Big brother in Eurasia: Surveillance goes digital
Surveillance and the ICT sector go hand in hand, and as technology evolves, so does the capacity of governments to monitor their citizens. Russia found itself at the centre of a global debate about cybersurveillance after National Security Agency whistleblower Edward Snowden requested asylum in Russia in August 2013. The country remained in the spotlight during the lead-up to the 2014 Sochi Olympics, when Russian law enforcement agencies announced they would monitor the communications of all foreigners.
In practical terms, the former members of the USSR use a variety of surveillance tactics, from physical monitoring in cyber cafes to advanced technical measures. From a legal perspective, ICT companies face thorny questions, as in most Eurasian countries, they must ensure that governments can install legal- interception technology on their equipment, but have no guarantees that the technology will be used ethically or legally.
In 2014, Russian politicians launched a number of initiatives with potential surveillance implications that could significantly limit Internet freedoms. In early July, the State Duma passed a law that requires Internet sites to store personal data of Russian citizens on servers inside the country, starting in 2016. Officially, the intention is to protect user data, but critics charge that the real goal is to create a legal pretext to exert pressure on — or shut down altogether – unruly elements of the online sphere, especially foreign services such as Facebook and Twitter. If foreign services comply with the regulation, the initiative may also make it much easier for intelligence agencies to access personal data.
Russia’s system for operative and investigative activities (SORM)
Allowing law enforcement agencies to monitor the activities of suspected criminals, SORM is Russia’s technical and legislative package for the legal interception of online communications. SORM has been widely adopted across the former Soviet Union; its use has been confirmed in Belarus, Ukraine, Uzbekistan, Kyrgyzstan, and Kazakhstan. Currently there are three different versions of the system: SORM-1 intercepts all telephone traffic (including mobile communications); SORM-2 monitors Internet traffic and VoIP; and SORM-3 monitors all communication media and provides for the long-term storage of data.
The principal difference between SORM and Western methods is the legal framework through which agencies monitor citizens. In the United States, a law enforcement agency can monitor a citizen with a court order, which is then implemented by the network operator or the Internet service provider. Under the legislative package for SORM, the officer must also acquire a warrant, but does not need to show it to the ISP, or to inform the ISP who is under surveillance, or allow access to surveillance equipment, the “black boxes” that intercept data. In a region where rule of law is weak and state security is prioritized, a system where no arm’s length third party, such as an ISP, is involved in the process is ripe for exploitation.
A recent bill, slated for implementation in 2014, would force private ISPs to pay for this data collection and retention, making all information available to Russia’s Federal Security Service (FSB) for 12 hours; in effect, it would download the cost and responsibility for implementing SORM onto the ISPs.
Surveillance goes mobile
The uptake of mobile phones, which in some countries has reached levels of 180%, has prompted renewed efforts to ensure that mobile activity is monitored. Many countries now require users to show official ID to register for SIM cards, making mobile activity easy to monitor. Countries have used different pretexts for requiring identification, but the result is the same – less anonymity on mobile networks.
Mobile surveillance measures have already put human-rights defenders and dissidents in many different countries at risk. For example, during the 2010 presidential election protests in Belarus, law enforcement bodies obtained data from carriers about subscribers who had used their mobile phones near the demonstration sites. The authorities later called some phone owners in for “talks.”
NSA revelations and the surveillance debate
Former NSA contractor-turned-whistleblower Edward Snowden found asylum in Russia in August 2013 as he was trying to make his way from Hong Kong to Latin America after obtaining thousands of files related to the agency’s infrastructure, activities, and methods. The documents exposed NSA’s mass collection of communication metadata on US citizens and allies such as Brazil, Germany, and France, and launched a global debate on the ethics and scale of state surveillance.
Despite its own extensive use of mass surveillance, as well as the lack of accountability of its security services, Russia seized on the global outcry over US surveillance practices in order to change the narrative in its favor. Russia used Snowden’s extended stay at Sheremetyevo airport and subsequent residency in the country to position itself as a defender of law and order in the world of surveillance, and as a champion of the rights of the stateless (Snowden’s American passport had been revoked).
Putin’s initial comments on the incident do not mention Snowden by name, but state the importance of observing legal methods and court orders when surveilling individuals. Putin later became more openly critical of the US, charging that US President Barack Obama can “spy and get away with it”.
In April 2014, during Putin’s annual televised question-and-answer session, Snowden appeared, via video, to ask him about the extent of the country’s surveillance practices. Putin assured Snowden, and the world, that Russia does not use a mass system of communication interception, and that surveillance is only carried out in accordance with court orders. There is, of course, extensive evidence to the contrary, most observers agree.
The ethics of ict companies in the post-soviet space
Doing business in the former Soviet Union presents some great ethical challenges. It goes without saying that companies looking to operate in foreign markets must follow the local legal structures. However, companies can easily find themselves in a position where following the law means engaging in ethically dubious activities.
Finnish-Swedish firm TeliaSonera discovered this in 2012. TeliaSonera, which has subsidiaries in six of the countries covered in this report, was accused of colluding with authoritarian regimes bent on crushing dissent. A report by the Swedish investigative show Uppdrag Granskning (Mission Investigate) alleged that TeliaSonera worked closely with Belarusian special services to provide real-time monitoring of dissidents. In Azerbaijan the documentary alleges that the company allowed the installation of “black boxes” on its equipment, effectively granting the law enforcement bodies access to communication and geo-location data without oversight.
Such incidents are not limited to legal intercept. An investigation by an independent news agency in Belarus raised allegations that Swedish telecommunications firm Ericsson had provided equipment that may have been used to track the mobile communications of protest participants. Belarusian security services allegedly did exactly that, monitoring unrest over the country’s 2010 presidential election. Networking and telecommunications equipment is dual-use: the same technology that ensures a high quality of service can also be used by security services to surveil targets.
The repression of human rights defenders in any country is reprehensible. However, the installation of legal intercept equipment is a prerequisite for doing business in practically every country, as is providing ICT development technology. This does not exonerate TeliaSonera, or any other foreign company in the region, if they are found to have colluded in unethical practices, but it does illustrate the challenges that ICT companies face as they work in environments where human rights are poorly protected.
This kind of challenge is likely to become even more difficult. In July 2014, Russian lawmakers passed a law requiring that all data on Russian users be stored within the country’s borders. Once signed by President Putin the law would take effect in 2016, posing a serious ethical dilemma for Internet companies like Facebook. If the data is stored within Russia, it is much easier for security forces to access the accounts of dissidents. Highlighting the challenges of doing business in states with poor rights records, this problem is not unique to Russia. Google, for example, left China in 2009 amid concern that it would be unable to protect users’ personal information.
Read part VII: A haven for cybercriminals