In early 2014, the Winter Olympics were in full swing in Sochi, on the Black Sea, offering President Vladimir Putin the opportunity to show off the glory of his beloved Russia. Government authorities left very little to chance, running the event with an iron grip. The Guardian reported that as part of that effort, the Russian security service, the FSB, would be conducting “some of the most invasive and systematic spying and surveillance in the history of the Games.”
For Western readers, the story may have come as a surprise. But Russian journalists Irina Borogan and Andrei Soldatov have spent their careers reporting on the FSB, and they obtained a PowerPoint presentation detailing its surveillance capabilities at Sochi. As they explained in their book, The Red Web: The Struggle Between Russia’s Digital Dictators and the New Online Revolutionaries, the authorities had used a system called, in translation, System for Operative Investigative Activities, or SORM.
SORM has been used in Russia since 1995. The first generation SORM-1 tapped telephone communications; SORM-2 was designed for Internet and VoIP traffic. According to a report by Privacy International, SORM-3, introduced in 2014, captures information from all communication media and stores it for three years.
To siphon off all this data, telecoms and Internet service providers must install SORM-enabling “black boxes” on their networks. (Exactly how these boxes work remains murky. “We’re getting better at understanding how it works technically but it’s still very unclear,” says Edin Omanovic, research officer at Privacy International.) A warrant is required for the FSB (and, since 2000, other government agencies) to access the data, but it’s not obligated to show this warrant to the provider being served—meaning telecoms and ISPs don’t know what data is being examined. Irina Borogan adds that there is little oversight. “This system provides a lot of possibilities for abuse because the secret service does not need to show this court form for interception to anybody except their own superiors,” she says.
For the authorities, SORM-3 offers remarkable power, even in a country where widespread surveillance has been normalized. But it’s also offered an opportunity, however slim, for activists who would like to see that surveillance restricted. A newly formed nonprofit, The Society for Defending the Internet (OZI), has seized on one aspect of the system and hopes to leverage it into future challenges to the Kremlin’s surveillance regime—by making authorities pay the bill for SORM-3.
Led by Leonid Volkov and Sergei Boiko, the group is planning a class-action suit against the FSB. Volkov’s a leading voice in Russia’s movement for a free and open Internet; he also managed the Moscow mayoral campaign of Alexei Navalny, a regular thorn in the side of the Kremlin and founder of the Anti-Corruption Foundation. “SORM by itself is legal in Russia,” he explains. “It’s part of the governmental investigation procedures, but there is a law about governmental investigations that all the expenses for investigations should be carried by the government.”
So far, Volkov says, two providers have joined the suit (he’s only going to announce the names after filing the official paperwork), and he’s hoping to get ten to join. Volkov says ISPs spend about 30 percent of their budgets on SORM installation and maintenance. Meanwhile, according to figures obtained by Borogan and Soldatov, warrants for phone and email interceptions more than doubled between 2007 and 2012 (not including nebulously defined “counterintelligence eavesdropping”).
The providers ultimately pass on that cost to their customers, Volkov says, and they’re afraid to refuse the government, which ultimately decides who gets to provide Internet service. “Everyone knows that if they tried to sue FSB about the legality of SORM payments [their licenses] would just be revoked,” he says.
Borogan says broad legal action against Russia’s surveillance regime is likely to fail. One relevant example is the case of Zakharov v. Russia. Last December, the European Court of Human Rights ruled that mobile phone surveillance of Roman Zakharov, an editor at a publishing company, violated Article 8 of the European Convention of Human Rights—respect for one’s “private and family life, his home and his correspondence.” The ruling called for greater transparency for Russian citizens about government surveillance. “The domestic law must be sufficiently clear to give citizens an adequate indication as to the circumstances in which and the conditions on which public authorities are empowered to resort to any such measures,” it read. Yet within days of the ruling, the government swiftly passed a law allowing it to overrule international court orders to “protect the interests of Russia.”
Volkov understands the difficult environment in which OZI is maneuvering. The hope is that a targeted approach could reduce some of the financial burden and fear for ISPs. Only then will it be time to consider a more all-out challenge. “We have to wait for this first and then we will decide on what we’ll do on the legality of SORM itself,” he says.
Challenging SORM opens up a larger debate about Russian surveillance, which has gone largely unreported, says Privacy International’s Omanovic. Surveillance is deeply woven into the fabric of the Russian Internet, aided by regulations like the “blogger law” that requires sites with more than 3,000 daily readers to register with the government. Similarly, a proposed data localization law would obligate tech companies to store data on Russian users within the country’s borders; Soldatov, co-author of The Red Web, sees it as less a legal maneuver than a way to force tech companies to negotiate with the Kremlin.
Meanwhile, the government has cracked down on bloggers. Rafis Kashapov criticized the Crimean annexation and received a three-year prison sentence. Daria Poludova, another activist, was sentenced to two years in prison for social media posts lambasting Putin’s government. The prison sentences sent a clear message: We’re always watching what you’re doing.
“Most people in Russia know that your communications aren’t safe but they consider the situation as normal. This is Russia,” says Borogan with a dry laugh. “But it should be changed. I have noticed recently that opposition politicians and people involved in some kind of citizen activities have become more worried about the safety of their communications and started to use encryption.”
Volkov believes the OZI lawsuit can hasten a change in public opinion. But he needs more providers to join the fight. Otherwise, the challenge to the Kremlin’s surveillance regime may simply be the story of a few rebels, as Volkov puts it, “dying bravely.”
GIF by Bruno Moraes