RT reports that a new law requiring Internet service providers to keep records of their clients’ traffic, for state security services to review upon request, came into force on 1 July. However, the law’s purpose is quite a bit more than it appears on the surface:
The controversial legislation, dubbed by the media the ‘Yarovaya Bill’ after its main sponsor – the former chair of the Lower House committee for security, MP Irina Yarovaya (United Russia) – was signed by President Vladimir Putin in early July 2016. The authors described it as a response to the 2015 bombing of a Russian passenger jet in Egypt and terrorist attacks in Paris.
Yarovaya also said the law was necessary to fight the “global information monopoly of the United States” – a term she used for the situation in which US agencies have unsanctioned and unhindered access to the personal data of any citizen in any country, while limiting the special services of other nations from accessing resources that could be used to search for criminals.
Initially, the new law required communications companies, including internet providers, to keep information about their clients’ data traffic for three years (one year for messengers and social media networks) and to keep the records of phone calls, messages, and transferred files for six months.
However, the new rules and the costs involved in implementing them led to protests from internet businesses, and earlier this year the government agreed to lower the required storage period to 30 days from the original six months. Data providers, however, must then gradually increase the period of time until it reaches six months, by July 2023.
As of the launch date, providers are only required to store client data in “zero volume,” while storage in “full volume” will be required starting October 1.
The seemingly amazing charge that forms the basis of the Yarovaya Bill’s intent has validity to it. According to ZDNet.com, former Microsoft privacy chief Caspar Bowden verified this back in 2013:
Former Microsoft privacy chief Caspar Bowden, speaking at a panel discussion in Brussels [early in 2013], warned that U.S. law allows the government to spy on non-U.S. citizens’ files and documents, and that new Europe-wide data protection law proposals specifically allow such surveillance.
Bowden told the panel that anyone outside the U.S. who uses cloud products—such as Amazon, Apple, Microsoft, Google products, including businesses that outsource their infrastructures to keep costs down—is at risk of being spied on by the U.S. government.
“It doesn’t have to be a political party,” he told attendees. “It can be an activist group or anybody engaged in political activity, or even just data from a foreign territory that relates to the conduct of foreign affairs in the United States.”
He also warned that the new EU Data Protection Regulation, which will be voted on by members of the European Parliament later this year, introduces “loopholes” that permit foreign state spying. He warned that U.S.-based Internet giants, such as the aforementioned, are forced into handing over data on European citizens when required, or they could face sanctions or prosecution.
The new Russian statute goes into full effect on 1 October, when internet providers will be required to store client data in what is called “full volume.”
The bill also requires communications companies to hand over encryption keys to state security agencies on demand, allowing them to read encrypted data. Non-compliance could cost companies between 800,000 and one million rubles ($13,000 – $16,100) in fines.
The new rules only apply to companies that are listed on the special register of “organizers of information distribution on the internet” maintained by the state internet watchdog Roskomnadzor. Today, the register includes many Russian services, including the country’s most popular social media network, Vkontakte, and various services of internet giant Yandex, but not foreign services such as Google or Facebook.
RT reports that the new law is seen as a bane by businesses, which complain about the new measures. For example, the press service of the Russian state corporation Rostelecom noted that it would be “difficult to execute [the data storage rules] because the market was experiencing a lack of certified hardware for data storage.”
A further news piece from RT notes that the requirements were loosened before this law came into force. Originally, providers were being required to store six months’ worth of client traffic records, but in April this requirement was amended down to only one month.
Still, providers in Russia are concerned that this amount of data storage is difficult to comply with. Further, although the initial term of storage is now one month, it is still expected to ramp up to the full six-month period by July 2023. One company, Megafon, estimates that the equipment upgrades needed for compliance will cost about 35 to 40 billion rubles (presently between US $574 million and $656 million).