In the latest news from Russia's slow but inexorable march to tighter control over the Internet, the Russian security apparatus is now expanding its surveillance requirements for Russian ISPs. The newspaper Kommersant recently published an article [ru] detailing a complaint made by Vympelkom (the owner of the mobile network Beeline) to the Ministry of Communications about a new decree that is due to come into force next year. The decree (PDF found here [ru]), which was jointly developed by the Ministry and the FSB (Federal Security Service), will require ISPs to monitor all Internet traffic, including IP addresses, telephone numbers, and usernames. Not only that — the traffic will have to be stored for 12 hours after collection. Vympelkom argues that the decree runs contrary to several articles of the Russian Constitution, including the rights to privacy and due process.
Some bloggers were rightly scandalized by the news. Journalist and blogger Matvei Ganapolsky argued [ru] that the new regulations will be used to target members of the opposition, and that any arguments to the contrary will be explained away with the needs of the War on Terror. Ganapolsky also conspiratorially noted that the recent Volgograd suicide bombing coincides with the news of the new law:
Россия устроена так, что предложение подобного приказа удивительным образом совпадает со взрывом автобуса в Волгограде. И если я сейчас начну возражать, то тут же выпрыгнет господин Бастрыкин. И он скажет, что если бы могли читать всё это раньше, то теракта, возможно, не было бы, террористку засекли бы.
Russia is made in such a way that the suggestion of this decree miraculously coincides with a bus exploding in Volgograd. And if I start complaining, then Mr. Bastrykin (head of the Investigative Committee) will appear. And he will say that if only they could monitor it all before, then maybe there would be no bombing, the terrorist would have been caught.
Of course, as some bloggers cynically pointed out, the FSB already monitors the Internet, and already requires ISPs to place duplicating “black boxes” on their servers, routing all internet traffic through FSB offices in real time. ISPs are also already required to keep track of IP addresses and user IDs. These regulations already in place, called SORM –the System for Operative Investigative Activities — are just as bad in violating the Constitution as the new decree, argues [ru] exasperated LiveJournal blogger Daniil Lazoukov. Lazoukov also wondered why Vympelkom didn't protest when the surveillance system was first implemented in 2008.
According to Echo Moskvy blogger Eldar Murtazin [ru], an analyst at the Mobile Research Group, the explanation lies in the game-changing requirement that ISPs store all internet data for 12 hours. Currently the FSB simply does not have the resources or the technology to effectively monitor all Internet traffic in real time, especially because the volume of data has grown “exponentially” over the years. The 12 hour clause will allow the security apparatus a buffer, essentially outsourcing initial data collection and storage to the ISPs. The FSB would then be able to request any part of this data, provided they did it within the 12 hour window. This, in turn, says Murtazin, means that a large part of the cost of monitoring the Internet will be shifted to the ISPs, which is what they are really up in arms about.
Regardless of whether Murtazin is correct in ascribing purely pecuniary motives to Russia's ISP, the new SORM, while certainly similar to the old SORM, promises to be more effective at monitoring the Internet. The difference, to Habrahabr user shifttstas [ru], is in the spirit and the scope — the current SORM, while it does provide a small stream of data to the FSB for analysis, isn't concerned with “mass surveillance.” With the new SORM, everyone is a target.
It remains to be seen if the new regulations will change the experience of the average Russian Internet user, but the trend is clear. More control, less freedom.