Yango users as they make trips and use the app outside of Russia. This will not change after the 1st of September.
Yango service is provided for the users in Finland and other countries by the Dutch company, Ridetech International B.V., which processes personal data of the users in strict compliance with the GDPR and other EU/EEA legislation, also ensuring all data subjects rights including that of erasure. Any data that Yango processes can only be inquired by any authority outside of our domestic Dutch jurisdiction, including the ones in the Russian Federation, via an official request of the Dutch authorities to Ridetech International B.V., and solely via the established international procedures, for example involving Interpol.
Our company has high standards of security policy, which are confirmed by the international public report on the security, availability, processing integrity and confidentiality of data SOC2/3. We are currently studying the decision of the Data Protection Ombudsman today with a view to comply with newly introduced requirements.
We are engaging in a dialogue with the Data Protection Ombudsman’s office to ensure we’re in full compliance with the regulation.