The issue of data privacy is becoming a source of increasing individual and corporate unease with wide political ramifications. To that end the European Union’s General Data Protection Regulation (GDPR), which comes into force in less than two months, will attempt to harmonize and enhance data protection standards across the continent.
Around the world governments actively monitor Internet communications. Here I examine Russia’s System for Operative Investigative Activities (SORM) that the government employs for the purposes of lawful interception of various IT and telecommunication systems.
The original version of SORM was introduced in 1995, and allowed the Federal Security Services (FSB) to monitor phone calls and the Internet activity of users, despite the limited reach and functionality of Internet services at that time.
SORM-1 was represented by special hardware furnished by the FSB that telecommunication operators were mandated to adopt within their infrastructures. The arguments used in favour of SORM-1 were around maintaining security in the public interest, at a time of considerable unrest in the country.
As information technologies have matured in Russia, so have the technologies utilized by the government to oversee and, where the need arises, tame them. In 1998 a new version of SORM was released (SORM-2). This time it was required that SORM-2 be installed on the servers of Internet service providers, thus providing the FSB with oversight over all transactions passing through these servers.
Subsequently, the scope of SORM-2 was further expanded to encompass monitoring of social networks and forum traffic. All operators were required to integrate this fully at their own cost. In addition, more governmental institutions and security agencies, apart from the FSB, were given leave to exploit the information-gathering-potential of SORM-2 (including the Police, Customs Authorities, Presidential Security Services and others).
In 2014 the most recent version of SORM was deployed pursuant to a ministerial order issued by the Russian Ministry of Communication, with less than a one year deadline imposed for implementation. SORM-3 covers a wider range of online resources and activities, which may be subjected to targeted surveillance. These include, but are not limited to, users’ phone numbers, unique media access control addresses, as well as email addresses accessed from, for instance, mail.ru, yandex.ru, rambler.ru etc.
Notably, SORM-3 resorts to a very comprehensive data processing protocol called Deep Packet Inspection (DPI), in which the content of each piece (packet) of data is thoroughly scrutinized, and rerouted accordingly.
Ordinarily, in order to acquire specific data, the governmental agency in charge requires a court order. But operatives are under no obligation to present this to a raided party. Refusal to divulge data in the absence of a court order will get you nowhere. Moreover, while the court order is required to seize the content, metadata (the description and ancillary context of the data in question) may be collected in its absence.
In 2015 the lawfulness of SORM was raised by the European Court of Human Rights in Zakharov v Russia. The Court held that SORM potentially violates Article 8 of the European Convention on Human Rights (a right to respect for private and family life), concluding that given the significant risk of SORM being misused, the Russian state had failed to provide adequate safeguards to eliminate its potential arbitrariness, as well as failing to arrange for suitable measures to prevent unwarranted scrutiny.
At present, Russia is not the only county introducing far-reaching control of its IT and Telecommunication platforms. Systems that bear resemblance to SORM are already operating in the Europe Union with the European Telecommunications Standard’s Institute’s (ETSI) specifications, and in the United States through the Communications Assistance for Law Enforcement Act.
Although targeted surveillance plays an important role in the prevention of crime, including terrorism, the full scope of governmental surveillance technologies are not clearly defined, either in Russia, or in other countries.