Sophos Cloud Optix
Russia’s parliament, the State Duma, has heard another internet freedom bill requiring foreign web firms to host any data on Russia citizens within Russia’s borders.
This would mean the likes of Google and Facebook would need to set up datacenters within Russia and redesign their operations so that individual user data would only be stored inside the country. Failure to do so could mean the site being blocked to prevent Russians using it.
If the proposal is accepted by the parliamentary process, it would give companies until September 2016 to comply.
The reasons behind the move remain a little vague, but Liberal Democrat politician Vadim Dengin, one of the bill’s main proponents, has been quoted by local press as claiming that data on Russians stored by web services “can be used against the country as well as against a specific individual”.
It seems likely that the bill is at least in part a response to the massive worldwide internet snooping carried out by the NSA and other intelligence agencies, aiming to minimise foreign spies’ access to information on what Russians are up to online.
But it will also give Russia’s own intelligence services much easier access to data on its own citizens, avoiding the need for complex and potentially controversial efforts to snoop on foreign-based datacenters.
Russia has been gradually chipping away at online freedom and anonymity for a while now, mainly in the name of combating extremism, but their efforts have been seen by many as attacks on dissenting voices opposed to the ruling regime.
Recent moves include requiring bloggers to register themselves and conform with openness requirements, and demanding internet firms share detailed information on their users with law enforcement whenever requested to do so.
A prominent Russian politician has also recently called for David Cameron-style web content filtering to protect sensitive Russian youth from decadent Western adult material, seen by many as a clear move towards censorship and another brick in Russia’s emerging China-style “great firewall”.
Last year’s Winter Olympics also saw an upturn in monitoring of foreign visitors to Russia and how they used the web and phones.
This latest move may well prove problematic for web firms, who would face the choice between the massive logistical effort and financial input required to relocate their data into Russian territory, and to filter the transfer, storage and analysis of data appropriately, or risk losing access to Russia’s huge online population.
Indeed much of the criticism the bill has so far faced from within Russia has been on economic grounds, arguing that the requirements of the bill would be too costly for internet firms to be workable.
The cost to Russia of further separating itself from the online world could be even higher though, both financially and socially, if it finds itself shut out of the ever-growing global digital economy thanks to its isolationism.
The cost to the world could be high as well, with Russia already a major source of online crime, recently cited by a leading UK police official as the biggest cybersecurity threat to Europe.
Hackers will always find a way around connectivity and anonymity hurdles put in their way, if there’s enough money to be made, and any further damage to international relations and impediments to tracking down crooks will inevitably lead to an increase in criminal activity.
The internet needs openness and freedom to do its job of connecting the world. Trying to fight its influence with censorship and regulation is not good for anyone.
Image of Russian flag on keyboard courtesy of Shutterstock.
So if I’m not in Russia, and I’m “friends” with someone in Russia so I can see their data (and the person wants it that way), the data’s going to be transferred outside of Russia. Does the bill even account for that?
Russia at the moment doesn’t seem to want its citizens to be friends with foreigners. It doesn’t want them to travel, and it doesn’t want them to work overseas.
For me, this is particularly scary as my best friend is Russian, and going home soon. It terrifies me to think of the hoops I might have to jump through if I ever want to see her again.
It doesn’t look like that from within Russia. Nothing is limiting my freedom or capability to communicate \ connect \ travel how I want.
So your opinion of a person who has no clue about what is going on (or not changing at all lol) isn’t really worthy.
It says “stored”, so technically it would just mean you access the data from Russia. Although “stored” could just be John’s interpretation and it covers send/receive too?
It kind of makes sense. Keep user’s data in the user’s country, so it abides by the laws of their home. Problem is, if the NSA and the likes want it they will get it. No matter where it’s stored… even a great firewall could be physically bypassed, if not broken through.
good point, Russian govt doesn’t get the point of cloud technology
Can you actually blame russia for wanting systems holding data about their citizens to be situated inside their own country. Isn’t this exactly what many western enterprises are doing before trusting cloud providers with sensitive customer data? ( demanding it be hosted onshore and in county) Maybe it isn’t practical, but props should go to Rrussia for trying.
What happens if a company stores user data encripted and protected the way the __data can’t be accessed__ even by company employees? In this case a __web firm just doesn’t know___ is this a data on Russia citizens.
I’m working for the company that intends to be a game changer with the way of storing data I described above.
To me it’s not clear what should we do about this law.
In your case – data availability is the problem.
How can you ensure that data will be always accessable to user? What if goverment of your country will decide that it is forbidden to provide services to the specific country? Will you comply with your local regulation?
If data will be hosted locally in Russia, you will not have an ability to restrict access to it.
Yeah, if FaceBook wants to be based in the US, and complies with Russian law, all the US needs to do is say, “Route some of your backups here or we’ll fine you whatever,” and that’ll be that.
Hard to fault a major national government from doing this. The US probably would if we thought we could get away with it or word the law in a way that matters.
It was only a matter of time that some government would respond in kind.
Unfortunate as it only lead to a less open internet.
I’m sure the NSA is already registering and incorporating a dummy “social media” company and would be glad to install servers in Russia and have their people manning the keyboards. This is like a dream come true for them.
I hear that this has been pulled forward to be effective on 1st September this year?