27 август 2020
Либертариум Либертариум

Russian Legislation Strikes Fear on the Net

IDG News, 1998, August 5
As early as this October, a new version of Russia's SORM ministerial act ? which stands for "system of efficient research measures" ? could be approved by the Russian Ministry of Justice, according to sources in Russia. Hatched between the FSB (a successor to Russia's KGB secret police force) and the State Committee on Communications (Goskomsvyaz), the so-called SORM-2 act would let the FSB boost its monitoring of electronic-mail messages by digitally linking its offices with all Internet service providers throughout Russia.

05.08.1998, Jeanette Borzo

Russia's Libertarium site on the World Wide Web celebrated its fourth anniversary this month. But site founder and coordinator Anatoly Levenchuk, who himself is the proud owner of one of the first 150 Internet addresses handed out in the former Soviet Union, barely noticed the anniversary this year, because he, like many Web users in Russians, has other things on his mind.

As early as this October, a new version of Russia's SORM ministerial act, which stands for "system of efficient research measures", could be approved by the Russian Ministry of Justice, according to sources in Russia. Hatched between the FSB (a successor to Russia's KGB secret police force) and the State Committee on Communications (Goskomsvyaz), the so-called SORM-2 act would let the FSB boost its monitoring of electronic-mail messages by digitally linking its offices with all Internet service providers (ISPs) throughout Russia.

"The Internet is a virtual land of freedom," said Levenchuk. "SORM-2 will be an invisible curtain between Russia and abroad, a curtain of distrust. If we have uncontrolled Internet surveillance, it strikes fear into my heart. SORM-2 will mean stealth eavesdropping that no one can audit afterwards."

It's not just the obvious issues of human rights and personal privacy that has Levenchuk and many other members of the Russian Internet community so preoccupied. Russian Web users are also concerned about higher Internet access costs, a chilled ISP market with fewer players, damage to a burgeoning electronic-commerce market in Russia and even a further blow to the already ailing Russian economy. For companies doing business in Russia, or outside of the country but with Russian enterprises, SORM-2 could certainly change business practices concerning electronic-mail communications as well as e-commerce transactions.

The Sorm Storm

As currently drafted, the SORM-2 act would require all Russian ISPs to install a device that would connect the ISP to the security agency and let the FSB eavesdrop on "all information (both incoming and outgoing) belonging to subscribers of the network(s) in question," according to a version of the proposed legislation posted on the Web.

"The stress is not about SORM, but about transition from the relatively controllable SORM-1, with warrants, to the uncontrollable SORM-2," Levenchuk said. For FSB offices around Russia, "wiretapping will be (only) as far away as a mouse click."

Last week, the SORM-2 interagency act went to the Ministry of Justice for approval. If the Ministry of Justice approves the draft, then all that remains is for representatives from the FSB and the State Committee on Communications to sign the act. "Ministerial approval would be enough to enforce the act through regulation enforcement (e.g., a licensing procedure)," said Maksim Otstavnov, editor of Moscow weekly Computerra and head of the Civil & Financial Crypto Labs at Moscow's Institute of Commercial Engineering (ICE).

Although SORM-2 is not destined to be a law, per se, its approval will ensure its enforceability, sources said."SORM-2 is not a law it does not have the review process of  the Duma, the Senate and the President's office," Levenchuk explained. While the Duma may unofficially review the act, it will have no jurisdiction over whether or not the act is signed by the necessary parties for enforcement. However, "SORM-2 will act as a law to ISPs and they will not be able to avoid this regulation," Levenchuk added.

And under the SORM-2 act, there will be no way to ensure that FSB officials obtain a warrant before monitoring communications, Otstavnov pointed out. And it is this very lack of checks and balances within the FSB that has Levenchuk worried. "SORM-2 means an uncontrolled and unrestricted FSB," Levenchuk said. "It must not be one organization that issues the warrant, applies the warrant, and carries out the warrant by eavesdropping. The next thing they'll want to do is to act as the judge in court."

If the FSB has surveillance rights over society, I want society to have surveillance rights over the FSB," Levenchuk explained.

And in Russia, the Internet society concerns significant numbers: Russia has 350 Internet service providers and 1 million people using the Internet, according to former Soviet leader Mikhail Gorbachev. Russia's number of users doubles every year, Gorbachev said during a speech in June, adding that traffic volume on the Internet grew 26 percent in the first three months of 1998 over the volume measured in all of last year in Russia.

How Real Is The Threat?

At its least menacing, SORM-2 is no more than an FSB attempt to test its power over the Internet community here.

"It often happens with these organizations that they test the limits of how far their authority can go," explained Robert Farish, International Data Corp.'s research manager in Moscow.

"Last year we had similar situations with FSB propositions (and the FSB) had to step back under public indignation," said Michael Novikov marketing manager for software developer Arcadia Inc. in St. Petersburg. For example, Novikov explained, the FSB accused scientists who were working with the Soros Foundation of stealing national security secrets while they were selecting scientific projects for grant support. Public reaction made the FSB back down.

In particular, because SORM-2 would require ISPs to pay for the surveillance devices, many say the proposal hasn't got a chance.

"The ISPs themselves have to pay for this equipment and none of them want to do that," said Farish. "They're not prepared to go out shopping for equipment so that the FSB can snoop on their business."

And enforcing the SORM-2 act would require cooperation from more than just Russia-based ISPs. "A great number of ISPs operating in Russia are owned by foreign entities," said Drew Weeks, a Prague-based data communications analyst who covers the Eastern European market for IDC. "So ultimately there are some foreign fingers in the market that would be adverse to that sort of monitoring, the FSB couldn't do it blindly and get away with it."

Still, ISPs may not have much choice in the matter, if they hope to remain in business. "If an ISP does not fulfill the regulation, they will not have their license renewed. They have no choice, deploy SORM-2 and have a license, or don't deploy SORM-2 and have no license," Levenchuk commented.

Increasingly Cryptic

Under Presidential Edict No 334 of 1995, Russians are forbidden from "manufacturing, selling and usage of encryption devices without a license from FAPSI, the Federal Agency for Governmental Communication and Information," according to Otstavnov, but Russia's encryption edict gives no legal definition of "encryption" and so "most agencies believe the edict covers only state secrets matters," he explained.

Encryption licenses are not widely held among Russian encryption users, many said, and if SORM-2 enters the Russian Internet market through the front door, unlicensed encryption technology is likely to storm through the backdoor.

"The most likely effect (of SORM-2) would be a very significant increase in the use of software encryption," said IDC's Farish.

"After the media hype over SORM-2 one would be insane to send business or personally sensitive data over the Net," said Otstavnov who added that the SORM-2 initiative has worked already to boost the use of encryption, the Russian PGP homepage (http://www.geocities.com/SoHo/Studios/1059/pgp-ru.html) that Otstavnov maintains has seen a tenfold increase in traffic in the last month.

Encryption, however, will hardly offer blanket protection for the Russian Internet community.

"Advanced users will ignore SORM-2 by using more cryptography, but Russia isn't a country of only advanced users," Levenchuk said. "Communication lines have two sides, and if someone is wire-tapped on one side, then there is surveillance on those who correspond with Russia too."

(Shrinking) Market Forces

So while those selling encryption technology into the Russian market would likely benefit from SORM-2, many others would undergo a host of disadvantages at the regulation's hands. The violation of human rights is the first concern about SORM-2 for Arcadia's Novikov, and market damage follows as a close second. Novikov anticipates an increase in ISP service prices in order to cover installation and maintenance costs under SORM-2: ISPs in Russia expect the surveillance device to cost $10,000 along with approximately $1,000 per month for the line to the FSB.

"The SORM-2 financial burden will be quite heavy for small ISPs," said Novikov. "Also, ISPs will lose some corporate users" because of fears over insecure data exchange, perhaps through the possibility that the FSB would reveal or sell corporate secrets."

"The first outcome will be rate increases," agreed Otstavnov. "ISPs estimate SORM-2 costs at 10 to 15 percent of overall operational costs."

Also Russian Internet users may drop their Russian ISP in favor of a non-Russian satellite service in order to avoid passing through surveillance devices installed at Russian ISPs. But "just a very few Russian Internet users could afford that," Novikov said, adding that many students may have to give up the Web, as the cost of privacy increases.

"This additional investment will be paid from the pockets of users and it will be a more expensive Internet in Russia, with fewer users," Levenchuk said. "ISPs will have to make additional investments to have a license, and that means there will be fewer Internet providers because it will be more expensive to establish Internet service."

And as the ISP market shrinks, so is the level of market competition likely to decline. "Right now the ISP market is rather competitive," Otstavnov noted. "Kicking out of smaller players would mean further cost increases and a service quality drop."

Novikov also expects SORM-2 to mean "heavy damage to the e-commerce industry" as well as a general chill put on Russian Internet development in general. Russian businesses may simply decrease their use of the Internet, he added.

Business users from abroad may shy away from working with Russian enterprises, and Russian network managers will need to think twice about corporate e-mail policies. "The writings of business people will not be private, they will be sent to their correspondent and to Federal Big Brother (as the FSB is often called in Russia)," Levenchuk said.

Internet growth in Russia may also be stunted. "Users will not trust the Internet as a new media," Levenchuk said, adding that the FSB threat will be much more real than the threat of hackers, which has already got some potential Internet users worried. "The can trust Internet with mythical hackers but they will not trust the Internet with the legendary FSB."

As a result, business may suffer.

"SORM-2 will be bad for e-commerce between Russia and other countries," Levenchuk continued. "SORM-2 applies to every network, including x.25 providers, not only to e-mail but to every online communication including financial information and e-commerce. People from abroad will be less trustful of Russia."

SORM-2 may also have a wider impact on the economy. "This creates a problem of trust for the Russian economy as a free-market state," Levenchuk said.

So, for example, investments in the Russian telecommunications industry might decline, Novikov said, as SORM-2 would mean "a reduction of Russia-investment attractiveness, and possibly a decrease of investment ratings."

The Final Word?

Of course, if SORM-2 is approved it will be subject to legal challenges, like all government regulations. For example, the Parliament or civil claimants could challenge SORM-2 in court, Otstavnov pointed out.

Failing legal challenges, the government will still have to dominate market realities in order to effectively enforce SORM-2.

"I would doubt that the Russian government would be sophisticated enough to carry out such a plan," said IDC's Weeks.

And as many Russians know, the government doesn't carry out every act it signs.

"Just because something becomes law in this country doesn't necessarily worry people," said IDC's Farish.

Or, as Arcadia's Novikov put it, "It's a common Russian tradition - not to follow the law."

[email protected] Московский Либертариум, 1994-2020