Circling the Lion's Den

Is there mass surveillance in Russia?

Andrei Soldatov

In Russia the concept of surveillance and telephone tapping is well-established in the national psyche. There is a commonly used expression “this is not a conversation for the telephone” meaning that some things are better not discussed on the phone as it might be tapped. This expression came into use back in the Soviet times and is still part of our vocabulary.

Indeed, the system of electronic surveillance in Russia is rooted in its Soviet past. The system of special investigative actions known as SORM (sistema operativno-rozysknyh meropriyatii) was developed in the depths of KGB in the late 1980s and since then has been constantly updated. As a result, today SORM-1 is used to tap telephone lines, including mobile networks, SORM-2 intercepts the internet traffic and SORM-3 takes care of collecting all communications, their long-term storage and access to all subscribers’ data.

However, the key element of SORM — its unaccountability has remained in all its versions. And the reason for this is technological differences between the Russian SORM standard and the European ETSI and the USs CALEA.

In the US and Europe a law enforcement agency obtains a court order and sends it to the service provider who takes a copy and forwards it to a security service.

In Russia FSB officers also must have a court warrant. However, they are not required to show it to anyone apart from their superiors. Communications service providers are not entitled to know whose conversations or emails security services are intercepting. So from the point of view of technology, the system is designed in a different way: FSB has SORM Control Centres that link via a secure line to a service providers servers. In order to tap someones phone all the security agent has to do is type the command into the SORM Control Centre located on the premises of the local FSB office. This system is reproduced all over the country and in each regional capital the local FSB office is connected to all the regional communications providers.

The only reason why the system is designed in such a way is because it was developed by KGB in the USSR and in those times the idea of oversight in relation to surveillance had never been contemplated. Following the break-up of the Soviet Union a requirement to obtain a court order was introduced, but from technology point of view the system was left as it was, which is why there is no requirement to present the court order to anyone outside of the security service.

For a long time technology restrictions held back apparent lack of oversight with regard to the surveillance system in Russia. Although there were eight agencies with surveillance powers (FSB, Ministry of Interior, Federal Guard Service, Federal Drug Control Service, Foreign Intelligence Service, Penal Service and General Intelligence Directorate), in practice telephone tapping and internet traffic surveillance was conducted by the Federal Security Service (FSB) on request from other agencies.

FSBs phone tapping capabilities were limited to such an extent that there was a list of telephone numbers waiting to be put under surveillance.

In mid-2000s everything changed when other agencies began to develop their own parallel phone tapping systems. Today the Ministry of Interior, Federal Drug Control Service and Penal Service all have their own systems which allow them to listen in to peoples conversations without turning to FSB for help.

This, of course, extends the opportunities to intrude into peoples private lives. And where there are more opportunities to obtain private information, there are more opportunities for corruption.

While looking at the criminal cases related to unlawful phone tapping we noticed that since 2000 almost all the cases involved members of surveillance units of the law enforcement agencies. While in 1990s the surveillance was conducted by private detective agencies, private security firms and other private agents, today some police officers sell to entrepreneurs capabilities of their technologies. And this happens on a regular basis because its cheaper and safer to bribe a law enforcement agent than to maintain own security unit.

This trend means that its not only political activists and members of the opposition who can fall victim to the surveillance. It is also economically active citizens whose information may be of interest to their business partners or competitors.

A year ago, on 17 April 2014, during Direct line question-and-answer session with Vladimir Putin, Edward Snowden asked him about a mass surveillance of online communications and a mass collection of private data by intelligence and law enforcement agencies. The Russian President replied:

To begin with, Russia has laws that strictly regulate the use of special equipment by security services, including for the tapping of private conversations and for the surveillance of online communications. They need to receive a court warrant to be able to use this equipment in each particular case. So there is no, and cannot be any, indiscriminate mass surveillance under Russian law.

Even at the time it was clear that Vladimir Putin was being sly: the requirement to have a court order doesnt guarantee due oversight in relation to security services. Nevertheless, with regard to mass surveillance he was formally right. Russian SORM system is designed as targeted surveillance system which means that using it requires the name of the individual to be subjected to surveillance (or other identity details, such as their phone number or IP address). This information then allows to intercept all the communications of this individual.

However, in spring of 2015 the situation has changed. In April 2015 a new updated online SORM systemwas introduced in Russia, whereby SORM functions are combined with DPI technology (Deep Packet Inspection). This technology allows to look inside the data packets. Not only you can read the address on the envelope, you can also open it and read the letter inside, said an engineer who works with this technology while explaining how DPI works. It can get inside anyones internet traffic and read, copy and even modify their messages and the web history.

DPI can sort the traffic according to users and protocols and create a full log of the data downloaded and viewed by any user. For the first time Russian security services have the opportunity not only to spy on citizens, but also by means of SORM and DPI to find and identify in the flow of data traffic those individuals who discusses particular topics online or visits certain webpages and social networks. This brings the Russian system much closer to the idea of mass surveillance than a year ago.