SORM & Co.: Russia at the forefront of digital mass surveillance

A study provides insights into Russian state espionage systems such as the SORM eavesdropping infrastructure, deanonymization and facial recognition.

This article was originally published in German and has been automatically translated.

More and more countries are intervening in the digital lives of their citizens and pushing ahead with online surveillance. The EU is no exception with its planned chat control and constant attempts at data retention. However, Russia is one of the pioneers in these processes, writes the civil society organization RKS Global in its recently published status report. The enormous resources that the Russian authorities spend on mass surveillance enable them to "effectively persecute political opponents", according to the study. However, they "do not protect society from tragedies such as the recent terrorist attack on Crocus City Hall" near Moscow.

According to the study, state surveillance in Russia is primarily based on technical infrastructure that is directly integrated into networks. This enables mass surveillance of users. Internet providers and providers of electronic services not only act as deputy sheriffs, but are also "agents of mass surveillance". The legal basis for this is "laws with open objectives and formulations", which give law enforcement authorities and secret services such as the FSB a "wide margin of discretion". This in turn encourages abuse of power. Those responsible are not held accountable, according to the analysis. Overall, the principle of proportionality is violated "as many aspects are secret". Public control is not possible.

The Russian surveillance system targets citizens of the country and third countries almost indiscriminately, with a particular focus on migrants. Attempts are being made to "capture all internet users and remove their anonymity, including through the use of technological solutions". With laws for bloggers, for example, many communication services have been obliged to retain content data for six years and metadata for up to one year since 2014 and 2016 respectively. The regulatory authority Roskomnadzor interprets the requirements very broadly and applies them not only to common messaging services, but also to apps for online banking with a chat function, for example.

RKS pays particular attention to the SORM system, the technical infrastructure controlled by the FSB for intercepting electronic communications. This "provides round-the-clock, real-time and warrantless access to communications data, including subscriber data, unencrypted message content and log, billing and geolocation data". SORM allows investigators to access "practically all information that is transmitted via telecommunications providers or channels without users and operators being aware of it". It is now also possible, at least in part, to monitor some virtual private networks (VPNs), Skype, encrypted chats via WhatsApp, Telegram and Signal, for example, as well as satellite communications. The most recent changes, from September 2023, brought VoWiFi (Voice over Wi-Fi) and Wi-Fi calling into the scope of interception.

According to the report, there are no legal requirements in Russia for the use of biometric data for surveillance purposes. "This blurs the boundaries between online and offline surveillance and makes the system untraceable and susceptible to abuse and corruption." This applies in particular to the increasing use of automated facial recognition, which is integrated into one in three video surveillance cameras. Profiling and hacking on behalf of the state could not be comprehensively analyzed, as there is also no specific legislation or official documents on this, so one has to rely on insider and expert testimony. The European Court of Human Rights (ECtHR) has already repeatedly criticized problems in the Russian legal framework surrounding mass surveillance and deep intrusions into the right to privacy.

(anw)