State Duma, the lower house of parliament, in session in Moscow, Russia on April 19, 2016.

© 2016 Reuters

(Moscow) – Russia’s new counterterrorism legislation would unjustifiably expand surveillance while undermining human rights and cybersecurity.

On July 7, 2016, President Vladimir Putin signed into law two sets of legislative amendments after they were rushed through parliament without adequate debate or scrutiny. The amendments are commonly referred to as the “Yarovaya Law,” after their key author, Irina Yarovaya, a leading member of the ruling “United Russia” party. They include numerous deeply disturbing provisions that severely undermine the right to privacy and are particularly detrimental to freedom of expression on the Internet. The new regulations will take effect on July 1, 2018. Russia should repeal the new law, Human Rights Watch said.

“Russia’s new counterterrorism law takes Big Brother surveillance to a whole new level,” said Cynthia Wong, senior Internet researcher at Human Rights Watch. “No digital communication would be safe from government snooping, no matter how innocuous or unrelated to terrorism.”

The legislation requires telecommunications and Internet companies to retain copies of all contents of communications for six months, including text messages, voice, data, and images. Companies must also retain communications metadata for up to three years, which could include information about the time, location, and sender and recipients of messages. All information must be stored inside Russian territory.

Internet and telecom companies will be required to disclose communications and metadata, as well as “all other information necessary,” to authorities, on request and without a court order. The law increases penalties for companies that fail to disclose requested information, with fines of up to approximately US $15,000. It is unclear whether regulations apply to foreign Internet companies or only to domestic providers. 

These provisions expand already broad and troubling requirements to store user data locally. Federal Law No. 242-FZ requires certain service providers, foreign and domestic, to store all personal data of Russian citizens in databases located inside the country. This law was passed in 2014 and went into effect on September 1, 2015.

Equally troubling, the new counterterrorism law also requires Internet companies to provide to security authorities “information necessary for decoding” electronic messages if they encode messages or allow their users to employ “additional coding.” Since a substantial proportion of Internet traffic is “coded” in some form, this provision will affect a broad range of online activity. At a minimum, it could require companies to hand over encryption keys. The day the counterterrorism bill was signed into law, President Putin ordered the Federal Security Service to define the list of technologies that must comply and set the procedure for disclosing such decryption keys within two weeks.

The new provisions would broadly undermine privacy and other human rights. The data retention and localization requirements would intrude on the privacy of every Russian phone and internet user, even though the vast majority are under no suspicion of wrongdoing. It would also create vast stores of sensitive data and grant access to security agencies without judicial oversight. With legal protections for privacy already extremely weak in Russia, these provisions could greatly increase the information available to security services about every user’s communications, online activities, and movements. The anti-encryption provisions would also endanger activists and journalists who rely on encrypted messaging applications to communicate securely. 

It is unclear how the law would apply to companies like the messaging service WhatsApp that do not maintain copies of encryption keys, which has become an increasingly common cybersecurity best practice. However, if interpreted broadly, the provision could force companies to redesign existing technology and build back doors into encrypted services to comply. It also raises questions about how companies can operate in Russia without effectively serving as an “on demand” government surveillance network.

The government maintains that the law is necessary to combat terrorism in Russia. However, these provisions would ultimately jeopardize security, while being ineffective at preventing terrorists from using encryption, Human Rights Watch said. Internet and telecommunications companies increasingly encrypt their services to protect users against cybercriminals and other malicious actors who seek to steal their information. In the digital age, sensitive data is routinely shared electronically, from financial information and commercial trade secrets to e-commerce transactions and medical information. The counterterrorism law would force companies to weaken the security of their services, leaving Russian users and businesses vulnerable to unauthorized spying, data theft, and other harms.

In contrast, independent research has concluded that terrorists and other determined malicious actors would still be able to shield their digital activity from security services. A recent global survey of encryption products conducted by preeminent digital security experts shows that a range of tools made by companies outside Russia, and not subject to Russian law, would still be available to bad actors.

The data retention provisions are also out of step with international practice. For example, they go far beyond what was required under the European Union Data Retention Directive, which only applied to retention of metadata by telecom companies for up to two years. The Court of Justice of the European Union later invalidated the EU Directive as an unjustifiably broad infringement of the right to privacy.

The “Yarovaya Law” contains other troubling regulations that encroach on freedom of conscience, freedom of association, and other rights. The law bans proselytizing, preaching, praying, or disseminating religious materials outside of “specially designated places,” like officially recognized religion institutions. It criminalizes “the failure to report a crime” with little specificity on when such a reporting requirement would apply. It increases penalties for vaguely defined “public justification of terrorism” online and penalizes “inducing, recruiting, or otherwise involving” others in mass unrest.

“Russia’s new amendments will undermine the security of ordinary Internet users and intimidate online critics of the government into silence,” Wong said. “They won’t be effective at countering terrorism and never should have been signed into law.