State of Surveillance

While digital surveillance may be justified in matters of national security, a balance must be struck between security and privacy, as well as between state interests and the rights of citizens

The enormous resources that Russian authorities spend to deploy total surveillance allow them to effectively prosecute political rivals, but do not protect society from tragedies like the recent terrorist attack at Crocus City Hall, in which hundreds of people were killed and injured and Moscow’s powerful facial recognition system failed to provide security. This incident brought Russian society back to the debate about the necessity and effectiveness of the surveillance system and the justification for its use.

Nevertheless, knowledge of the laws regulating the collection and processing of personal data, digital surveillance technologies, and law enforcement decision-making mechanisms can help individuals take steps to ensure their privacy and security, even in the face of total surveillance, and take advantage of existing opportunities to protect their rights.

This study provides a brief analytical overview of how the Russian state employs surveillance technologies in Russia. The study focuses mainly on aspects of legislation and law enforcement in the field of digital surveillance, as well as the position of law enforcement agencies and public authorities on this issue.

We conducted a detailed legal review of the existing legal framework governing the use of surveillance technologies by state authorities, as well as existing legal safeguards, transparency issues, and oversight mechanisms to prevent abuse.

In addition, we examined media information about leaks from government agencies and related organisations. Such information was not interpreted on its own; we compared it with other sources to infer its accuracy and credibility.

We also conducted a number of interviews with experts in electronic communications, information technology, and information security and law to verify the findings of the study.

In the full text of the study, which you will find below as a PDF file, we provide an overview of the laws authorising law enforcement agencies to resort to covert surveillance techniques and the use of related technologies. Then, we list a number of specific legal provisions under federal laws that shape the legal regime for various information service providers. Finally, we focus on the ongoing process of deploying facial recognition systems in public settings. Furthermore, we refer to relevant European Court of Human Rights (ECtHR) jurisprudence highlighting the problems with the Russian legal framework on the use of mass surveillance and the violation of the right to privacy.

We advise you to read the full text of the study. It will be of interest to journalists and human rights activists, digital rights researchers and activist communities. On this page, we will publish a summary of the findings and key messages.

Based on the study conducted, we note that state surveillance in Russia:

• Relies on technical infrastructure integrated into networks and on service providers as agents of state surveillance, which allows for mass surveillance of users.

• Is based on legislation with open-ended goals and wording, thus providing wide discretion to law enforcers, leading to abuse of power.

• Uses unaccountable surveillance of internet communications, violates the principle of proportionality as many aspects are classified, and does not allow for public oversight.

• Fails to provide effective remedies for those whose right to privacy has been infringed by public officials.

• Indiscriminately targets citizens as well as foreigners, including surveillance of migrant workers.

• Attempts to passport all internet users and de-anonymise them, including through the use of technological solutions.

• Has no legal regulation of biometric personal data for surveillance purposes, which blurs the boundaries between online and offline surveillance and makes the system unaccountable, prone to abuse, and corruption.

• Demonstrates a patent strategy by the authorities to disguise the use of facial recognition technology and other controversial practices with extremely vague language, and to conceal usage data by restricting access to internal documents and extending confidentiality and other protections to them.

There are special laws that regulate, for example, guarantees, the secrecy of correspondence, telephone conversations, postal and other communications, or the disclosure of personal data in the course of a trial, and so on. We describe them in detail in the research materials.

At the same time, Russian legislation in some cases provides the possibility of extrajudicial access to personal data for oversight and law enforcement agencies (eg prosecutor’s office, police, Federal Security Service [FSB]). Thus, the Federal Law "On Operational-Search Activities" directly grants the police and national security bodies the right to control communications, wiretap telephone conversations, access to computer information, and to withdraw information from communication channels. At the same time, according to the law, requests for such information constitute a state secret, and the recipient of such requests has no right to disclose its contents. In other words, people who have been monitored and about whom information has been collected will not be able to request information about operational and investigative measures taken against them.

State surveillance in Russia relies heavily on technical infrastructure integrated into networks and service providers as agents of state surveillance.

Currently, service providers (information dissemination organisers, hosting providers, social networks, classifieds sites) are forced to engage in practices that could be considered surveillance. New amendments to Russian legislation introduce requirements for all Russian online services to authorise users only using a cell phone number or through a state identification and authorisation system (eg Gosuslugi, etc).

With the adoption of the "Law on Bloggers" in 2014, and later in 2016 amendments to the legislation related to the "Yarovaya Package", some communication services classified by the authorities as information dissemination organisers became obliged to store their users' messages for six months and metadata for up to one year. Both types of data can be used to monitor users. However, while metadata provides mainly statistical and technical information about the user’s connection, device, etc., content data contains the messages themselves, which allows authorities not only to track, locate, or identify the person of interest, but also to use the messages as evidence against them.

We examined the records of information dissemination organisers from the relevant register of the Russian oversight agency. On that basis, we can conclude that Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology, and Mass Media) interprets the law very broadly and includes in the register, without restrictions, any web resources or applications that allow their users to communicate with each other. For example, not only messengers, but also banking applications with a chat function are included.

Naturally, according to the law, information dissemination organisers are obliged to disclose information to law enforcement agencies. We elaborate in the study on what kind of information is collected and stored by information dissemination organisers, and therefore what data they hand over to the authorities upon request.

In the context of mass surveillance, it is particularly worrying that the authorities rely not only on regular requests for information, but also on technical infrastructure designed to intercept and extract data transmitted through telecommunications operators. Therefore, by law, the organisers of information dissemination are obliged to install equipment, software, and hardware, as well as to disclose encryption keys to the authorities.

In the study, we examine the current practice on how the organisers of information dissemination comply with their surveillance obligations. In particular, the degree of compliance depends on the location of the information dissemination organisers and their informal relationships with the authorities. Information dissemination organisers such as WhatsApp and Telegram do not comply with the law and are presumably unwilling to actively cooperate with law enforcement authorities. In contrast, VK (Vkontakte) and other information dissemination organisers whose legal entity is located in Russia are more willing to cooperate, sometimes ignoring procedural rules for processing legal requests for information from law enforcement agencies.

The latest amendments to the Law on Information Technologies, introduced in June 2023, establish new rules for hosting providers, who have so far generally managed to avoid compliance with the requirements imposed on information dissemination organisers. They too now have obligations that include, among other things, identifying users of hosting services and installing special surveillance equipment. The requirements apply to all hosting providers that have a connection with the territory of Russia, or process the data of Russian users, or receive money from Russian users, or provide hosting services in the Russian market. That is, services such as GoDaddy Inc. and Amazon Web Services must also comply with the rules. This contributes to the further development of the System for Operative Investigative Activities (SORM).

In the study, we specifically address SORM — the Russian state technical infrastructure for wiretapping of telecommunication channels, that is, the surveillance of subscribers receiving telecommunication services from telecom operators. It has survived several generations and now allows not only listening to telephone conversations in a mobile operator’s network, but also monitoring some virtual private network servers, Skype, communication data from encrypted messaging services (eg WhatsApp, Telegram, Signal), satellite communications, and so on. The latest modifications from September 2023 included VoWiFi (voice over WiFi) and WiFi Calling in the scope of surveillance.

However, the lack of regulatory safeguards, as well as the practical implementation of the system itself, contribute to abuse. Thus, a person subjected to surveillance by means of SORM has no opportunity to exercise his constitutional right to information, since information on operational and investigative activities is a state secret and the decision whether to disclose it or not is made by a law enforcement agency. The capability to wiretap communications using the system at any time makes the existing judicial oversight virtually non-existent, as FSB officers can use it when they like without obtaining court authorisation, unless they want to present data from SORM as evidence in a criminal case. Although, even then, they have a limited right to collect evidence without prior court authorisation.

According to one of our experts, SORM control panels installed on FSB premises also provide so-called root access to the system, which means that FSB agents can delete and even modify log data and the history of requests made by them, thus exacerbating the overall opacity of surveillance through SORM. This means that FSB agents can directly wiretap communications at any time without applying for court authorisation.

Different law enforcement agencies deal with the task of intercepting communications or gathering information about a person of interest in different ways. In the study, we describe three scenarios in which different agencies use the SORM infrastructure to fulfil their official digital surveillance missions or for corrupt purposes for personal enrichment.

We devote a separate section to analysing the practice of the ECtHR in cases related to SORM. In the case of Roman Zakharov v. Russia, the ECtHR unanimously recognised that the right to privacy guaranteed by Article 8 of the European Convention on Human Rights of 1950 had been violated. The Court found that domestic Russian legal norms regulating the interception of communications did not provide adequate and effective safeguards against arbitrariness and the risk of abuse.

According to the ECtHR, the risk of abuse inherent in any system of secret surveillance is particularly high in Russia, where the secret services and the police have direct access by technical means to all mobile telephone communications. Moreover, the effectiveness of the remedies available to challenge the interception of communications was undermined by the fact that they were only available to persons who could produce evidence of interception. Obtaining such evidence was impossible in the absence of any notification system or the ability to access interception information due to its classified status.

Another notable ECtHR case concerning the use of SORM by state authorities is Podchasov v. Russia (the Telegram encryption keys case), which dealt specifically with the legal requirements for organisers of information dissemination, namely, the requirement to install surveillance equipment providing access to data and to hand over encryption keys to the FSB.

Again, the ECtHR unanimously recognised that the right to protection of privacy guaranteed by Article 8 of the European Convention on Human Rights of 1950 had been violated. The Court noted that the challenged provisions pursued a legitimate aim, but the challenged legislation was not necessary in a democratic society.

There are currently no federal laws in Russia that explicitly regulate the use of facial recognition by authorities. Nor is there a federal facial recognition system. Right now, authorities appear to rely on a couple of exceptions to implement mass surveillance using artificial intelligence/machine learning technologies in conjunction with biometric data processing. These exceptions relate to counterterrorism and transportation security.

The lack of clear regulation of the use of facial recognition, its admissibility as court evidence, and the general lack of transparency of the relevant procedures contribute to the abuse of police access to the database and the existence of a hidden economy in data. Separately, politically motivated harassment through facial recognition can be singled out.

In the study, we collected several illustrative cases of unlawful interference in the personal life of citizens or harassment through facial recognition in Moscow.

In 2023, the ECtHR unanimously ruled in its Glukhin v. Russia judgment that the use of real-time facial recognition technology without the application of appropriate legally defined procedural safeguards and oversight mechanisms constitutes a violation of the right to privacy guaranteed by Article 8 of the European Convention on Human Rights of 1950.

The main problem with studying this aspect of digital surveillance is that the use of profiling and hacking cannot be comprehensively analysed. The reason for this is the lack of specialised regulations and official documents detailing these practices, which are mostly reported by insiders and experts.

To build a picture of the use of shadow surveillance in Russia, we relied on information obtained from experts. We collected data on current profiling practices in Russia, including both real classified cases run by law enforcement agencies and software solutions (public and private) developed specifically for information analytics or Open Source Intelligence (Medialogia, Oculus, Vepr, etc.). In the study, we describe unregulated parsing programs that extract information from the network, often protected by law, and subsequently disseminate it via Telegram bots ("God's Eye").

We address separately the issue of de-anonymisation of web users. In order to be able to identify internet users and punish them for their words, the Russian state aims to carry out digital passportisation of Russian society and mass de-anonymisation of internet users. Special software packages have already been developed or purchased to reveal the identity of the owners of anonymous Telegram channels, as well as to track groups and accounts in VK and de-anonymise Telegram users.

As for hacking, the legal grounds for this practice are established in Russia by the Federal Law "On Operational-Search Activities". In the study, we discuss the use of "black hackers" by government agencies and also the possible use of Elcomsoft and Cellebrite software tools.