
(Fwd) Russian FAPSI (NSA+FBI equivalent) wants lines to tap al



------- Forwarded Message Follows -------
To:            cryptography@c2.net, gnu@toad.com
Subject:       Russian FAPSI (NSA+FBI equivalent) wants lines to tap all ISP's
Date:          Wed, 19 Aug 1998 19:03:19 -0700
From:          John Gilmore <gnu@toad.com>

It seems that Russia's FAPSI has been learning a lot from the FBI and
"digital telephony".  They want ISP's to build wiretapping into their
networks, and even lease a line to FAPSI, capable of handling all
their traffic, at their own expense!  This is the same agency that
controls licenses for Russian citizens to use any kind of encryption.

There's a good collection of information in English on this proposal
at

 http://feast.fe.msk.ru/libertarium/ehomepage.html

I'll also enclose a longish news article that covers much of the
ground.

We sometimes forget that the terrible precedents for totalitarianism
that our own government is vigorously working on, are frequently
adopted and extended in societies with much less protection for
citizens.  However much we let the bastards get away with here, worse
bastards will get away with ten times that in dozens of countries.  If
we stop, and reverse, the trend here, it will tend to stop the trend
worldwide.

 John

Russian Legislation Strikes Fear on the Net
By Jeanette Borzo
http://www.thestandard.net/articles/article_display/0,1449,1300,00.html

Russia's Libertarium site on the World Wide Web celebrated its fourth
anniversary this month. But site founder and coordinator Anatoly
Levenchuk, who himself is the proud owner of one of the first 150
Internet addresses handed out in the former Soviet Union, barely
noticed the anniversary this year, because he, like many Web users in
Russia, has other things on his mind.

As early as this October, a new version of Russia's SORM ministerial
act, which stands for "system of efficient research measures", could
be approved by the Russian Ministry of Justice, according to sources
in Russia. Hatched between the FSB (a successor to Russia's KGB secret
police force) and the State Committee on Communications (Goskomsvyaz),
the so-called SORM-2 act would let the FSB boost its monitoring of
electronic-mail messages by digitally linking its offices with all
Internet service providers (ISPs) throughout Russia. 

"The Internet is a virtual land of freedom," said Levenchuk. "SORM-2
will be an invisible curtain between Russia and abroad, a curtain of
distrust. If we have uncontrolled Internet surveillance, it strikes
fear into my heart. SORM-2 will mean stealth eavesdropping that no one
can audit afterwards." 

It's not just the obvious issues of human rights and personal privacy
that have Levenchuk and many other members of the Russian Internet
community so preoccupied. Russian Web users are also concerned about
higher Internet access costs, a chilled ISP market with fewer players,
damage to a burgeoning electronic-commerce market in Russia and even a
further blow to the already ailing Russian economy. For companies
doing business in Russia, or outside of the country but with Russian
enterprises, SORM-2 could certainly change business practices
concerning electronic-mail communications as well as e-commerce
transactions. 

The Sorm Storm

As currently drafted, the SORM-2 act would require all Russian ISPs to
install a device that would connect the ISP to the security agency and
let the FSB eavesdrop on "all information (both incoming and outgoing)
belonging to subscribers of the network(s) in question," according to
a version of the proposed legislation posted on the Web. 

"The stress is not about SORM, but about transition from the
relatively controllable SORM-1, with warrants, to the uncontrollable
SORM-2," Levenchuk said. For FSB offices around Russia, "wiretapping
will be (only) as far away as a mouse click." 

Last week, the SORM-2 interagency act went to the Ministry of Justice
for approval. If the Ministry of Justice approves the draft, then all
that remains is for representatives from the FSB and the State
Committee on Communications to sign the act. "Ministerial approval
would be enough to enforce the act through regulation enforcement
(e.g., a licensing procedure)," said Maksim Otstavnov, editor of
Moscow weekly Computerra and head of the Civil & Financial Crypto Labs
at Moscow's Institute of Commercial Engineering (ICE). 

Although SORM-2 is not destined to be a law, per se, its approval will
ensure its enforceability, sources said. "SORM-2 is not a law; it does
not have the review process of the Duma, the Senate and the
President's office," Levenchuk explained. While the Duma may
unofficially review the act, it will have no jurisdiction over whether
or not the act is signed by the necessary parties for enforcement.
However, "SORM-2 will act as a law to ISPs and they will not be able
to avoid this regulation," Levenchuk added. 

And under the SORM-2 act, there will be no way to ensure that FSB
officials obtain a warrant before monitoring communications, Otstavnov
pointed out. And it is this very lack of checks and balances within
the FSB that has Levenchuk worried. "SORM-2 means an uncontrolled and
unrestricted FSB," Levenchuk said. "It must not be one organization
that issues the warrant, applies the warrant, and carries out the
warrant by eavesdropping. The next thing they'll want to do is to act
as the judge in court." 

"If the FSB has surveillance rights over society, I want society to
have surveillance rights over the FSB," Levenchuk explained. 

And in Russia, the Internet society concerns significant numbers:
Russia has 350 Internet service providers and 1 million people using
the Internet, according to former Soviet leader Mikhail Gorbachev.
Russia's number of users doubles every year, Gorbachev said during a
speech in June, adding that traffic volume on the Internet grew 26
percent in the first three months of 1998 over the volume measured in
all of last year in Russia. 

How Real Is The Threat?

At its least menacing, SORM-2 is no more than an FSB attempt to test
its power over the Internet community here. 

"It often happens with these organizations that they test the limits
of how far their authority can go," explained Robert Farish,
International Data Corp.'s research manager in Moscow. 

"Last year we had similar situations with FSB propositions (and the
FSB) had to step back under public indignation," said Michael Novikov,
marketing manager for software developer Arcadia Inc. in St.
Petersburg. For example, Novikov explained, the FSB accused scientists
who were working with the Soros Foundation of stealing national
security secrets while they were selecting scientific projects for
grant support. Public reaction made the FSB back down. 

In particular, because SORM-2 would require ISPs to pay for the
surveillance devices, many say the proposal hasn't got a chance. 

"The ISPs themselves have to pay for this equipment and none of them
want to do that," said Farish. "They're not prepared to go out
shopping for equipment so that the FSB can snoop on their business."

And enforcing the SORM-2 act would require cooperation from more than
just Russia-based ISPs. "A great number of ISPs operating in Russia
are owned by foreign entities," said Drew Weeks, a Prague-based data
communications analyst who covers the Eastern European market for IDC.
"So ultimately there are some foreign fingers in the market that would
be adverse to that sort of monitoring, the FSB couldn't do it blindly
and get away with it." 

Still, ISPs may not have much choice in the matter, if they hope to
remain in business. "If an ISP does not fulfill the regulation, they
will not have their license renewed. They have no choice, deploy
SORM-2 and have a license, or don't deploy SORM-2 and have no
license," Levenchuk commented. 

Increasingly Cryptic

Under Presidential Edict No 334 of 1995, Russians are forbidden from
"manufacturing, selling and usage of encryption devices without a
license from FAPSI, the Federal Agency for Governmental Communication
and Information," according to Otstavnov, but Russia's encryption
edict gives no legal definition of "encryption" and so "most agencies
believe the edict covers only state secrets matters," he explained. 

Encryption licenses are not widely held among Russian encryption
users, many said, and if SORM-2 enters the Russian Internet market
through the front door, unlicensed encryption technology is likely to
storm through the backdoor. 

"The most likely effect (of SORM-2) would be a very significant
increase in the use of software encryption," said IDC's Farish. 

"After the media hype over SORM-2 one would be insane to send business
or personally sensitive data over the Net," said Otstavnov, who added
that the SORM-2 initiative has worked already to boost the use of
encryption: the Russian PGP homepage
(http://www.geocities.com/SoHo/Studios/1059/pgp-ru.html) that
Otstavnov maintains has seen a tenfold increase in traffic in the last
month. 

Encryption, however, will hardly offer blanket protection for the
Russian Internet community. 

"Advanced users will ignore SORM-2 by using more cryptography, but
Russia isn't a country of only advanced users," Levenchuk said.
"Communication lines have two sides, and if someone is wire-tapped on
one side, then there is surveillance on those who correspond with
Russia too." 

(Shrinking) Market Forces

So while those selling encryption technology into the Russian market
would likely benefit from SORM-2, many others would undergo a host of
disadvantages at the regulation's hands. The violation of human rights
is the first concern about SORM-2 for Arcadia's Novikov, and market
damage follows as a close second. Novikov anticipates an increase in
ISP service prices in order to cover installation and maintenance
costs under SORM-2: ISPs in Russia expect the surveillance device to
cost $10,000 along with approximately $1,000 per month for the line to
the FSB. 

"The SORM-2 financial burden will be quite heavy for small ISPs," said
Novikov. "Also, ISPs will lose some corporate users" because of fears
over insecure data exchange, perhaps through the possibility that the
FSB would reveal or sell corporate secrets.

"The first outcome will be rate increases," agreed Otstavnov. "ISPs
estimate SORM-2 costs at 10 to 15 percent of overall operational
costs." 

Also Russian Internet users may drop their Russian ISP in favor of a
non-Russian satellite service in order to avoid passing through
surveillance devices installed at Russian ISPs. But "just a very few
Russian Internet users could afford that," Novikov said, adding that
many students may have to give up the Web, as the cost of privacy
increases. 

"This additional investment will be paid from the pockets of users and
it will be a more expensive Internet in Russia, with fewer users,"
Levenchuk said. "ISPs will have to make additional investments to have
a license, and that means there will be fewer Internet providers
because it will be more expensive to establish Internet service." 

And as the ISP market shrinks, so is the level of market competition
likely to decline. "Right now the ISP market is rather competitive,"
Otstavnov noted. "Kicking out of smaller players would mean further
cost increases and a service quality drop." 

Novikov also expects SORM-2 to mean "heavy damage to the e-commerce
industry" as well as a general chill put on Russian Internet
development in general. Russian businesses may simply decrease their
use of the Internet, he added. 

Business users from abroad may shy away from working with Russian
enterprises, and Russian network managers will need to think twice
about corporate e-mail policies. "The writings of business people will
not be private, they will be sent to their correspondent and to
Federal Big Brother (as the FSB is often called in Russia)," Levenchuk
said. 

Internet growth in Russia may also be stunted. "Users will not trust
the Internet as a new media," Levenchuk said, adding that the FSB
threat will be much more real than the threat of hackers, which has
already got some potential Internet users worried. "They can trust
Internet with mythical hackers but they will not trust the Internet
with the legendary FSB." 

As a result, business may suffer.

"SORM-2 will be bad for e-commerce between Russia and other
countries," Levenchuk continued. "SORM-2 applies to every network,
including x.25 providers, not only to e-mail but to every online
communication including financial information and e-commerce. People
from abroad will be less trustful of Russia." 

SORM-2 may also have a wider impact on the economy. "This creates a
problem of trust for the Russian economy as a free-market state,"
Levenchuk said. 

So, for example, investments in the Russian telecommunications
industry might decline, Novikov said, as SORM-2 would mean "a
reduction of Russia-investment attractiveness, and possibly a decrease
of investment ratings." 

The Final Word?

Of course, if SORM-2 is approved it will be subject to legal
challenges, like all government regulations. For example, the
Parliament or civil claimants could challenge SORM-2 in court,
Otstavnov pointed out. 

Failing legal challenges, the government will still have to dominate
market realities in order to effectively enforce SORM-2. 

"I would doubt that the Russian government would be sophisticated
enough to carry out such a plan," said IDC's Weeks. 

And as many Russians know, the government doesn't carry out every act
it signs. 

"Just because something becomes law in this country doesn't
necessarily worry people," said IDC's Farish. 

Or, as Arcadia's Novikov put it, "It's a common Russian tradition -
not to follow the law."