- ‘Star Trek: Discovery’ unmasks the time-traveling Red Angel Thursday 8:30 PM
- Everyone is making memes of Meghan McCain saying ‘my father’ on loop Thursday 8:11 PM
- Irony of Georgia’s sperm-reporting bill flies by anti-abortion advocates Thursday 7:11 PM
- Sex scandals are consuming the K-pop industry Thursday 5:44 PM
- Trump supporters are abandoning Fox News over network’s latest hire Thursday 5:20 PM
- QAnon is attacking a random woman in a disturbing and dangerous way Thursday 4:59 PM
- Google celebrates Bach with AI-powered, music-making doodle Thursday 4:53 PM
- RIP: The best free trial in all of streaming entertainment Thursday 2:19 PM
- Which ‘Florida Man’ are you? Thursday 1:06 PM
- Hundreds of millions of Facebook passwords were accessible to employees Thursday 12:55 PM
- ‘Bitch I’m Bella Thorne’ morphs into TikTok dyslexia meme Thursday 12:17 PM
- Marvel is auctioning props and costumes from Netflix’s ‘Defenders’ franchise Thursday 12:12 PM
- Net neutrality advocates plan online watch party for the ‘Save the Internet’ Act Thursday 12:01 PM
- Tim Cook turns his iPad meme into an AirPod meme Thursday 11:46 AM
- Auschwitz Memorial asks visitors to stop taking playful photos at Holocaust site Thursday 11:33 AM
Russia begins collecting encryption keys while internet companies, like Facebook, stay silent
So far, WhatsApp, Viber, and Telegram haven’t said a public word.
The FSB announced the capability on its website but the actual order, which would detail the process, was not made public.
One month ago, Russia passed a sweeping surveillance bill requiring encryption backdoor access for the state, among other expansive new spying rules. The legislation specifically pointed out apps like WhatsApp (which is owned by Facebook), Viber, and Telegram. Noncompliance can result in a fine of 1 million rubles—or $15,000—but it’s not clear how frequently that punishment can be levied.
WhatsApp, Viber, and Telegram representatives have repeatedly declined to comment on the new backdoor law in Russia.
Russia’s new surveillance reality is one of the most extreme moves in a global debate over encryption, privacy, and surveillance. What makes it even more incredible is the utter lack of transparency from the Russian government and businesses in the country.
“It’s important, but we don’t know what FSB actually suggested yet,” Anton Nesterov, a Russian technologist, explained to the Daily Dot in an email.
Actually, no one seems to know what this new law means in the slightest. Or, more accurately, the people who do know are keeping mum.
To illustrate just how much we don’t know, Nesterov has a long list of technical and legal questions he wants answered on the law:
In a way that it’s written in the law, it’s a disaster, and brings a lot of questions. Should SSL keys be shared? Ok, we can share SSL keys, but what about PFS?
Should it never be enabled, or we should patch openssl to keep track on session keys and then send billions of them to FSB? What about payment systems? I’m not sure if it’s allowed by Visa/MasterCard rules to share encryption keys with a third party.
How can leaks be prevented? Passing keys allows authorities not only to decode transmitted everyone’s information, including people who wasn’t original target [sic], but also to perform active attacks, which can be a major problem.
Should we share keys at request or at the time we started using it? What’s kind of transmitted data covered by this law? All kinds of data? Should we also share SSH keys, giving direct access to servers? Should we share VPN keys used by companies to connect to their internal networks?
These are the questions which should be answered by FSB decree, it’s internal documents and practice.
The one organization that did provide comment on this situation struck a defiant tone. Tor, the American-based and funded anonymity network, is decentralized around the globe.
“We encourage people to try anonymous, decentralized services based on
Tor, like OnionShare to share files, or Ricochet for instant messaging,” Tor representative Kate Krauss told the Daily Dot after the law was passed. “There is no data to retain and no central server to hack. Both are super easy to use and have a lot of fans.”
The new “anti-terrorism” legislation was signed into law earlier this month by Putin.
Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.