Telegram Besieged

Published by Damir Gainutdinov at 05/02/2018

Source: Flickr

A case initiated by the Russian Federal Security Service (FSB) against Telegram messenger last summer was the Russian authorities’ first demonstrative attack on digital privacy. It was meant to send a signal to both internet service providers (ISPs) and users, and part of a broader war against the free internet launched by the Russian authorities back in 2012, shortly after the protests in Bolotnaya Square in Moscow and at the start of Vladimir Putin’s yet another presidential term.

Along with further tightening of so-called anti-extremist legislation and a 40-fold increase in fines for participation in “unauthorized” rallies, the authorities began taking steps to gradually establish total control over the then self-regulated “Runet”. They used two main instruments: restricting access to prohibited information and expanding surveillance of users, while guiding ISPs into cooperation by threatening to block access to their services in Russia.

Initially, the authorities justified extrajudicial blocking of websites by the need to protect children from harmful influences such as drugs, pornography, and suicide. But then they kept adding new reasons why access to resources should be blocked, and 18 months later, the list included new entries such as “calls to participation in protests” and publication of “extremist” materials. This increasingly meant any criticism of the government or caricatures of government officials.

Today, this list of resources blocked in Russia consists of almost two dozen items, including webpages of “undesirable” organisations, social networks, search engines, news services and messengers who refuse to comply with Roskomnadzor’s¹Federal Service for Supervision of Communications, Information Technology and Mass Media. requirements. This list does not replace but is added to the tens of thousands website blocks ordered by Russian courts each year.

In 2014, the term “information-dissemination organizer” was added to Russian law; this phrase effectively covers any internet services enabling the dissemination of information as well as any websites where users can leave comments.

Since 2016, such internet services have been required to store all their data in Russia. This includes user data and metadata, i.e. data on access and connections between subscriber devices, as well as all transmitted messages, be they voice or text.

In the same year, the Russian authorities blocked LinkedIn for refusing to move user data to Russia. In 2017, they blocked Blackberry Messenger, Imo, Line and Zello for refusing to register as “information-dissemination organizers.”

Russian security services have used this legislation to implement the “SORM” system, a holdover from the Soviet past used to store all data traffic for extended periods of time. This technology has proven ineffective in a new digital reality. While things look good to them on paper, with the registry of information-dissemination organizers already including more than a hundred internet services, encryption remains an insurmountable obstacle to total control. Today, more than 70% of the world’s internet traffic is encrypted—and that even if one counts only data transmitted via https and disregards encrypted emails, text messages and voice traffic—and the share of encrypted traffic will definitely increase up to 100%.

Since 2016, ISPs using encryption in Russia are required to provide the FSB with their encryption keys to allow decryption of any correspondence. While the local services Vkontakte, Mail.ru and Yandex have long since cooperated with the Russian authorities, this requirement now also applies to any and all of the world’s ISPs.

In June 2017, Roskomnadzor required Russia’s fourth most popular messenger Telegram to register as an “information-dissemination organizer.” At that time, the messenger’s Russian audience stood, by various estimates, at 6 to 10 million users. The founder and CEO of Telegram Pavel Durov made a statement to the effect that any information needed for entering Telegram in Roskomnadzor’s registry was publicly accessible. But Telegram would never disclose its subscriber data to any government in the world.

Nevertheless, on 12 July 2017, the FSB sent the company its first request for “information necessary for decrypting” messages in 6 subscriber accounts allegedly belonging to persons suspected of terrorism. Having received no response, the FSB drafted a report of administrative offence under Article 13.31 (2.1) of the Russian Code of Administrative Offenses, and on 16 October 2017, a magistrate court imposed a fine of 800,000 rubles to be paid by Telegram. While this may seem like a small amount for a global company expecting to raise up to five billion dollars in investments in the near future, this court ruling would enable the Russian authorities to demand cooperation once again and then block Telegram permanently for Russian users if the company refused to comply.

Thus the company challenged the FSB and magistrate’s actions on the following main grounds.

First, disclosure of encryption keys effectively means granting access to user correspondence, which requires a court order, according to Article 23 of the Russian Constitution, Article 186 of the Code of Criminal Procedure and Article 9 of the Federal Law on Operative-Search Activity. The company did not receive any court orders requiring such disclosure.

Second, the FSB did not have the authority to send requests for information disclosure directly to a foreign company but had to use special mechanisms and procedures established by the Russian Code of Criminal Procedure and the European Convention on Mutual Assistance in Criminal Matters.

Third, the end-to-end encryption architecture used in Telegram’s secret chats means that encryption keys are generated locally by user devices and nobody else can access them, not even Telegram’s administrators. The company simply had nothing to provide to the FSB. Under such circumstances, the requirement to “hand over encryption keys” would mean creating a backdoor to allow security services uncontrolled access to all user communications.

In this regard, it is worth recalling the position expressed by the UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, “…there is no special access that can be made available only to government authorities, even ones that, in principle, have the public interest in mind. In the contemporary technological environment, intentionally compromising encryption, even for arguably legitimate purposes, weakens everyone’s security online.”

Fourth, in considering the case brought before it, the magistrate court committed a number of procedural violations, such as not having the jurisdiction over such matters, absence of a prosecutor during the proceedings, as well as the party having drawn the administrative violation report, lack of convincing evidence, and failure to examine the key aspects of the case.

Adding Telegram to Roskomnadzor’s registry and demanding access to several Telegram users’ correspondence appeared to be yet another exploratory attack, after the one on LinkedIn, designed not so much to squeeze the company out of the country but rather to test the global and Russian internet community’s reaction.

At the same time, the Russian authorities continue to build a regulatory framework to enable more surveillance and to shift the costs and responsibility for its implementation to the IT industry.

For example, since recently, ISPs have not been allowed to disclose information about specific requests from the authorities concerning user data. A law requiring messenger operators to identify their users came into force in 2018, while last year, Roskomnadzor declared war on anonymous cell phones and reported a record 106,500 of confiscated “illegal” SIM cards.

The absence of civic oversight—and illusory judicial oversight—over security services is exemplified by the fact that in the past 10 years, Russian courts satisfied more than 98% of their requests for warrants to wiretap phones and extract private information from communication channels. This makes encryption the only remaining guarantee of privacy.

We also should note that government invasion of privacy and further expansion of surveillance are global rather than country-specific trends. Thanks to Edward Snowden, we now know about the NSA’s program for mass interception of telephone conversations and web traffic around the world. UK home secretary Amber Rudd said recently that law-abiding “real people” do not need encryption. Even the governments of certain countries believed to be fully democratic tend to cooperate with bypassing the constitutional guarantees of their citizens’ privacy and anonymity.

In the coming years, we are likely to see further struggles between two kinds of legislation and technology: those that enable governments and corporations to eavesdrop on citizens, and those that support citizens in preserving their anonymity, through which they can implement their fundamental rights.

Legal documents related to the Telegram case are available in Russian only.[:]