Under surveillance: Russian secret services to eavesdrop on WhatsApp and Viber
Russian secret services have started eavesdropping on and reading WhatsApp and Viber. According to a CrimeRussia source, the required arrangements have been made with the owners of the messengers.
All the secret services in the world (including Russian ones) want to know everything about us. Eavesdropping on telephone conversations is a pretty ordinary thing these days, but technologies are developing, and new ways of communication – IP telephony, chats, and messengers – are replacing the old ones. Special agencies are making efforts to gain control over the new communication methods – slowly but steadily. Since November 2016, the Federal Security Service (FSB) of the Russian Federation has been able to intercept information sent via popular messengers – WhatsApp and Viber. Now their data centers include servers connected to the LESS (Law Enforcement Support System). The Ministry of Internal Affairs (MIA) of the Russian Federation does not have access to that system yet – but FSB operatives can use its capabilities for solving high-profile crimes and in their struggle against terrorism and corruption.
Similar systems have been used in our country since 1996 for eavesdropping on cell phones. Special equipment allowing law enforcement authorities to access the conversations of any client in real time has been installed at each mobile operator. From the legal point of view, everything is perfectly clear. In addition to Article 23 of the Constitution of the Russian Federation, which allows the right to privacy of correspondence, telephone communications, etc. to be restricted under a court order, the rights and freedoms of man and citizen may be limited by federal law to the extent necessary to protect the constitutional order, morality, health, and the rights and legal interests of other persons, and to safeguard national defense and state security. In other words, the law enforcement authorities have great room for maneuver in terms of justification for eavesdropping and other operations. Direct telephone tapping requires a court order, but obtaining other information (e.g. outgoing calls) does not. In addition, FSB or MIA operatives must only obtain an order; they do not have to present it to the communications service provider – who, in turn, has no right to request it without holding a state security clearance.
Due to the growing number of Internet users, the so-called LESS-2 was established in the 2000s to give special services access to all the Internet traffic going through a provider. Officially, such means are justified by the struggle against extremism and terrorism, but we often hear about such covert means being used against the opposition. Examples include the ‘leak’ of Boris Nemtsov’s telephone conversations via Life on the eve of mass protests in 2011 (nobody ever explained how the media outlet had got these records) and an audit of contributors to the election campaign of Alexey Navalny during the mayoral elections in Moscow in 2013. The contributions had been made via the Yandex.Money electronic payment service. The Prosecutor General’s Office of the Russian Federation found that the IP addresses of more than 300 contributors were located abroad, which was against the law. It is necessary to note that a foreign IP address does not necessarily belong to a foreign citizen. It is also unclear how the Prosecutor General’s Office obtained this information. According to Asya Melkumova, a representative for Yandex, the Prosecutor General’s Office had never contacted them in that regard.
However, the efficiency of LESS-2 was low due to the huge volumes of encrypted data transferred through providers – it was necessary to analyze too much unrelated information, and more precise data selection queries were required.
[Image: Facebook data center]
So, it was decided to use a different approach. On July 31, 2016, Prime Minister Dmitry Medvedev signed a decree requiring social networks, forums, and any communication portals available for the public to install equipment and software allowing the secret services to collect information about activities of their users automatically. The epoch of LESS-3 has begun.
However, messengers installed on smartphones were still out of control because they functioned ‘above’ the infrastructure of mobile operators. The transmitted information could be intercepted, but it was almost impossible to decipher it. So, hacker attacks were the only solution. For example, this happened with the Telegram correspondence between Georgy Alburov, a staff member at the Anti-corruption Foundation, and Oleg Kozlovsky, Director of the Obraz Budushego (Vision of the Future) non-governmental organization. At the end of April 2016, the activists stated that their accounts had been hacked. According to Alburov, the FSB could have done this through MTS.
By the way, foreign special services make no secret that they use the same methods to obtain required information. For example, the FBI attempted to get information from the iPhone of one of the terrorists who murdered 14 people in California in December 2015. Apple refused to cooperate at that time, and the FBI had to use hackers. Some companies openly offer software to hack electronic data storage devices and information transferred via the Internet and stored there. For instance, ElcomSoft (a Russian company, by the way) produces, inter alia, various ‘tools for criminalists’ that make it possible to get access to data stored in telephone memory or cloud drives, generate passwords to files, etc. Such products are available not only to secret services – anyone can buy them on the company web site.
However, all these methods could not guarantee 100% efficiency; therefore, the Russian lawmakers and enforcement authorities have engaged in a real ‘battle’ with the owners of the messengers to make them ‘cooperate’.
On September 1, 2015, amendments to the Federal Law “On Personal Data” came into effect. According to these amendments, all personal information of Russian users must be stored in Russia. Any Russian or foreign company intending to work with Russian users must ensure recording, systematization, accumulation, storage, and specification of their personal information using databases located in our country. International companies faced a difficult dilemma: either lose the Russian market or sustain reputational losses.
Ultimately, most companies decided not to sprinkle ashes upon their heads, and six months later, it became known that Google and Apple had started transferring personal data of their Russian users to servers located in Russia. Facebook declined to do this. There is no information available with regard to other major international providers; however, as of today, all the foreign companies continue their operations in Russia – i.e. some agreements acceptable to everybody have been reached.
This means an inevitable trend for all of us: pretty soon, no one will be able to guarantee privacy to anyone.
For example, for a long time, Skype was considered one of the best-protected VoIP services. There were no cases of deciphering and/or interception of Skype data officially confirmed by the developer up until 2008, when Austrian law enforcement authorities announced at a meeting with providers that they had performed a “legitimate interception of IP traffic”. A similar statement was made by the Australian police. It also became known due to a media leak that Digitask was developing a program to intercept online communications by order of a Bavarian ministry. Swiss authorities announced a possibility to eavesdrop on Skype as well. In Russia, proposals to ban Skype had been made on a regular basis due to alleged security threats linked with its encryption of conversations and non-connection to LESS. In 2010, new LESS solutions, able to locate and intercept Skype traffic (but not decipher it), were proposed. But Microsoft made everybody’s lives easier by purchasing Skype in 2011. Since then, all the transmitted information has been analyzed on Microsoft servers. In July 2012, it was reported that Microsoft might allow special services to eavesdrop on Skype conversations and provide access to personal correspondence in the framework of a new policy of full cooperation with law enforcement. In 2013, it became known that the Russian secret services can not only wiretap Skype conversations but also identify the location of Skype users.
Another VoIP service for smartphones – Viber – relocated, as required by the law, all the personal information of Russian citizens, including phone numbers and nicknames, to Russia in 2015.
Facebook Messenger and WhatsApp, the most popular messenger in the world (1 billion users), which has also recently come to belong to Mark Zuckerberg, use end-to-end encryption, which, according to the developers, ensures that only the communicating users can read the messages. But this works only if the user turns this function on and the unencrypted correspondence is not stored on Google Drive or iCloud.
According to IT security experts, one of the safest messengers currently is Telegram, a project by Pavel Durov, founder of the VKontakte social network. In an interview with the New York Times, he said that the idea to create this app came to him in 2011, during the SWAT standoff at his home. When they left, he immediately wrote to his brother Nikolai and realized he did not have a safe means of communication with him. To prove the safety of his product, at the end of 2013 he made a risky PR move by inviting anyone to hack his personal correspondence in Telegram for a reward of $200 thousand. No one has ever claimed that prize.
Amid the statements about the national security, the Russian authorities understand very clearly who has the ‘keys’ unlocking the correspondence. Therefore, this spring, a proposal has been made to prohibit Russian officials and military servicemen from using Gmail.com mailboxes and popular messengers (WhatsApp, Viber, Telegram) for work-related correspondence.
Finally, to close down the topic once and for all, a new bill developed by Deputy Irina Yarovaya and Senator Viktor Ozertsov, also known as Yarovaya’s Package, was introduced in spring 2016. It includes, inter alia, a requirement for “organizers of information distribution in the Internet” to store all the information passing through them for 1 year. Should a messenger, social network, mail client, or web site enable data encryption, its owners must assist the FSB in deciphering any information requested by the law enforcement authority. Refusals shall be punishable by a fine of 800 thousand to 1 million rubles. On July 7, 2016, the package, with some amendments, was signed by President Vladimir Putin.
The amendments empowering the Government to obligate communications service providers to store records of telephone conversations, SMS, and Internet traffic of users for up to 6 months are coming into effect on July 1, 2018. According to the amendments, the above-mentioned information must be stored only in Russia. However, on July 19, 2016, Anton Belyakov, a Member of the Council of the Federation, introduced a bill postponing these amendments until 2023.
At the end of this summer, information surfaced about another bill intended to eliminate the anonymity of messenger users. The bill was produced by the Media-Communication Union, which unites communications service providers and media holdings. According to the Media-Communication Union, Internet messengers (organizers of instant exchange of messages) must sign agreements with communications service providers by 2017. Under these agreements, each messenger has to send information about its users to the communications service provider – who, in turn, shall cross-check it against its own information about the users and notify of all discrepancies.
Finally, to enable the secret services to use all these new legal powers, the Con Certeza company, which specializes in the development of technical means for Law Enforcement Support Systems (LESS) working with networks maintained by communications service providers, started searching this fall for a contractor to research possibilities to intercept and decode the traffic of popular messengers: WhatsApp, Viber, Facebook Messenger, Telegram, and Skype. And apparently, positive results have been received – at least, for several such messengers.