Given all the discord and conflict between Russia and Ukraine over the past year, one would expect Ukrainian officials to be very, very careful about their information security. But this is not so. It turns out that over 20% of Ukrainian government servants and state institutions are using free email accounts provided by Russian companies and hosted on Russian servers.
Why is this an issue? Using Russian email services grants the Russian security services and law enforcement easy access to Ukrainian official communications. With Ukraine struggling to win the open information war with Russia in the media, such negligence in internal government communications is surprising.
Ukrainians in general do not seem to see any problems with using Russian Internet services. According to research conducted by Ukrainian bank PrivatBank, 64% of its Ukrainian clients use Russian email services, 14% prefer Ukrainian, and another 14% use Gmail. Ukrainians also favor Russian social networks, with about 27 million Ukrainian accounts in VKontakte and about 11 million in Odnoklassniki.
All your emails belong to the FSB
A group of journalists from the Ukrainian investigative website texty.org.ua decided to draw the attention of Ukrainian officials to the potential dangers of using Russian email services—and to play a prank on the bureaucrats to raise awareness of the issue. Texty.org.ua had previously analyzed an open database of thousands of Ukrainian state and government emails (it only accounts for 2-3% of the total number), and compiled a list of all .ru-based emails they found—around 1700 of them.
Ivanna Kobeleva, a reporter for texty.org.ua, then selected 1159 .ru email addresses from the list and decided to check whether they were actually active, and whether their Ukrainian owners realized the precarious position their electronic communications were in. She created a fake email inbox for “FSB (Russia's Federal Security Service)” and sent unsuspecting Ukrainian state servants the following email.
On behalf of the FSB of the Russian Federation, we want to thank you for using email services with Russian domains.
All the information from your email inbox is available to the Federal Security Service of Russia.
In 2014 the FSB was granted simplified access to the data on servers of any Internet service located on Russian territory. All Russian email domains are under FSB control.
Recently Roskomnadzor was granted the powers to track personal messages of Russian social media users. Among them are: Odnoklassniki, VKontakte, messengers like ICQ, Agent.Mail.Ru and blog platforms.
Thank you for your cooperation!
The head of the Federal Security Service of the Russian Federation
To the dismay of the journalists, the parody “FSB” email received only 173 replies. Most of them were automatic messages that the email address was no longer active, along with a handful of replies providing a new email contact, and a few automatic receipt notices. The fate of most of the addresses remains a mystery.
But there were a few more personal (and clearly human) responses from Ukrainian officials, though some of them were quite baffling. For example, an archival department of a local council in the Cherkasy region replied (hilariously) with “Thank you for your cooperation.” Another local council in the Chernihiv region said they were “always happy to cooperate,” though the reply came not from their old (Russian) inbox, but from a new (Ukrainian) one.
A handful of official contacts were a bit more critical of receiving an email from “the FSB.” A pension fund office in the southeastern Kirovohrad region wrote back: “I don’t give two sh*ts. Without respect, Dmytro.” Another regional pension fund office in the western part of the country replied: “This is a spoof. Glory to Ukraine!”
The prank, which involved impersonating another country's secret service, is certainly unethical, but that seems to be part of the idea. It is eerily reminiscent of cases when state officials resort to impersonating activists to gain access to their networks and personal information—exactly the scenario the prankster journalists are hoping to avoid by raising Ukrainian authorities’ awareness.
What can Russia really access?
The Russian Federal Security Service already has simplified access to data transported by Russian ISPs and Russian Internet companies working with user content. On April 8, 2015 similar powers were granted to Russia's Internet regulator Roskomnadzor, giving its employees power to track the personal messages of Russian social media and email users. This includes email services in the .ru domain, Odnoklassniki, VKontakte (both popular Russian social network websites), instant messengers such as ICQ and Agent.Mail.Ru, and many Russian blog platforms.
The resolution, part of an “anti-terrorist” legislation package signed by Prime Minister Dmitry Medvedev, grants Roskomnadzor these “simplified information access” privileges as a step towards “protecting the rights of Russian citizens.” The changes allow Roskomnadzor to track received, sent, and delivered messages, as well as to analyze information about the sender. Another bonus is access to logs of users’ private actions online—that is, records that would normally be visible only to the users themselves. At the same time, Roskomnadzor emphasized that the legislation only grants them access to the metadata, but does not allow them to read the content of e-mails and online messages. To do that, they would need an official request from law enforcement forces engaged in an investigation.
The point of the texty.org.ua experiment, according to the journalists, is to continue raising awareness of the dangers of lax information and communication security policies of the Ukrainian state. With that in mind, they published the list of all .ru-based emails that belong to Ukrainian officials and implored their readers to write emails to at least some of them asking the owners to change their email providers and be more aware of who might be tracking their email exchanges. While this may generate some improvements, it would be better if state officials and government bodies on all levels in Ukraine abandoned free web-based email altogether. Making every official use only government-provided email services and beefing up their security might be the best way to mitigate potential embarrassing information leaks.