Denis Davydov, executive director of the Safe Internet League, a nongovernmental organization closely linked to the Kremlin, is happy with what the Duma did this summer. Davydov says a piece of legislation signed into law on July 7 by President Vladimir Putin will protect the nation from terrorists. The law requires internet service providers such as MTS, a cell phone operator, and search engine Yandex to store all Russian traffic, including all private chat rooms, e-mails, and social network posts, for as long as six months at their own expense as of July 1, 2018. The providers, which include global giants such as Facebook’s WhatsApp, must also surrender encryption keys to Russian security services. The backers of the measure argue that by giving the Kremlin total access to internet traffic, the guardians of public safety will never be taken unawares.
The law is one of about a dozen enacted over the last four years to police Russia’s cyberspace and cordon it off from the global net. One piece of legislation allows the state to block sites without seeking a court’s approval. Hundreds have been blocked already. Thanks to such measures, Davydov says, “we can be sure that here in Moscow no one will take a truck and ram it into a crowd of people or take an ax and start hacking people on a suburban train.”
Apart from restrictions on the internet, the Russian laws stipulate harsher punishment for those aiding terrorism and extremism. The authorities tend to apply the latter term to a wide range of opposition activities, such as staging rallies or, in some cases, sharing critical posts about the government on Facebook. Edward Snowden, the fugitive from American justice who leaked thousands of classified documents belonging to the U.S. National Security Agency, condemned the recently passed law from Russia, where he lives in exile.
In a rare upsurge of public concern, a petition against the law posted on the government online platform Russian Public Initiative has collected more than 100,000 signatures. The government is obliged to consider asking the State Duma to revisit the law. It’s unlikely it will be repealed, because only 2 out of 13 petitions have been upheld by the government since the platform was launched in 2013.
Internet experts in Russia point out that putting the law into effect will be difficult. The combined cost for all internet providers to store Russian traffic may amount to 2.5 trillion rubles ($39 billion), according to Irina Levova, whose group is part of the Expert Council, a body of academics and industry experts that helps the government draft and implement legislation. She figures Russia would need 59 million terabytes of storage to carry out the law. Irina Yarovaya, head of the Duma committee on security and anticorruption and co-author of the law, declined to comment.
Putin made matters worse by telling the government that it should ensure the storage hardware is produced in Russia, which has very little of the infrastructure needed to build the equipment on the scale necessary. That’s only a part of the problem. Internet security expert Andrei Soldatov, who co-authored The Red Web, a best-seller on Russian internet politics, says Russia has neither software to analyze such huge amounts of data nor sufficient manpower in the security forces to interpret the results.
Soldatov says half the traffic is encrypted, and this figure will steadily rise. He finds the demand to hand encryption keys to security bodies outlandishly old-fashioned, because encryption is now mostly done by apps independently from internet service providers. Immediately after signing the legislation, Putin commanded the Russian Federal Security Service (FSB) to come up with solutions for unlocking encryption within two weeks. But when the deadline came on July 20, FSB announced it won’t require companies owning internet chat rooms to hand over the keys, essentially acknowledging the futility of the effort.
Leonid Volkov, an IT expert and opposition politician, says instead of making it easier to track terrorists, the law—which mandates checking all internet traffic—aids terrorists by “making the haystack, in which one needs to find the needle, much bigger.”
Personal information, such as credit card numbers, will be more vulnerable to abuse. Volkov cites his own example: A Kremlin-friendly TV channel tracked him down and harassed him in a country hotel, a location they could only have found by accessing a government database that stores the passport details of hotel guests.
“I don’t think anyone knows yet how bad it’s going to be,” says Adam Segal, a cybersecurity expert at the Council on Foreign Relations and author of The Hacked World Order. Noting the law’s two-year implementation period, he says, “U.S. companies and others are staying very quiet, waiting to see what the Russians actually do.”
Russia adopted several repressive internet laws in past years only to see them ignored by Western internet giants. Facebook and Google were supposed to move servers to Russia by Sept. 1, 2015, to handle Russian citizens’ personal data. There’s no evidence they’ve done so. Neither company would comment.
Yet Davydov is optimistic that Western companies will cooperate. “They are businessmen, and they understand that if they spit on our law, then they shouldn’t work in our country,” he says. Davydov’s group is working on proposed legislation that he hopes will help overcome the problem of encryption and make the Russian internet more autonomous.
Will these laws prevent acts of terrorism in Russia? “That’s the $64,000 question,” says CFR’s Segal. “It’s not clear even on the U.S. side that we’ve been successful in using big data to prevent major attacks.”
The bottom line: Putin has sponsored laws granting the Russian government the power to read anyone’s e-mail, but the costs could be prohibitive.