6 September 2015

New Law Requires Russian Telecoms and Other Companies to Store Personal Data on Russian Citizens

Sarah Steffen
September 3, 2015

Russia tightens Internet controls, makes it easier to spy on citizens, critics say

Russia’s new law, which requires companies processing personal data on Russian citizens to store this data on local servers, came into force on Tuesday. It’s just the latest in a string of measures aimed at increasing government control over the Internet since President Vladimir Putin was re-elected in 2012.

Russian authorities say the law is there to help secure data by Russian citizens in the wake of former NSA contractor Edward Snowden’s allegations of widespread spying. However, critics have said it raises serious privacy concerns, as the law makes it easier for the Russian government to spy on its own citizens.

“Nobody asked them to protect personal data of Russian citizens, it was always a government initiative,” said Andrei Soldatov, an investigative journalist who covers Russia’s intelligence agencies and who co-authored the book “The Red Web” on the Internet in Russia.

Backdoor access to citizens’ data?


“We have a nationwide system of surveillance of the Internet and we have special legislation about surveillance on the Internet. And this legislation requires all Russian Internet Service Providers to provide direct and unrestricted access - backdoors - for the Russian security services,” he told DW.

“So if global platforms were to decide to relocate their service to Russia, it would mean that Russian security services would immediately get access to data of these global platforms,” he added.

Russian authorities want companies to store personal data of its citizens on local servers in Russia

That view is echoed by Laura Reed, a research analyst for Freedom Houses’ Freedom on the Net department. “There’s evidence that the government has been using [its] surveillance capabilities to target human rights activists and opposition figures,” she told DW.

So far, it’s unclear whether companies have indeed agreed to move personal data about Russian citizens to servers on Russian soil. Russia’s media watchdog Roskomnadzor announced it would be checking some 300 companies this year, but told DW in an email that search giant Google and social media platform Facebook would not be part of that group.

‘System based on intimidation’

“The idea of this law is not immediate implementation. The idea of the legislation is to have something at hand to put more pressure on the Internet in Russia and specifically on global platforms,” Soldatov said. “The Russian system of managing the Internet is based on intimidation.”

Russian authorities would get access to data of platforms, such as Facebook and Google, Soldatov said

The Kremlin had invited companies for talks, he added. “And the Kremlin was quite successful. Over the last two years, all three [major] companies - Twitter, Facebook and Google - sent their high representatives to Moscow for secret talks with the Kremlin.”

Meanwhile, Facebook has reportedly told officials it would not comply with the new law, whereas Google reportedly moved some servers to Russia.

Facebook declined to comment and Google did not respond to interview requests. A Twitter spokesperson sent a link to a Roskomnadzor statement saying that federal censors don’t consider the kind of user data Twitter collects as personal information under the law.

A move that’s indeed surprising, says Freedom House’s Reed, “because Twitter is a company the government has pressured in the past”. Just last year, she recalled, the Russian government requested that anyone who had more than 3,000 followers had to register their real name with the government.

“With laws like this, the fear is that the government will use it selectively,” she added.

'Constructive conversations’ with Facebook

In a recent interview with Russian online newspaper Lenta, Roskomnadzor head Alexander Zharov confirmed that the watchdog had met with representatives of Twitter and Facebook, but declined the notion that Facebook refused to transfer personal data to Russia.

“The conversation took place in a constructive manner, and we expect that Facebook in the nearest future will fulfill the promise to announce a formal position on the transfer of databases with personal data of Russian users on servers located in Russia,” Roskomnadzor said in an email.

Soldatov says the law is rather vague and it was also unclear how companies were supposed to distinguish personal data on Russian citizens from personal data from other non-Russian citizens. For instance, how are social media sites supposed to know whether a person with a Russian-sounding name living in Germany is a Russian citizen?

Latest move to tighten grip

In November 2012, after protests when Putin returned to power, Russia introduced its controversial system of Internet censorship that allowed authorities to blacklist websites without a court decision. Just last week, Russia briefly blocked access to the Russian-language version of Wikipedia because it failed to take down an entry about a drug. Russia has also blocked access to opposition websites as well as blogs of opposition leader Alexei Navalny.

“We saw the same thing happening on Facebook as Russian authorities tried to block some of the groups on Facebook last year when Russian opposition politician Alexei Navalny was due to face a new court verdict. And people tried to gather in Moscow to protest. Immediately ,Roskomnadzor attacked Facebook and required them to close down event groups devoted to protest,” Soldatov said.

And Russia is set to tighten its grip even more: Come 2016, a new “right to be forgotten” is due to come into effect. It will go well beyond the European legislation of the same name as the Russian version doesn’t exclude public figures. “There is concern that it is going to be used as a free pass for local politicians and others to get information about them removed from search results online,” Reed said.

According to a statement by Roskomnadzor, the “law will not apply to information about events that contain signs of criminal acts, terms of criminal responsibility which have not expired, as well as information about crimes, which are not removed, or outstanding previous conviction.”

What’s next?

It’s unclear if and when the government will fully enforce its new data localization law, but it seems the scare tactics are working. “It’s much easier to intimidate companies than, say, to intimidate thousands of users,” Soldatov said. “Because if you are going after users, you need to be technically advanced. But if you are dealing with companies, all you need is to do is find pressure points for these companies.”

No comments: