Data Collection and Retention in Russia: Going beyond the Privacy and Security Debate

17 Jan 2014

Alexandra Kulikova is a freelance Internet policy researcher and regular contributor to the LSE Media Policy Project blog. She has written this blog for GPD as an update to our recent report: DECIPHERING RUSSIA Russia’s Perspectives on Internet Policy and Governance. The views expressed in this article are those of the author

At the end of 2013, Russia further intensified its state electronic surveillance regime with an draft order placing new technical requirements on telecom companies. Unusually, there has been some push back from one of the largest telcos in the country, Vympelcom. Their objections are clearly on the grounds of cost, nonetheless the angle being taken by Vympelcom is that the measure violates citizens’ constitutional rights. However, despite the recent NSA controversy and heightened public awareness around privacy and rights online, this argument has sparked little interest among the general public.

Russia’s current national system of lawful interception of electronic communications (both meta-data and content data) – SORM – has long been extensively used by Russian Federal Security Service (FSB) and other security agencies. Under existing legislation, operators are already legally bound to install equipment facilitating traffic data collection and transfer to external FSB servers for further processing but, until now, this ‘non-privacy by design’ scheme has not required local data storage.

The new draft order, which was first drafted by Minsvyazi (Russian Ministry of Communications) in Spring 2013, now forces telecom and internet providers to install equipment allowing data collection and retention on their servers for a minimum of 12 hours. It will provide the FSB with direct access to a wider range of data than was possible before – including users’ phone numbers, account details on popular domestic and overseas online resources (like Gmail, Yandex, Mail.ru etc), IP addresses and location data – without a court order, for the purposes of national anti-terrorist investigations. And, while the duration of retention is seemingly short compared to similar UK or EU data retention regulations, the fact that the data ultimately make it to the FSB servers for indefinite storage renders this specification almost irrelevant.

For industry this draft order means significantly upgrading the existing capacities as well as installing more sophisticated equipment to tap into the foreign companies’ messaging services like Gmail, Facebook, Twitter, Yahoo which have now all enabled secure //:https encryption by default.
Vympelcom, one of Russia’s largest telcos, is pushing back against the draft on human rights grounds. It claims that the draft contradicts Clauses 23 and 24 of the Constitution which secure citizens’ right to private correspondence, phone calls, postal or communication unless there is a special court order allowing intervention. Collection, storage and use of such data without user’s consent is not lawful.

It is highly likely that the underlying causes of concern for Vympelcom are primarily economic – namely the cost of implementing this measure. Under federal law the costs of special investigative techniques’ are state-funded, however the new draft order places the responsibility and costs on industry. This is not necessarily a problem – the reactions by the Russian Duma and President Putin to the outcry over the anti-piracy laws show that they may be becoming receptive to economic arguments that support for internet rights and freedoms (read more here).

The real shame, however, is that despite the global debate about online privacy that has been spreading since the NSA controversy came to light, this issue has gained little attention among the Russian public who are used to domestic surveillance practices and have a high tolerance threshold to privacy intrusions. Apart from worried comments in blogosphere and some attempts by civil society to influence the policy-makers, there has been a real absence of any meaningful public discussion after the draft order became public and an online public consultation on the issues yielded no expert feedback.

The draft order, which comes into effect in time for the Winter Olympics in Sochi, is best understood as part of the trend of online and offline measures against terrorism, which has been particularly evident since 2011. Whether this, and other similar measures (including a recent bill on blocking extremist websites), are used to further citizen safety – or are in fact part of a wider crackdown of dissent – remains to be seen.