Russia’s Federal Security Service now has a means to collect encryption keys from internet companies that will decode otherwise unreadable data on the internet, it announced on Tuesday.
The FSB announced the capability on its website but the actual order, which would detail the process, was not made public.
One month ago, Russia passed a sweeping surveillance bill requiring encryption backdoor access for the state, among other expansive new spying rules. The legislation specifically pointed out apps like WhatsApp (which is owned by Facebook), Viber, and Telegram. Noncompliance can result in a fine of 1 million rubles—or $15,000—but it’s not clear how frequently that punishment can be levied.
WhatsApp, Viber, and Telegram representatives have repeatedly declined to comment on the new backdoor law in Russia.
Two weeks ago, Russian President Vladimir Putin ordered the FSB to produce the “encryption keys.”
Russia’s new surveillance reality is one of the most extreme moves in a global debate over encryption, privacy, and surveillance. What makes it even more incredible is the utter lack of transparency from the Russian government and businesses in the country.
“It’s important, but we don’t know what FSB actually suggested yet,” Anton Nesterov, a Russian technologist, explained to the Daily Dot in an email.
Actually, no one seems to know what this new law means in the slightest. Or, more accurately, the people who do know are keeping mum.
To illustrate just how much we don’t know, Nesterov has a long list of technical and legal questions he wants answered on the law:
In a way that it’s written in the law, it’s a disaster, and brings a lot of questions. Should SSL keys be shared? Ok, we can share SSL keys, but what about PFS?
Should it never be enabled, or we should patch openssl to keep track on session keys and then send billions of them to FSB? What about payment systems? I’m not sure if it’s allowed by Visa/MasterCard rules to share encryption keys with a third party.
How can leaks be prevented? Passing keys allows authorities not only to decode transmitted everyone’s information, including people who wasn’t original target [sic], but also to perform active attacks, which can be a major problem.
Should we share keys at request or at the time we started using it? What’s kind of transmitted data covered by this law? All kinds of data? Should we also share SSH keys, giving direct access to servers? Should we share VPN keys used by companies to connect to their internal networks?
These are the questions which should be answered by FSB decree, it’s internal documents and practice.
The one organization that did provide comment on this situation struck a defiant tone. Tor, the American-based and funded anonymity network, is decentralized around the globe.
“We encourage people to try anonymous, decentralized services based on
Tor, like OnionShare to share files, or Ricochet for instant messaging,” Tor representative Kate Krauss told the Daily Dot after the law was passed. “There is no data to retain and no central server to hack. Both are super easy to use and have a lot of fans.”
The new “anti-terrorism” legislation was signed into law earlier this month by Putin.
H/T Slon