Moscow Times, March 16, 1999
Beware FSB Surveillance Of Internet
EDITORIAL
In a master control room in the bowels of the Lubyanka, teams of FSB
agents spend their days intercepting private correspondences sent via the
Internet between friends, lovers, business partners, politicians. And there
is no one watching the watchers.
It's a disturbing idea. And as Jen Tracy reports in Business Extra on Page
15, it is well on its way to becoming a reality.
A new regulation known as SORM-2 is under review at the Justice Ministry,
awaiting minor tweaks before its eventual enactment. This regulation would
allow the Federal Security Service, or FSB, to conduct real-time monitoring
of every e-mail message, credit card transaction and web page sent or
received in Russia.
The SORM-2 arrangement would have this information piling up in FSB
computers. In theory, the FSB would need a warrant to look at any of it; in
practice, however, the FSB has already demanded such information from
Internet service providers without warrants, so there is no reason to
expect particular compliance with the constitution on that point.
The U.S. government already monitors international e-mail traffic through
the National Security Administration, and the NSA's legal authority to do
so seems equally dubious. But at least the NSA, unlike the FSB, has never
been accused of selling the information gathered for use as political
kompromat or using it to blackmail prominent businessmen. Nor, for that
matter, does the NSA trace its roots to that of a Soviet secret police
organ that tortured and killed.
The SORM-2 proposal also calls for Internet service providers themselves
to lay out the thousands of dollars it will likely cost to install the
surveillance hardware the FSB needs. Providers will pass on the cost of
this hardware to the consumers in the form of a 15 percent cost hike -
which means Internet users will pay more for the pleasure of being spied
upon.
That Internet service providers are a bit timid in leading the fight
against SORM-2 is not surprising - the FSB can just pull the licenses of
troublemakers and shut down their businesses. But SORM-2 ought to be
derailed, and providers should be encouraged to do more.
For starters, providers could indeed dump old stored e-mails from their
computers. These e-mails are stored as a byproduct of programs that track
each Internet user's web hits - but those programs could also be rewritten
to be more selective. Providers have no business storing old e-mails for
long periods of time - only so the FSB can come along and demand to read
them.
***************************
Who Reads Your E-mail?
By Jen Tracy
Imagine every one of your incoming and outgoing e-mails, every one
of your credit card purchases and every one of your electronic
banking transactions popping up in real time on a computer at the
Lubyanka, the former KGB headquarters that now houses Russia's
Federal Security Service. Imagine the FSB's computers collecting and
storing this information - for years, perhaps even decades - without
ever once bothering to obtain a warrant. That is the reality the FSB
is striving toward with a little-known legal project dubbed SORM-2.
The Russian security service is seeking what its American
counterparts have long enjoyed: complete access to the electronic
communications traffic of the nation's people and organizations.
SORM is the Russian acronym for Sistema Operativno-Rozysknykh
Meropriyatii, or System for Operational-Investigative Activities. A
1995 regulation called SORM -1 gave the security services the power
to monitor all telecommunications transmissions - provided they first
obtained a warrant.
That is the way things work now: The FSB and FAPSI, the Federal
Agency for Governmental Communication and Information, already
monitor e-mail transmissions. To do so, they must either tap into someone's
telephone - a time-consuming process that involves physically
splicing into select lines - or visit that someone's Internet service
provider. Either way, transmissions cannot be monitored in real time,
and the FSB needs a warrant before it can even get started.
In August, however, the FSB and the State Communications Agency,
Goskomsvyaz, drew up an addendum to the SORM regulations called
SORM-2. It would require all of Russia's Internet service providers -
there are about 350 across the nation - to install an FSB-provided
"black box" monitoring device in their main computers, and to build a
high-speed fiber-optic line from that device to the FSB. Because
SORM-2 is to be enacted as a regulation and not a law, it will be
reviewed by the Justice Ministry, but will not need the approval of
either parliament or President Boris Yeltsin.
These SORM-2 listening devices would route copies of all Internet
traffic to FSB computers - warrant or no. In theory, a warrant would
be needed to actually read any of the documentation piling up in the
FSB's hands. But in practice, human rights groups say, the FSB is
unlikely to worry about such legal niceties when the information it
wants is just a mouse-click away. In other words, human rights
activists are predicting a complete loss of Internet privacy for the
more than 1 million people in Russia who use the Internet - and for
tens of thousands more who use credit cards or other electronic
banking instruments here.
"This is a police-state practice. (The FSB) should not be alone
in its right to surveillance. Society should be able to audit the
agency in return. It's a step toward dictatorship," said Anatoly
Levenchuk, a Moscow-based Internet expert - and the man who first
revealed the existence of SORM-2, by posting a draft of the FSB
project on his own web site, www.libertarium.ru.
But the FSB is not the first to come up with the idea of tracking
all Internet traffic. The U.S. National Security Agency has been
doing it for years: Electronic surveillance information is collected
from across North America, Europe and Australia through an
international network called ECHELON, and routed to the NSA complex
in Fort Meade, Maryland.
The NSA has never confirmed that. But then, the NSA's own
existence was a secret - despite its staggering annual budget of $ 8
billion - until a 1982 book, "Puzzle Palace," told about it. Since
then the NSA has set up its own web page (www.nsa.gov:8080) - and
more and more information has come out in recent years about its
activities.
"Within Europe, all e-mail, telephone and fax communications are
routinely intercepted by the United States National Security Agency,"
according to a report commissioned by the European Parliament, and
presented to the parliament in January 1998.
"ECHELON indiscriminately intercepts large quantities of
communications and uses computers to identify and extract messages of
interest from the mass of unwanted ones," wrote New Zealand author
and researcher Nicky Hager in a 1996 book about the NSA, "Secret
Power." A key difference between the American and Russian security
services is that Russian spetssluzhby have a nasty habit of selling
information gathered electronically to the highest bidder, and the
information ends up serving political ends. As Noviye Izvestia noted
Friday, Internet users are already ironically referring to SORM as
Sistema Oblegcheniya Rassledovaniya Materialov, which could be
roughly translated as a System for Scandalously Unveiling
Investigative Materials. The newspaper Novaya Gazeta in January even
argued that this was the main point of SORM-2 - to let FSB agents
gather material for use in blackmailing business people and for other
dubious yet profitable activities.
The FSB can only dream of the $ 8 billion allocated to the NSA:
The entire 1999 Russian federal budget only foresees spending of
about $ 25 billion at current exchange rates.
In SORM-2, however, the FSB has come up with its own solution to
the expensive problem of setting up a Russian-style ECHELON system:
The FSB wants Internet service providers to pay for the installation
and maintenance of the SORM-2 black boxes and dedicated FSB hotlines.
Providers and Internet analysts say picking up the costs of
SORM-2 would set providers back thousands of dollars a month. That
extra cost would be passed on to Internet users in the form of
markups of 10 percent to 15 percent - which could be horrible for
business, as Internet access in Russia is already expensive, running
at least $ 30 or $ 40 a month for most people.
Dozens of the nation's smaller providers would not be able to
sustain the burden of paying for both their own costs and for SORM-2.
"The SORM-2 financial burden will be quite heavy for small
(providers)," said Michael Novikov, marketing manager for St.
Petersburg software developer Arcadia Inc., in an interview with The
Industry Standard computer magazine. "(Providers) will also likely
lose some corporate users because of fears over insecure data
exchange, perhaps through the possibility that the FSB would reveal
or sell corporate secrets." One way around SORM-2 is the use of
encryption programs. Legal experts disagree on whether private
individuals or companies in Russia can encode their e-mails and other
electronic correspondence, but Levenchuk, who has looked into it thoroughly,
insists it is legal.
And already people are turning to encryption. Maxim Otstanov, the
host of the Russian version of a U.S-based web site that offers the
commonly used encryption program Pretty Good Privacy, or PGP, says
that since the news of SORM-2 was first leaked by Levenchuk in the
summer, the number of hits to his web site have more than doubled.
You remember the KGB, don't you?" said Yury Vdovin, deputy
chairman of Citizens' Watch, a St. Petersburg-based human-rights
group. "They're used to collecting dossiers on citizens, just in
case. They collected, collect and will continue to collect
information on us. Now they're asking me to pay extra so they can tap
me at an even higher quality?" As Vdovin's comment suggests, there
seems to be a natural alliance between Internet providers and
human-rights activists against SORM-2. But appearances can be
deceptive: No such alliance has materialized, and the two groups are
often suspicious of each other.
Human-rights activists complain that providers are too
FSB-friendly as is - and allege that providers themselves are already
running their own mini-SORM -style operations, storing years worth of
their clients' old e-mails.
At a Citizens' Watch conference on privacy held last month in St.
Petersburg, Ivan Seckey of the Open Society Institute at the Central
European University in Budapest said that Russian Internet service
providers could be doing much more to fight the FSB.
"They should delete all transmissions immediately, so the FSB
can't force them to hand over information by threatening to revoke
their licenses," Seckey said. "They don't do this now because they
need the benevolence of the authorities, and also because they use
certain information for marketing purposes." Providers concede that
they store information about a client's Internet activity - that is
how they keep track of "hits" on certain web sites, and assemble
information about those hits by demographic factors, which is
important to advertisers and would-be advertisers on a certain web
site. And they concede that e-mails get stored along with that
information, because the programs that track Internet activity don't
differentiate between different kinds of activity - it all just gets
sent into the memory banks.
But beyond that, providers say the human-rights activists often
don't know what they're talking about. And they also say they are
afraid to stand up to the FSB and Goskomsvyaz because the state can
pull their licenses. Given that FSB power over their fate, it's not
surprising that many providers disdain the fiery talk of the human
rights and privacy rights activists, and instead try to speak carefully
of SORM-2 - as a narrow business dispute with the FSB
over who will pay for it.
"There is no conflict now (over SORM-2)," said Andrei Sibrant,
director of Moscow's Glasnet. "When the FSB comes to me with specific
documents detailing what technology I need to install and how much I
will have to pay for it, then there will be a massive conflict. Until
then there is no reason for human rights groups who know nothing
about the business to provoke a conflict." Andrei Sorokin, executive
director of St. Petersburg's Peterlink, offered a similar view. "I
will not, I repeat, will not buy this equipment for the FSB. This is
ridiculous. We'll have to pass along this cost to the customers.
We're in the middle of a crisis and they can barely afford the
Internet as it is," he said in a telephone interview. But if that
sounded combative, Sorokin's rhetoric is, like that of many other
providers, simply the opening bid: "When the time comes, we will band
together and fight. They can't close down an entire market. But until
then, there is nothing to fight." Levenchuk, the Internet analyst who
first spoke about SORM-2 on his web site, has long been trying to
organize opposition to it. It has been an uphill slog - in no small
part because Internet service providers themselves are rarely eager
to stand up to the FSB. "Usually providers are more FSB-friendly than
the public thinks," Levenchuk said.
The same complaint comes from Yevgeny Prygov of Krasnodar, who
was working with Levenchuk as the coordinator of an official
anti-SORM movement with its own web site, www.antisorm.df.ru.
"Well, the movement was a good idea but the movement has been
broken," Prygov said in an e-mail interview last week. "It lacks the
interest of (Internet service provider) executives." "The crisis in
Russia has redefined some of the priorities and the Anti-SORM
movement is one of the victims of this process," Prygov continued.
"People are thinking about how to stay alive and they forget the
value of freedom." In fact, about the only thing Prygov's anti-SORM
movement seems to have done was set up a web site, announce itself -
and disband.
"No steps were taken - only talks," Prygov admitted. "Everyone is
so afraid. I don't have a family but even I alone cannot go without
work for a month and expect to eat. We have to be careful to survive.
We have no reserves. The standard of living here is not to be
compared to that in Moscow or St. Petersburg." But even in Moscow,
the standard of living is no picnic for the unemployed. Membership in
the anti-SORM resistance movement has crumbled just as quickly here.
"They lasted all of five minutes," Levenchuk said. "The FSB
usually wins these things." The Internet service provider Data Force
was one of two Moscow companies that tentatively decided to oppose
SORM-2."After we had a discussion we decided to (join the) protest,"
said Sergei Domatov, Data Force's assistant director. "Afterward the
FSB contacted us, and we decided at this point there is nothing to
fight about. The FSB is doing their job, and we are doing ours." If
providers seem quick to fold, in part that's because they have long
ago learned the futility of arguing with the FSB. Even before SORM-2
the FSB has been known to request access to e-mails and other
information - with or without a court order.
Peterlink is one of many providers where company officials can
recount a visit from FSB agents who refused to present a warrant.
"We refused to give them information, but they're professional,"
said Sorokin of Peterlink. "They threaten to revoke our operating
license. We want to protect our clients' rights - but we also have to
protect our business. Everyone is afraid." "The FSB comes to
providers here and says simply, 'We want full access to all e-mail
traffic of your clients.' We ask for a warrant or court order, they
don't have one, but they have the power in every structure in the
province and (providers) surrender to stay alive," said Prygov of the
anti-SORM movement.
To date, only one provider has refused to conform to SORM-2
regulations. Since last April, Oleg Sirov of Volgograd-based
Bayard-Slavia Communications has repeatedly refused to cooperate with
FSB requests for information, demanding first to see a warrant. He
has also refused to foot the bill for the required technology.
But in telephone interviews from Volgograd, officials at
Bayard-Slavia Communications say they have recently been threatened
by the FSB with losing their license. They also say they have faced a
tax police audit that turned up nothing but was harrowing just the
same. Watching from Moscow, Levenchuk says of his friends at
Bayard-Slavia, "I am afraid that the official reason for withdrawing
their license will not be related to SORM-2." Boris Pustintsev,
chairman of St. Petersburg-based Citizens' Watch, said he was
pessimistic about the chances of an anti-SORM resistance movement
among providers.
"I'm sorry to say that they will probably only be successful in
going broke," he said.
But Pustintsev added that if more than half of all providers were
to unite, then with the backing of human rights groups they could
succeed.
"We will broadcast (news of the battle) throughout the world. The
FSB can't close them all down. That would be a scandal of
international proportion and Russia can't have that right now,"
Pustintsev said.
Citizens' Watch has set a self-imposed deadline of June to draft
proposals, to be read in the State Duma, the lower house of
parliament, on creating a system of checks and balances on SORM-2.
One such proposal described by Vdovin would involve giving a
"key" to the FSB computers receiving information from SORM-2 black
boxes and hotlines to an independent third party. That key would only
be loaned to the FSB when its agents can produce a court order; the
third party would also keep a log of all FSB SORM-2 eavesdropping
activity.
But human rights and privacy activists are quick to add that
SORM-2 raises fundamental questions about freedom that can't be
solved with a few laws and clever ideas.
"It's a problem of educating the people - starting from the
ground up," Levenchuk said. "It's no use fighting the FSB when no one
understands what the fight is for." Christopher Hamilton and Bradley
Cook contributed to this report.