Information Technology and Legislation in Russia (through December 1999)

General Information Policy Provisions

In principle, a handful of laws define the primary concepts of information policy in Russia.  The constitution and the presidential decree "On the Concepts of National Security of the Russian Federation" provide basic guidance on this issue.  The following laws: "On Security," "On Government Secrets," "On Information, Informatization and the Defense of Information," "On Participation in International Information Exchanges," "On Proper Security of Programs for Computers and Databases," and "On Copyright and Interfacing Laws" form the core of legislative efforts in information policy.

The constitution guarantees Russian citizens the right to freedom of thought and speech as well as a free press.  Article 29 addresses the right to information, stating "Everyone has the right to freely seek, receive, transfer, produce and distribute information by any legal means."  Information technology is not specifically addressed; it is encompassed within general provisions on information.  There are some exceptions to information access, however.  Information used to promote the violent overthrow of the state, foment ethnic or religious conflict, or violate privacy rights of other citizens is not protected under the constitution.  These exceptions are not substantial barriers to free information access.  Based solely on constitutional guarantees, information policy in Russia is quite open.

The federal law "On Information, Informatization and the Defense of Information" addresses government responsibilities for information provision.  It indicates that the government is obligated to develop and protect information resources as well as establish conditions for their distribution.  Regarding information technology, the government is charged with the task of developing policies that reflect the "contemporary world development of information technologies."  The law also defines a term frequently encountered in information policy documents: informatization.  In this law, and presumably other government documents, informatization is: "an organized socioeconomic and scientific-technical process of creating optimal conditions for the satisfaction of information needs and the realization of the rights of citizens, organs of government power, organs of local self-government, organizations, [and] community groups on the basis of the formation and use of information resources."  In other words, it focuses on the technical process of information provision.

Five of the remaining six documents are focused on information security issues.  While interest in information security seems to pervade Russian government approaches to new technology, IT is rarely mentioned in information security laws.  The reason for its absence is that much of the key security legislation was written before the expansion of electronic communication in the mid-1990s.  Although the legislative base of Russian information policy recognizes the rights of citizens to access and distribute information, it also emphasizes the legitimate right of the state and commercial organizations to protect secrets.  The substantial focus on information protection implies that access can be subordinated to security.

In late 1999, there were also plans to add to this legislation and to attempt to regulate the Internet.  The initial draft of the bill "On the Introduction of Changes and Additions to the Russian Federation Law 'On the Media'" identified information transferred across computer networks as a form of mass communication.  It was therefore subject to the regulations outlined in the draft law.  The bill passed the first reading in the Duma (three readings are necessary for passage) in 1998 and has not yet been subjected to further debate.  It was subsequently edited to exclude all references to computers and computer networks.  While references to the Internet have been removed, the initial draft of the bill shows that there is interest in regulating on-line communication.  In addition, the government plans to begin developing legislation requiring registration for mass media web sites.

There are a number of ancillary laws that also have a substantial effect on information technology.  Below, I will focus on the key policies that have an impact on Russian information policy but are not part of the main information policy legislation.  In particular, I will address the introduction of the System for Investigations and Field Operations (SORM).  The legal basis for this monitoring hardware was introduced into Russia not through main information policy legislation, but through security legislation and ministerial decrees.  In addition, I will discuss the emergence of information technology crimes in the Criminal Code of the Russian Federation.

SORM and Information Policy

One of the main information security controversies in Russia revolves around the introduction of SORM.  This system theoretically provides Russian security services access to electronic communication and data about on-line habits.  Many legal acts have been published to further define and implement the system.  The system itself is not fully operational, however.

The interest expressed by Russian security organs in the potential threats caused by the Internet is not unique.  United States government institutions have debated Internet content and the use of filtering software, encryption, and the influence of electronic communication on government archives.  Governments generally retain the right, in principle, to monitor activities that threaten national security.  Recently, an Australian publication printed a story (on-line) about an official who allegedly admitted that the governments of Australia, the United States and the United Kingdom have a cooperative agreement to monitor e-mail and other forms of communication.  The system developed for these purposes is dubbed Echelon.  The accuracy of reports on Echelon is, however, a matter for debate.  (Some Russian officials mentioned it to me during discussions about SORM.  Despite the secrecy surrounding Echelon in the West, it is considered to be an example of monitoring efforts in place outside of the post-Soviet region.)

In this context, Russian government efforts to monitor on-line communication are probably not unique.  Given that all governments are interested in developing techniques to identify potential threats, characterizing variation among information security strategies becomes more challenging.  However, for both established and new democracies, there are important questions to address.  What kind of legislative guarantees exist to ensure that individual rights to private communication will not be abused?  What kind of oversight is in place to monitor the use of the equipment?  How reliable are the legislative guarantees and oversight mechanisms?  Also, to what degree is the policymaking and regulatory process transparent?  While these questions are important for all states to address, they are particularly acute in Russia.  Both legislative and real guarantees of information access are necessary to strengthen democratic institutions.

According to plans, monitoring hardware is to be placed at communication stations (including ISPs) with a direct line connected to the Security Service.  While the constitution and various forms of information legislation guarantee the right to private communication, any individual or group theoretically could have its communications or on-line activities monitored.  In fact, no government can completely ensure that all civil servants will abide by the existing laws.  Only strong oversight mechanisms can undermine the threat of bureaucratic abuses.  While the consent of a judge is officially required for SORM to be utilized, the oversight mechanism to ensure that the system is not used for political or other purposes is unclear.  Thus, the reliability of oversight processes is questionable.

The official materials mandating SORM's installation also have not been published fully.  Because Russian law requires all legislative acts to be registered and published before they can be enforced, the secrecy of the system has been cause for protest.  Plans for the development and installation of the system have been presented on the Internet by civil liberties groups, but the government itself has refused to publish some of the pertinent legislative materials.  The government argues that the unpublished documents are instructions, not laws, and are therefore not bound by registration and publication requirements.  The development of SORM, nevertheless, has not been fully transparent.

The initial law providing legislative support for SORM is the "Law on Operational-Search Activities in the Russian Federation."  The law was put in place on March 13, 1992, and outlines an assortment of activities that can be monitored to undermine criminal activity.  Information transferred along telecommunication lines is specifically mentioned as an activity covered under the law.  Although the law forbids using information gathered under it against individuals or organizations for slanderous purposes, the system has raised fears of government violations of privacy rights among civil libertarians.

The 1992 law established the legal framework for the system.  The initial announcement of its implementation was outlined in a Ministry of Communication decree that was first published in 1992 and amended in 1995.  The decree "On the Use of Means of Communication to Facilitate Investigative Activities of the Ministry of Security of the Russian Federation" indicates that communications business owners must provide equipment and maintenance for the system.

A large number of official documents have been generated subsequently.  The volume of materials on SORM is a testament to the importance of information security in the legislative approach to information technology.   SORM legislation is a mixture of laws, decrees, ministerial letters and resolutions that outline the requirements of SORM step-by-step.  The following materials have been obtained through various databases as well as the Moscow Libertarium.  Some have been published, others have not.  All documents are encoded in Win-1251 unless otherwise noted.
 


There are other laws, bills and technical instructions available at the Moscow Libertarium.  These documents provide examples of the information security concerns that form the foundation of information policy in Russia.

The introduction of SORM has met resistance from some ISPs.  In a well-publicized case in Volgograd, the director of Baiyard-Slaviya Communications refused to sign the agreement allowing the Federal Security Service to place SORM on his premises.  The director challenged the legality of SORM and also changed the passwords of his subscribers so that the Federal Security Service could not access account information.  Ultimately, the efforts were in vain; the company was forced to go out of business because it lost the bulk of its subscribers.

The debate about the system seems to be concentrated among those in the Internet community who are interested in civil liberties issues.  A number of Internet users that I spoke with in Russia were unaware of SORM's existence (this includes professionals in the IT community).  Even representatives of regional ISPs indicated that they were not sure if SORM was operational.  They recalled signing an agreement to install SORM if asked, but they said that no hardware had been placed on their premises (one representative indicated that he believed SORM was installed at the local telephone company).  A Russian NGO representative told me that Russian citizens are used to the idea of monitored phone conversations because of their experience with the Soviet system.  Thus, the idea of government monitoring on-line communication does not seem alien to them.

In November 1999, the State Communications Committee was transformed into the Ministry of Communications.  At a press conference, the Minister of Communications indicated that stricter controls should be developed for the Internet.  The FSB, along with the Ministry of Communications, is in the process of developing a new version of SORM (SORM-3) and it is likely that installation of monitoring equipment at ISPs will accelerate.

The most notable aspect of SORM is not that it exists, but the process by which it has been introduced.  Governments are responsible for protecting national security interests and public safety and sometimes monitor communication to achieve these ends.  In Russia, SORM has not been developed in a wholly open manner; it is physically installed for the security services at communication stations and can be used to regularly monitor Internet traffic without clear oversight.  Because of the large amount of data that is transferred electronically, it is unlikely that security services can cast a wide net to inspect communications.  However, information about individuals can be obtained and the potential for its misuse is substantial.
 

Information Technology Crime

The official intent of SORM is to facilitate crime-fighting efforts in the Russian Federation.  While the emergence of computer crimes has been used as a justification for SORM, criminal elements have in fact recognized the spread of technology as an opportunity to develop new techniques to commit illegal acts.  In some cases, the crimes are not new; only the techniques are new.  In other cases, new technologies have spawned modern forms of illegal activities.

Technological advances have allowed criminals to commit standard crimes using new technologies.  For example, there was a rash of thefts in Moscow during summer and fall 1999 that involved automatic teller machines (ATMs).  Credit card and bank card numbers and codes were acquired and used to steal money in Russia and abroad.

Another example of traditional crime using computer technology is that of Vladimir Levin, a Russian computer specialist.  He used his technical expertise to redirect funds from Citibank clients in various countries.  This is another aspect of the introduction of technology into standard criminal acts; the victims were from all over the world.  Levin stole money from Argentina, Canada, Hong Kong, New Zealand and other states.  He redirected the funds to various countries as well, including Israel, Netherlands, Russia, and Switzerland (Кураков и Смирнов 1998).

Other crimes are products of the information age.  In October 1999, two residents of Rostov-na-Donu were arrested for selling CD-ROMs containing viruses.  The viruses were not hidden in the CDs, but were the main contents.  The accused indicated that they understood the dangers of spreading viruses, but that there was a demand for them.  They were charged with violating Article 273 of the Criminal Code of Russia, which forbids the creation, use or distribution of dangerous computer programs.  The newspaper article further alerted readers to the grave threat to Russian security posed by computer viruses (Рогова 1999).

The Criminal Code contains three articles that directly address computer crimes.  Article 272 covers unsanctioned access to information.  Improper access, alteration or blockage of information in computers carries a fine and/or imprisonment up to two years.  The same crimes committed by conspirators (a group that commits the act with planning) carry a more serious sentence (up to five years in prison).  Article 273 of the Criminal Code was mentioned above.  It covers the production and distribution of dangerous computer programs.  If it is the result of negligence, the crime carries a penalty of up to seven years.  Article 274 of the Criminal Code involves improper exploitation of computer networks.  It can carry a penalty of up to four years in prison.  Other articles of the Criminal Code can be applied to information technology crimes, but do not specifically address the misuse of technology.

The introduction of SORM and Articles 272-274 of the Criminal Code show that technological change has affected information policy as well as the approach to law enforcement and crime.

Document posted 1/15/00


Sources in Russian:

Кураков, Л.П. и С.Н. Смирнов.  1998.  Информация как объект правовой защиты.  Москва: Гелиос.

Курушин, В.Д. и В.А. Минаев.  1998.  Компьютерные преступления и информационная безопасность.  Москва: Новый Юрист.

Рогова, Анна.  1999.  "Преступление XXI века." Новые известия.  (21 октября 1999ого года).