06/13/2018

Comment: further restrictions of digital privacy for Russian citizens


The use of unregulated VPN solutions and proxy services has already been effectively criminalized within Russia: in order to be officially sanctioned, VPN operators must be able to block certain websites even within a VPN to comply with Russian censorship laws. A blacklist of websites which fall under this category is maintained by the authorities. It contains any websites which host content that is deemed harmful or illegal. Any VPN operator is expected to enforce the blacklist for its users. Operators must also be able to share data about the users of the respective VPN service when requested by authorities, which many operators cannot provide because they do not collect this data.

For several weeks, efforts have been underway in the Russian government to ban the use of encrypted messengers. The first target is the messenger service "Telegram" - ironically, Telegram has Russian roots. After the operators refused to hand over crypto keys to the Russian security authorities (and thus to open a back door for authorities), IP bans have already been used specifically to restrict the use of Telegram, albeit with limited success, as the authorities admit. Then the Russian authorities tried to put pressure on Apple and Google to remove Telegram from their local app stores.

The procedure is similar to that already used for VPN technologies: the technology violates Russia's censorship laws. The line of argumentation is the same: the app is said to be used to plan and coordinate terrorist activities. Therefore, it must be controllable by the authorities. If one wanted to comply with Russian laws, VPN and encryption would not be banned per se, but rendered obsolete: authorities want to be able to clearly identify users despite encryption and anonymization, which is exactly what encryption and anonymization are intended to prevent in the first place. Russian lawmakers want all messenger services to be associated with their users' telephone numbers, which in turn can be clearly tied to a user.

Making an example

In the past, we have already expressed serious concerns about this approach. These are now being confirmed - these events set another precedent for a ban on the protection of one's privacy. In Germany, too, advances have already been made to allow law enforcement authorities to monitor encrypted communication channels in justified cases and to read individuals' communication. The Bavarian police law explicitly provides for this, as does the draft police law for North Rhine-Westphalia. (Source in German). 

Let me make it very clear once again: Not only myself, but also numerous other IT security experts consider this procedure to be dangerous and not conducive to long-term success - the aforementioned VPN legislation already faced harsh criticism from many sides for the same reason.

Chipping away at security in the name of security

There is no evidence whatsoever that criminal activity is declining due to increasing surveillance. In addition, measures such as the ban on encrypted communication have a lasting negative impact on the confidence and trust of citizens in their government in general and security authorities in particular. That makes it all the more important to discuss this approach loudly and, above all, publicly - but that is exactly what is not happening, although it would be vital right now. The fact that the public response to such advances seems so restrained (in relation to earlier discussions on similar topics) is alarming and seems to suggest that many have become tired of discussing the topic - one could even go so far as to say that one would rather accept a little more uncertainty if the subjective sense of security benefits from it. The fact that measures which are designed to systematically infiltrate people's privacy are almost invariably justified by alleged security concerns should raise doubts. It should also raise the question of who really benefits from these regulations. So far, laws on this matter have never been rescinded on grounds of the law being ineffective and not producing the intended results.