The Russian State Duma Committee on Information Policy has amended a draft law on the sovereign RuNet (Russian internet) which will require all traffic to be encrypted using government-controlled encryption tools.
According to RBC, the draft law is intended to keep the Russian internet online in the event of external attacks, but many experts are concerned that it will make it easier for Russian authorities to decrypt internet traffic and read private messages.
The amendment specifically references online messaging services and says that ORIs (companies that manage messaging services) have to allow additional encoding of electronic messages with government-approved encryption tools.
Russia’s telecommunications watchdog Roskomnadzor currently lists over 170 companies in its registry of ORIs including:
- Mail.Ru Group
- Opera
- Sberbank
- Telegram
- Vimeo
- Yandex
In practice, all the companies listed in Russia’s ORI registry and any other large Russian internet companies will have to implement encryption that’s been approved by the Russian government if this draft law passes.
The draft law will also require internet browsers to start using Russian government-backed root certificate authorities. This is something China has tried in the past with its CNNIC (China Internet Network Information Center) Certification Authority. However, its root certificates were removed by both Google and Firefox in 2015 when it was discovered that the CNNIC was issuing certificates to a company that was creating fake Google pages which were presumably being used to spy on Chinese users who were attempting to access Google.
If this draft law passes, it could negatively impact Russian citizens in a number of ways. First, Russian authorities are likely to hold the decryption keys to all internet traffic and communications, which would allow them to spy on citizens, potentially engage in mass surveillance operations, and censor information on the internet. Second, government-provided encryption tools are closed to public scrutiny and so are more likely to have undiscovered security flaws, which would leave citizens more susceptible to hacks, data leaks, and other forms of cybercrime.
According to Karen Ghazaryan, general director of the Internet Research Institute, it’s likely that only domestic companies will comply with this law if implemented:
There are quite a few foreign companies in the ORI registry, so the requirement to use domestic cryptography will also affect them. But there is a suspicion that not a single foreign player will do this, and even if it is decided, it will not be able to implement Russian cryptography due to export restrictions.
This draft law is the latest in a series of attempts by the Russian government to clamp down on the internet. Last week, Russia asked 10 leading VPN providers to comply with its list of banned sites, and the country is also planning to disconnect from the global internet in order to test its web traffic filtering system.