It’s been a rough month for Internet freedom in Russia. After it breezed through the Duma, President Putin signed the “Yarovaya package" into law—a set of radical “anti-terrorism” provisions drafted by ultra-conservative United Russia politician Irina Yarovaya, together with a set of instructions on how to implement the new rules. Russia’s new surveillance laws include some of Bad Internet Legislation’s greatest hits, such as mandatory data retention and government backdoors for encrypted communications—policies that EFF has opposed in every country where they’ve been proposed.
As if that wasn’t scary enough, under the revisions to the criminal code, Russians can now be prosecuted for “failing to report a crime.” Citizens now risk a year in jail for simply not telling the police about suspicions they might have about future terrorist acts.
But some of the greatest confusion has come from Internet service providers and other telecommunication companies. These organizations now face impossible demands from the Russian state. Now they can be ordered to retain every byte of data that they transmit, including video, telephone calls, text messages, web traffic, and email for six months—a daunting and expensive task that requires the kind of storage capacity that’s usually associated with NSA data centers in Utah. Government access to this data no longer requires a warrant. Carriers must keep all metadata for three years; ISPs one year. Finally, any online service (including social networks, email, or messaging services) that uses encrypted data is now required to permit the Federal Security Service (FSB) to access and read their services’ encrypted communications, including providing any encryption keys.
Opposition to the Yarovaya package has come from many quarters. Technical experts have been united in opposing the law. Russia’s government Internet ombudsman opposed the bill. Putin’s own human rights head, Mikhail Fedotov, called upon the Senators of Russia’s Federal Council to reject the bill. ISPs have pointed out that compliance would cost them trillions of rubles.
But now the law is here, and in force. Putin has asked for a list of services that must hand over their keys. ISPs have begun to consider how to store an impossibly large amount of data. Service providers are required to consider how to either break unbreakable encryption or include backdoors for the Russian authorities.
It is clear that foreign services will not be spared. Last week, the VPN provider, Private Internet Access (PIA), announced that they believed their Russian servers had been seized by the Russian authorities. PIA says they do not keep logs, so they could not comply with the demand, but they have now discontinued their Russian gateways and “will no longer be doing business in the region.”
Russia’s ISPs, messaging services, and social media platforms have no such choice: because they cannot reasonably comply with all the demands of the Yarovaya package, they become de facto criminals whatever their actions. And that, in turn, gives the Russian state the leverage to extract from them any other concession it desires. The impossibility of full compliance is not a bug—it’s an essential feature.
Russia is not the only nation whose lawmakers and politicians are heading in this direction, especially when it comes to requiring backdoors for encrypted communications. Time and time again, technologists and civil liberties groups have warned the United States, France, Holland, and a host of other nations that the anti-encryption laws they propose cannot be obeyed without rewriting the laws of mathematics. Politicians have often responded by effectively telling the Internet’s experts “don’t worry, you’ll work out a way.” Let us be clear: government backdoors in encrypted communications make us all less safe, no matter which country is holding the keys.
Technologists have sometimes believed that technical impossibility means that the laws are simply unworkable – that a law that cannot be obeyed is no worse than no law at all. As Russia shows, regulations that no one can comply with aren’t dead-letter laws. Instead, they corrode the rule of law, leaving a rusting wreckage of partial compliance that can be exploited by powers who will use their enforcement powers for darker and more partial ends than justice.
Russians concerned with the fall of Internet freedom, including the Society for the Protection of the Internet (IPI), have planned a protest in cities across the country on July 26. EFF will continue to follow the situation closely as it develops.