Circling the Lion's Den

'Russia’s Surveillance State'

In 2012Privacy International,CitizenLaband Agentura.Ru, the Russian secret services watchdog, have joined forces to launch a project entitled'Russias Surveillance State'. The aims of the project were to undertake research and investigation into surveillance practices in Russia, including the trade in and use of surveillance technologies, and to publicise research and investigative findings to improve national and international awareness of surveillance and secrecy practices in Russia.
Presentation of the project at the29th Chaos Communication Congress (29c3) held by the Chaos Computer Club [CCC], Hamburg, Dec 30, 2012.

The investigative stories made by the project:
Things to know:
At present there are eight agencies in Russia that can conduct operational investigations (including surveillance): the Interior Ministry (MVD), the FSB, the Federal Protective Service, the Foreign Intelligence Service, Customs and Excise, The Federal Anti-drug Agency, the Federal Prisons Service (FSIN) and the Main Intelligence Directorate of the General Staff (GRU).
Over the last six years, Russias use of SORM has skyrocketed. According to Russias Supreme Court, the number of intercepted telephone conversations and email messages has doubled in six years, from 265,937 in 2007 to 539,864 in 2012. These statistics do not include counterintelligence eavesdropping on Russian citizens and foreigners.

At the same time, Moscow is cracking down on ISPs that dont adhere to their SORM obligations. We discovered Roskomnadzor (the Agency for the Supervision of Information Technology, Communications, and Mass Media) statistics covering the number of warnings issued to ISPs and telecoms providers. In 2010, there were 16 such warnings, and there were another 13 in 2011. The next year, that number jumped to 30 warnings. In most cases, when the local FSB or prosecutors office identified shortcomings, they sent the information to Roskomnadzor, which warned the ISP. Penalties for failure to meet their obligations are swift and sure. First, the ISP is fined, then if violations persist, its license may be revoked.

Expanding the Surveillance State

In 1995, a presidential decree (No. 891) stipulated that "control over postal items, telegraphic and other communications ... shall be handed to the bodies of the Federal Security Service...[the FSB]". The same decree ordered that unified central control points (or remote control points) were to be established by the FSB. The first ones were established in Moscow and St. Petersburg, and subsequently in other Russian cities, at regional FSB departments headquarters. A cable was laid from these points to the premises of the providers where special interception equipment had been installed. In this way, the FSB became responsible for installing the SORM equipment, while other intelligence services and the police gained access to the interception system via FSB remote points.

By the first decade of the new millennium, however, the FSB were no longer in sole charge of the technical side of SORM. On forums across the country, Internet providers began to complain about being approached by a variety of different law enforcement and secret services officials demanding that interception equipment corresponding to their own needs should also be installed. At least five Russian government agencies now operate their own systems of interception.

To illustrate these relationships, we have published a number of tender notification letters for the SORM equipment supply, originally placed onthe Russian government procurement website(downloads below).
Examples of the state contracts for surveillance equipment (Legal Interception SORM).

The legal landscape

The legal framework governing surveillance operations in Russia primarily consists of the Federal Law on Operational-Search Activities(adopted on 12th August 1995) and the Code of Criminal Procedure of the Russian Federation. Over the course of the project, we will be analysing how the various pieces of legislation governing communications interception are applied by the courts, and considering firstly whether the existing legal framework is sufficient in and of itself, and secondly whether it is accurately understood and applied by the judiciary.

Also: Investigative stories 2011-12