U.S.-based tech giants appear set to silently ignore new Russian laws requiring them to hand over encryption keys for internet communications to state security agencies, those tracking the issue tell Cyberscoop.
Only two encryption providers appear to have publicly responded to the new legislation, known as the ‘Yarovaya law,’ after the hardline lawmaker responsible for drafting it. One virtual private network provider, Private Internet Access, announced it was leaving Russia, while another, NordVPN, doubled down on its presence there, according to interviews and public statements.
But according to Eva Galperin, a global policy analyst for the Electronic Frontier Foundation, ‘the tech giants show no signs of complying — not Google, not Facebook, not Twitter.’
Galperin expects these large U.S.-based companies to treat the new law’s mandates as they did the data localization requirements Russia passed into law last year — which companies have basically ignored.
‘[Companies] are staying publicly silent and not complying with the data localization mandate,’ she told FedScoop. ‘None of those companies keep their Russian user data in Russia’ as the law supposedly requires, she added.
‘There’s no evidence they’ll do anything different’ with the new law — although the agency charged with enforcing the encryption mandate is the feared KGB successor, the FSB, rather than the Russian telecom regulator, which has enforcement authority under the data localization law.
She said that many providers — like messaging giant WhatsApp — used forms of encryption which made it ‘literally impossible’ for them to comply.
‘But that’s the point,’ she said. ‘There is no expectation on the part of the authorities that it is possible to comply. They know this … But it makes all the companies lawbreakers.’
The fact that pretty much any company providing state-of-the-art encrypted messaging will be in violation of the law is a ‘feature not a bug’ of the new law, said Galperin. ‘It gives [the government] leverage.’
‘The companies for whom this is a real problem are the Russian telecom providers,’ she added, who face huge data retention mandates quite separate from the encryption requirements. ‘They have said [the law] will cost them trillions of roubles.’
One foreign company, Panama-based NordVPN, is ‘doubling down’ on its commitment to privacy and anonymity in Russia, according to Jodi Myers, the company’s head of public relations and marketing.
‘Our aim is to make this simple, for the less technical user,’ she said. But she added the firm was taking steps to ‘double encrypt’ traffic from its Russian users. ‘We do not have the key [to unlock their users’ encrypted internet traffic] and we do not store any customer data on our servers — not in Russia, not anywhere.’
So even if NordVPN’s servers in Russia were seized, the authorities would not be able to learn anything about its customers’ web-browsing habits from them, she said.
This didn’t stop authorities from seizing the servers of another ‘zero-log’ or no-data VPN provider, Private Internet Access. The company said it was pulling out of the country after its servers were seized.