The Duma has passed a final draft of legislation that will require all websites to store any personal data about Russian users on servers inside Russia. If approved by the Senate and signed by Vladimir Putin (which is expected), the law would take effect in 2016, giving Internet companies about 17 months to establish an infrastructure on Russian soil. To learn more about the potential fallout of this new initiative, RuNet Echo has translated a column that appeared yesterday on TJournal.ru, written by Andrey Mima, who is a former staff member at Yandex and Vkontakte, and the cofounder of Qbaka, an “error-monitoring” company.
“Banning the Internet,” by Andrey Mima
It wasn’t so long ago that the law “blacklisting” websites sparked a loud public outcry in the Internet community and mass media. Today, you can barely find anything in the news about the law on servers and personal data. It seems that society has made peace with the inevitable regulation of the Internet, and the subject has ceased to be a hot-button issue in the midst of other events.
So much the worse for us, because amendments to the law on personal data could lead to far more serious consequences than blocking online extremism without a court order.
Formally, starting in September 2016, nearly the entire Internet will fall under the threat of being blocked. Under a banner of rescuing our transmissions from enemy intelligence agencies, the World Wide Web will find itself outside the law. Only the biggest Internet companies can afford to install new servers in Russia, though this law is directed squarely at such companies, says Vadim Dengin, the chair of the Duma’s information policy committee.
Besides Google and Facebook, there are a million smaller services that people around the world—including Russians—use every day. Hotel reservations, technical forums, dating sites, smart calendars, e-tickets for a water park in city X—the list goes on. All these websites store data about you: names, passwords, comments, photographs, and so on.
Under this draft law, personal data is considered “any information relating directly or indirectly to an identified or identifiable person.” Simply put, it’s any kind of information about you. This kind of information is stored on any website or mobile application that employs the concept of a “user.”
Users’ information is usually stored in a single database—storing accounts on different servers, spread out geographically, is a complicated and expensive engineering task. It’s not economical for Internet companies to move Russians’ data archives to separate servers in another country. This would require large spending on the work of programmers, system administrators, translators, and lawyers (and most likely it would require establishing an official legal presence inside Russia).
The biggest Internet companies, which already have representatives in Russia, tend to sort out these matters for themselves. They are interested, after all, in maximizing the speed of their services for users in Russia, and some of their servers are already based here.
A black hole
Only a tenth of the amendments to this legislation address the requirements about storing personal data in Russia. The other 90 percent describe the protocol for blocking websites that don’t obey the law. In other words, this has nothing to do with data protection, but everything to do with expanding the “blacklist” to any sites that store data outside Russia.
In practice, this affects all websites—Internet companies won’t buy servers in some unfamiliar country and change their entire database architectures at the whim of the Russian Parliament. Imagine if such a law appeared somewhere in Bangladesh, where the population is even greater than in Russia.
Formally, the decision to block a website requires a court order, but any user of a website has standing to file a claim that his or her personal data is being violated, meaning that difficulties with blacklisting any site aren’t expected.
The common practice for blocking websites gives rise to fears about the worst scenarios: decisions to blacklist might be chaotic and rushed. A ruling on one complaint by some judge in city X without the slightest clue about the Internet might be enough to block the website of a noncompliant major airline.
On the dangers of raw food
Right now, the amendments to the legislation are so “raw” that they’re unenforceable, whatever the authorities’ wish to implement them. On the Internet, it’s impossible to identify automatically who lives in Russia. Russians might register on sites while traveling abroad. No website asks users to prove where they are registered to live, and even Facebook and Google aren’t going to change their interfaces just for Russia. It’s impossible to tell apart a Russian citizen on vacation in the United States from an American citizen visiting Russia.
You might consider this good news: unrealistic laws are usually enforced selectively, through manual control.
Nobody in Russia wants to block the Internet, and these amendments will change almost nothing in our lives.
The amendments to the law are an instrument for pressuring a very specific set of large Western companies. Nobody will bother the small websites and mobile applications. Protecting data from Western intelligence agencies simultaneously means feeding these data to Russian intelligence.
We already know how our intelligence handles data, which we learned with the leak of personal data belonging to Yandex.Dengi users who donated money to RosPil. The FSB formally requested users’ data from Yandex, and then the data fell into the hands of people in no way associated with the FSB.
Of course, by 2016, Twitter and other large companies will have established servers in Russia, and the issue will be closed. But it’s entirely not okay that it required outlawing the rest of the Internet to achieve this. “Believe me, a majority of Russians want their personal data to remain in Russia,” said the author of this initiative, when he presented the bill to the Duma. And a majority of Russians believed him.