
State Duma proposes to penalize those who refuse to decipher their traffic. Update: amendments accepted

Most recently, the Minister of Communications and Mass Communications of the Russian Federation, Nikolai Nikiforov, spoke of the impossibility of monitoring and censoring messages in Internet messengers and closed social network groups: “This is technically impossible due to the fact that this traffic is encrypted.”

And now ITAR TASS writes about a new version of the amendments to the anti-terrorism law, which proposes to introduce liability for failure to decrypt transmitted traffic:
“Failure by the organizer of disseminating information on the Internet to provide the federal executive body in the field of security with the information necessary to decode the received, transmitted, delivered or processed electronic messages” is proposed to be punished with a fine: for citizens, from 3 thousand to 5 thousand rubles; for officials, from 30 thousand to 50 thousand rubles; for legal entities, from 800 thousand to 1 million rubles.

Vadim Dengin, the first deputy chairman of the State Duma’s Information Policy Committee, interprets the concept of “information dissemination organizers” very broadly:
“This includes instant messengers, most likely. It is also social networks, special mail servers, mail resources that are encoded and contain a large number of visitors participating in this process.”

The proposal was made by State Duma Deputy, Chairman of the Duma Committee on Security and Anti-Corruption Irina Yarovaya and member of the Federation Council Viktor Ozerov.

At the same time, which is typical for such initiatives, no technical details of how and at whose expense this is supposed to be carried out were announced.

Update:

The State Duma postponed consideration of the anti-terrorism package of draft laws to June 24. The proposal to postpone was made by the Deputy Chairman of the Committee for Security and Anti-Corruption, Ernest Valeev, during the morning discussion of the working order of the Chamber.

Update:

Yandex’s position on data storage and traffic decoding laws

“We can say with confidence only one thing - the costs of Internet companies will increase. Internet companies will have to increase the number of servers and think about rebuilding the internal infrastructure. Reducing the data retention period from 3 years to 6 months will only reduce additional costs, but will not cancel the fact of new costs,” a Yandex representative said.

The company noted that in the current version of the draft law, the regulation of the Internet industry will lead to an excessive restriction of the rights of both businesses and users. “This is about strengthening regulation for the sake of safety. Control procedures should put everyone on an equal footing. In the current version of the draft law, there will be no equal conditions, or forcing them will force some of the players to leave Russia, which will negatively affect the industry,” the press service explained.

According to representatives of Yandex, the order and the volume of storage of users' messages remain unclear. The press service also stressed that it is not clear to the company what the legislator understands by coding.

Update:

Official position of RAEC on the “Yarovaya bill” (No. 1039149-6 - second reading)
Requirements for the disclosure of keys for decoding messages lead to the creation of threats to the security and privacy of citizens, create threats to businesses, put Russian companies in an unequal position, and create threats to national security.
At the same time, these measures will not affect the availability of encryption tools for attackers.
Full text
On Amendments to Certain Legislative Acts of the Russian Federation regarding the establishment of additional measures to counter terrorism and ensure public safety.
The essence of the bill

The draft law, in particular, establishes additional requirements for telecom operators and organizers of information dissemination in the Internet information and telecommunications network related to the storage of user data.

Telecommunications operators and organizers of information dissemination are obliged to store on the territory of the Russian Federation for three years information on the facts of reception, transmission, delivery and / or processing of voice information and text messages, including their content, as well as images, sounds or other messages of users of communication services, and to provide the authorized state bodies carrying out operational investigative activities or ensuring the security of the Russian Federation with the specified information, information about users of communication services and the communication services rendered, and other information these bodies need to perform their tasks, in the cases established by federal laws.

In the second reading of the bill, an amendment was adopted obliging organizers of information dissemination to decode the messages of users.

The organizer of information dissemination on the Internet is obliged, when using additional coding of electronic messages for receiving, transmitting, delivering and (or) processing electronic messages of Internet users, to provide the federal executive body in the field of security with the information necessary for decoding received, transmitted, delivered and (or) processed electronic messages.

The essence of the sectoral problems associated with the theme of the bill

The international security standards currently used in information systems on the Internet cannot be unilaterally replaced by other standards. Payment systems, for example, are obliged to comply with PCI DSS; the disclosure of keys automatically leads to the exclusion of such systems from international exchange.

In most encryption standards, the storage of user keys is not provided, that is, without changing the algorithm, it is impossible to decode messages. For example, in the modern implementation of the HTTPS protocol, the session key is generated using the Diffie-Hellman algorithm and is never sent over the network, and as a result, even having gained access to the server's private key, it is impossible to recover the session keys that were used to encrypt the content being sent. Session keys of all participants in the messaging process are deleted immediately after the session. For services that use the connection directly between users for transferring, storing or encrypting information (the so-called p2p services), the concept of an operator is not defined and there is no subject with a collection of keys, which also questions the possibility of technical application of this measure of the draft law.

If the algorithm changes, cybersecurity threats arise for business, citizens, and the state, since the creation of such means of access is actually embedding a deliberate vulnerability into the system.

Creating special encryption access keys jeopardizes national security due to the possibility of hacking by foreign intelligence services, as evidenced by the facts in the press about the activities of the American and Chinese intelligence services.

The adoption of this bill threatens communication secrets and carries enormous risks of confidential information leaks. In the light of recent precedents with leakage into the network of personal data of citizens of Turkey and the Philippines, this initiative can cause reputational and material damage to both Russian companies and ordinary citizens of the Russian Federation.

1.2. The requirements of the Bill unreasonably restrict the rights of citizens, established by Art. 23 of the Constitution of the Russian Federation, according to which everyone has the right to privacy, personal and family secrets, protection of his honor and good name. Everyone has the right to confidentiality of correspondence, telephone conversations, postal, telegraph and other communications. Restriction of this right is allowed only on the basis of a court decision. The draft law seriously restricts these constitutional rights, since disclosure of keys simultaneously allows intercepting messages of all users of the Internet service.

At the same time, these measures will not affect the availability of encryption tools for intruders. Strong encryption is currently available to anyone (for example, Signal is an open source project that allows end-to-end encryption of messages: github.com/WhisperSystems).

Russian companies will be placed in unequal conditions:

Firstly, activity in international markets will be extremely difficult, since the bill applies to all users, which may violate the laws of other countries and the international obligations of the Russian Federation (for example, the convention on automated processing of PD).
Secondly, foreign companies may refuse to comply with these requirements, since they are contrary to the laws of the countries where they are registered, which will worsen the position of Russian companies in the domestic market.
Thirdly, other states (for example, China) may make similar demands on the disclosure of keys to Russian companies.

Conclusions and official position of RAEC on the draft law

As indicated in the decision of the Constitutional Court of the Russian Federation dated November 26, 2012 No. 28-P, the provisions of Part 3 of Art. 55 of the Constitution of the Russian Federation, considered in conjunction with its articles 8, 17, 34 and 35, contain requirements according to which all possible restrictions by federal law of the rights of legal entities, business freedom and regulation of their responsibility should be based on general principles of law, meet the requirements of justice, and be adequate, proportionate and necessary for the protection of constitutionally significant values, including the rights and legitimate interests of others; such measures are permissible if they are based on law, serve the public interest and are not excessive.

The requirements of the Draft Law on the long-term storage of a vast array of information will require huge costs (for the construction of data centers, other infrastructure, etc.) from organizers of information dissemination on the Internet, which in fact any Internet resource can be recognized as. Such expenses can be overwhelming for small Internet projects as well as for large resources, through which a huge amount of information passes.

In addition, the Draft Law creates, in essence, unequal conditions for Russian and foreign Internet services, since the possibility of applying the rules proposed by the draft law, or the sanctions for non-performance, is doubtful.

The adoption of the draft law in its current form may entail the withdrawal from the Russian market of a large number of players and the general degradation of the Internet industry. At the same time, as indicated above, the deputies who introduced the draft Law do not provide any justification for such serious restrictions on the rights of law-abiding business.

Requirements for the disclosure of keys for decoding messages lead to the creation of threats to the security and privacy of citizens, create threats to businesses, put Russian companies in an unequal position, and create threats to national security.

At the same time, these measures will not affect the availability of encryption tools for attackers.
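
The forward-secrecy point in the RAEC text above (a Diffie-Hellman session key never crosses the network, so the server's private key does not recover it) can be shown with a small contrast. This is an added example, not part of the RAEC statement or the original article; the toy parameters (a 521-bit Mersenne prime, generator 3, small RSA primes) and all function names are assumptions chosen for illustration and are not secure for real traffic.

```python
import hashlib
import secrets

# Toy parameters, constructed for illustration only (not secure for real use).
P, G = 2**521 - 1, 3                      # DH modulus (Mersenne prime), generator
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537
RSA_N = RSA_P * RSA_Q                     # server's long-term public modulus
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # long-term private exponent

def kdf(shared: int) -> bytes:
    """Derive a 32-byte session key from a shared integer."""
    return hashlib.sha256(shared.to_bytes(66, "big")).digest()

def key_transport_session():
    """Client picks the secret and sends it encrypted to the long-term RSA key."""
    premaster = secrets.randbelow(RSA_N - 2) + 2
    recorded = {"enc_premaster": pow(premaster, RSA_E, RSA_N)}  # seen on the wire
    return kdf(premaster), recorded

def ephemeral_dh_session():
    """Both sides use one-time exponents; only the public halves cross the wire."""
    a = secrets.randbelow(P - 3) + 2      # client ephemeral secret
    b = secrets.randbelow(P - 3) + 2      # server ephemeral secret
    recorded = {"client_pub": pow(G, a, P), "server_pub": pow(G, b, P)}
    client_key = kdf(pow(recorded["server_pub"], a, P))
    server_key = kdf(pow(recorded["client_pub"], b, P))
    assert client_key == server_key       # both ends derive the same key
    del a, b                              # discarded when the session ends
    return client_key, recorded

def decrypt_recording(recorded: dict, rsa_d: int):
    """What a holder of only the long-term private key gets from a recording."""
    if "enc_premaster" in recorded:
        return kdf(pow(recorded["enc_premaster"], rsa_d, RSA_N))
    # A DH recording holds g^a and g^b only. In real TLS the long-term key
    # would just sign them, so it contributes nothing to the key derivation.
    return None

def demo():
    kt_key, kt_rec = key_transport_session()
    dh_key, dh_rec = ephemeral_dh_session()
    return {
        "key_transport_recovered": decrypt_recording(kt_rec, RSA_D) == kt_key,
        "ephemeral_dh_recovered": decrypt_recording(dh_rec, RSA_D) == dh_key,
    }

if __name__ == "__main__":
    print(demo())
```
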


Update:

The State Duma adopted the anti-terrorism "Yarovaya package"
Deputies of the State Duma adopted the adjusted anti-terrorist package of the head of the Duma security committee, Irina Yarovaya (United Russia). Final amendments were distributed to parliamentarians a few minutes before the discussion. The rules regulating missionary activity turned out to be corrected. Also, the storage period for Internet providers has been reduced from three years to one year.
...
Messengers and social networks are obliged, when using additional message coding, to provide the FSB with keys for decoding them. A penalty will be imposed for failure to comply with the requirement.
In the third reading, the State Duma adopted the counter-terrorism package of Irina Yarovaya. 287 deputies voted for the draft in the third reading, 147 against, and one abstained. As reported by “Kommersant” on June 24, by the second reading, its text was being finalized this morning. The norms regulating missionary activity were changed: first of all, its definition was changed. Now it is proposed to understand missionary activity as “the activity of a religious association aimed at disseminating information about its dogma among non-members of this association” in order to involve them. A norm appeared in the bill that missionary activity on behalf of a religious organization may be conducted by its leader, a member of its collegial body and a clergyman of this organization.

In addition, the deputies banned missionary activity, which is aimed at violating public safety and order, extremist actions, coercion to destroy the family, and inclination to suicide. Violation of the law carries a fine: for citizens - from 5 thousand to 50 thousand rubles, for legal entities - from 100 thousand to 1 million rubles. Previously, Russian organizations criticized these amendments to the Law on Freedom of Conscience (see Kommersant of June 23).

According to the adopted bill, telecom operators will have to store information on the facts of receiving and transmitting calls, text messages, photos, sounds and videos in Russia for three years, and the storage period for the contents of conversations and correspondence will be up to six months. Earlier, Irina Yarovaya agreed to shorten the period for storing information on receiving and transferring information from three years to one year for Internet companies, and the period for keeping correspondence to 6 months. The Russian government requested this in its review. The order, timing and amount of information storage will be established by the government of the Russian Federation.

In addition, telecom operators will have to provide information on users and the services rendered to them upon the request of law enforcement agencies. Messengers and social networks are obliged, when using additional message coding, to provide the FSB with keys for decoding them. For non-compliance with the requirement, a fine will be imposed: for citizens it will be from 3 thousand to 5 thousand rubles, for officials - from 30 to 50 thousand rubles, for legal entities - from 800 thousand to 1 million rubles.

Earlier, the Duma security committee excluded from the draft the provision banning those convicted under a number of articles of the Criminal Code from leaving the Russian Federation, as well as an amendment on deprivation of citizenship for committing a series of actions, such as working in international organizations in which the Russian Federation does not participate (see Kommersant of June 21). These norms contradicted the Constitution of the Russian Federation and other federal laws.

Source: https://habr.com/ru/post/358164/

