[3205] in cryptography@c2.net mail archive
Russian FAPSI (NSA+FBI equivalent) wants lines to tap all ISP's
daemon@ATHENA.MIT.EDU (John Gilmore)
Thu Aug 20 13:39:11 1998
To: cryptography@c2.net, gnu@toad.com
Date: Wed, 19 Aug 1998 19:03:19 -0700
From: John Gilmore <gnu@toad.com>
It seems that Russia's FAPSI has been learning a lot from the FBI and
"digital telephony". They want ISP's to build wiretapping into their
networks, and even lease a line to FAPSI, capable of handling all
their traffic, at their own expense! This is the same agency that
controls licenses for Russian citizens to use any kind of encryption.
There's a good collection of information in English on this proposal at
http://feast.fe.msk.ru/libertarium/ehomepage.html
I'll also enclose a longish news article that covers much of the ground.
We sometimes forget that the terrible precedents for totalitarianism
that our own government is vigorously working on, are frequently
adopted and extended in societies with much less protection for
citizens. However much we let the bastards get away with here, worse
bastards will get away with ten times that in dozens of countries. If
we stop, and reverse, the trend here, it will tend to stop the trend
worldwide.
John

Russian Legislation Strikes Fear on the Net
By Jeanette Borzo
http://www.thestandard.net/articles/article_display/0,1449,1300,00.html
Russia's Libertarium site on the World Wide Web celebrated its fourth
anniversary this month. But site founder and coordinator Anatoly
Levenchuk, who himself is the proud owner of one of the first 150 Internet
addresses handed out in the former Soviet Union, barely noticed the
anniversary this year, because he, like many Web users in Russia, has
other things on his mind.
As early as this October, a new version of Russia's SORM ministerial act,
which stands for "system of efficient research measures", could be
approved by the Russian Ministry of Justice, according to sources in
Russia. Hatched between the FSB (a successor to Russia's KGB secret police
force) and the State Committee on Communications (Goskomsvyaz), the
so-called SORM-2 act would let the FSB boost its monitoring of
electronic-mail messages by digitally linking its offices with all
Internet service providers (ISPs) throughout Russia.
"The Internet is a virtual land of freedom," said Levenchuk. "SORM-2 will
be an invisible curtain between Russia and abroad, a curtain of distrust.
If we have uncontrolled Internet surveillance, it strikes fear into my
heart. SORM-2 will mean stealth eavesdropping that no one can audit
afterwards."
It's not just the obvious issues of human rights and personal privacy that
have Levenchuk and many other members of the Russian Internet community so
preoccupied. Russian Web users are also concerned about higher Internet
access costs, a chilled ISP market with fewer players, damage to a
burgeoning electronic-commerce market in Russia and even a further blow to
the already ailing Russian economy. For companies doing business in
Russia, or outside of the country but with Russian enterprises, SORM-2
could certainly change business practices concerning electronic-mail
communications as well as e-commerce transactions.
The Sorm Storm
As currently drafted, the SORM-2 act would require all Russian ISPs to
install a device that would connect the ISP to the security agency and let
the FSB eavesdrop on "all information (both incoming and outgoing)
belonging to subscribers of the network(s) in question," according to a
version of the proposed legislation posted on the Web.
"The stress is not about SORM, but about transition from the relatively
controllable SORM-1, with warrants, to the uncontrollable SORM-2,"
Levenchuk said. For FSB offices around Russia, "wiretapping will be (only)
as far away as a mouse click."
Last week, the SORM-2 interagency act went to the Ministry of Justice for
approval. If the Ministry of Justice approves the draft, then all that
remains is for representatives from the FSB and the State Committee on
Communications to sign the act. "Ministerial approval would be enough to
enforce the act through regulation enforcement (e.g., a licensing
procedure)," said Maksim Otstavnov, editor of Moscow weekly Computerra and
head of the Civil & Financial Crypto Labs at Moscow's Institute of
Commercial Engineering (ICE).
Although SORM-2 is not destined to be a law, per se, its approval will
ensure its enforceability, sources said. "SORM-2 is not a law; it does not
have the review process of the Duma, the Senate and the President's
office," Levenchuk explained. While the Duma may unofficially review the
act, it will have no jurisdiction over whether or not the act is signed by
the necessary parties for enforcement. However, "SORM-2 will act as a law
to ISPs and they will not be able to avoid this regulation," Levenchuk
added.
And under the SORM-2 act, there will be no way to ensure that FSB
officials obtain a warrant before monitoring communications, Otstavnov
pointed out. And it is this very lack of checks and balances within the
FSB that has Levenchuk worried. "SORM-2 means an uncontrolled and
unrestricted FSB," Levenchuk said. "It must not be one organization that
issues the warrant, applies the warrant, and carries out the warrant by
eavesdropping. The next thing they'll want to do is to act as the judge in
court."
"If the FSB has surveillance rights over society, I want society to have
surveillance rights over the FSB," Levenchuk explained.
And in Russia, the Internet society concerns significant numbers: Russia
has 350 Internet service providers and 1 million people using the
Internet, according to former Soviet leader Mikhail Gorbachev. Russia's
number of users doubles every year, Gorbachev said during a speech in
June, adding that traffic volume on the Internet grew 26 percent in the
first three months of 1998 over the volume measured in all of last year in
Russia.
How Real Is The Threat?
At its least menacing, SORM-2 is no more than an FSB attempt to test its
power over the Internet community here.
"It often happens with these organizations that they test the limits of
how far their authority can go," explained Robert Farish, International
Data Corp.'s research manager in Moscow.
"Last year we had similar situations with FSB propositions (and the FSB)
had to step back under public indignation," said Michael Novikov, marketing
manager for software developer Arcadia Inc. in St. Petersburg. For
example, Novikov explained, the FSB accused scientists who were working
with the Soros Foundation of stealing national security secrets while they
were selecting scientific projects for grant support. Public reaction made
the FSB back down.
In particular, because SORM-2 would require ISPs to pay for the
surveillance devices, many say the proposal hasn't got a chance.
"The ISPs themselves have to pay for this equipment and none of them
want to do that," said Farish. "They're not prepared to go out
shopping for equipment so that the FSB can snoop on their business."
And enforcing the SORM-2 act would require cooperation from more than just
Russia-based ISPs. "A great number of ISPs operating in Russia are owned
by foreign entities," said Drew Weeks, a Prague-based data communications
analyst who covers the Eastern European market for IDC. "So ultimately
there are some foreign fingers in the market that would be adverse to that
sort of monitoring, the FSB couldn't do it blindly and get away with it."
Still, ISPs may not have much choice in the matter, if they hope to remain
in business. "If an ISP does not fulfill the regulation, they will not
have their license renewed. They have no choice, deploy SORM-2 and have a
license, or don't deploy SORM-2 and have no license," Levenchuk commented.
Increasingly Cryptic
Under Presidential Edict No 334 of 1995, Russians are forbidden from
"manufacturing, selling and usage of encryption devices without a license
from FAPSI, the Federal Agency for Governmental Communication and
Information," according to Otstavnov, but Russia's encryption edict gives
no legal definition of "encryption" and so "most agencies believe the
edict covers only state secrets matters," he explained.
Encryption licenses are not widely held among Russian encryption users,
many said, and if SORM-2 enters the Russian Internet market through the
front door, unlicensed encryption technology is likely to storm through
the backdoor.
"The most likely effect (of SORM-2) would be a very significant increase
in the use of software encryption," said IDC's Farish.
"After the media hype over SORM-2 one would be insane to send business or
personally sensitive data over the Net," said Otstavnov, who added that the
SORM-2 initiative has worked already to boost the use of encryption: the
Russian PGP homepage
(http://www.geocities.com/SoHo/Studios/1059/pgp-ru.html) that Otstavnov
maintains has seen a tenfold increase in traffic in the last month.
Encryption, however, will hardly offer blanket protection for the Russian
Internet community.
"Advanced users will ignore SORM-2 by using more cryptography, but Russia
isn't a country of only advanced users," Levenchuk said. "Communication
lines have two sides, and if someone is wire-tapped on one side, then
there is surveillance on those who correspond with Russia too."
(Shrinking) Market Forces
So while those selling encryption technology into the Russian market would
likely benefit from SORM-2, many others would undergo a host of
disadvantages at the regulation's hands. The violation of human rights is
the first concern about SORM-2 for Arcadia's Novikov, and market damage
follows as a close second. Novikov anticipates an increase in ISP service
prices in order to cover installation and maintenance costs under SORM-2:
ISPs in Russia expect the surveillance device to cost $10,000 along with
approximately $1,000 per month for the line to the FSB.
"The SORM-2 financial burden will be quite heavy for small ISPs," said
Novikov. "Also, ISPs will lose some corporate users" because of fears over
insecure data exchange, perhaps through the possibility that the FSB would
reveal or sell corporate secrets."
"The first outcome will be rate increases," agreed Otstavnov. "ISPs
estimate SORM-2 costs at 10 to 15 percent of overall operational costs."
Also Russian Internet users may drop their Russian ISP in favor of a
non-Russian satellite service in order to avoid passing through
surveillance devices installed at Russian ISPs. But "just a very few
Russian Internet users could afford that," Novikov said, adding that many
students may have to give up the Web, as the cost of privacy increases.
"This additional investment will be paid from the pockets of users and it
will be a more expensive Internet in Russia, with fewer users," Levenchuk
said. "ISPs will have to make additional investments to have a license,
and that means there will be fewer Internet providers because it will be
more expensive to establish Internet service."
And as the ISP market shrinks, so is the level of market competition
likely to decline. "Right now the ISP market is rather competitive,"
Otstavnov noted. "Kicking out of smaller players would mean further cost
increases and a service quality drop."
Novikov also expects SORM-2 to mean "heavy damage to the e-commerce
industry" as well as a general chill put on Russian Internet development
in general. Russian businesses may simply decrease their use of the
Internet, he added.
Business users from abroad may shy away from working with Russian
enterprises, and Russian network managers will need to think twice about
corporate e-mail policies. "The writings of business people will not be
private, they will be sent to their correspondent and to Federal Big
Brother (as the FSB is often called in Russia)," Levenchuk said.
Internet growth in Russia may also be stunted. "Users will not trust the
Internet as a new media," Levenchuk said, adding that the FSB threat will
be much more real than the threat of hackers, which has already got some
potential Internet users worried. "They can trust Internet with mythical
hackers but they will not trust the Internet with the legendary FSB."
As a result, business may suffer.
"SORM-2 will be bad for e-commerce between Russia and other countries,"
Levenchuk continued. "SORM-2 applies to every network, including x.25
providers, not only to e-mail but to every online communication including
financial information and e-commerce. People from abroad will be less
trustful of Russia."
SORM-2 may also have a wider impact on the economy. "This creates a
problem of trust for the Russian economy as a free-market state,"
Levenchuk said.
So, for example, investments in the Russian telecommunications industry
might decline, Novikov said, as SORM-2 would mean "a reduction of
Russia-investment attractiveness, and possibly a decrease of investment
ratings."
The Final Word?
Of course, if SORM-2 is approved it will be subject to legal challenges,
like all government regulations. For example, the Parliament or civil
claimants could challenge SORM-2 in court, Otstavnov pointed out.
Failing legal challenges, the government will still have to dominate
market realities in order to effectively enforce SORM-2.
"I would doubt that the Russian government would be sophisticated enough
to carry out such a plan," said IDC's Weeks.
And as many Russians know, the government doesn't carry out every act it
signs.
"Just because something becomes law in this country doesn't necessarily
worry people," said IDC's Farish.
Or, as Arcadia's Novikov put it, "It's a common Russian tradition - not to
follow the law."