A Russian math instructor is being accused of “preparing to organize mass disorder” and making “public calls for terrorist activity” via a series of online posts published to a Russia-based tech discussion platform on March 29.
Russian police identified Dmitry Bogatov by tracing the messages to his IP address, but the 25-year-old free and open source software advocate has denied writing the messages.
Many in the Russian media and blogosphere are speculating that the true author of the messages somehow assumed Bogatov's IP address, either through IP spoofing techniques or by using Tor, the anonymous browser.
Bogatov's arrest comes amidst an ongoing crackdown on Internet privacy in Russia, with lawmakers most recently proposing legislation that would make social media illegal for children under 14 and require adult users to verify their identities by passport.
Waltz with Bashirov
On March 29, someone with the username “Ayrat Bashirov” and Bogatov’s home IP address wrote a series of posts on the website sysadmins.ru, an online forum for systems administrators. One post called for protesters to go to an unsanctioned, anonymously organized—and ultimately under-attended—demonstration on April 2 with “rags, bottles, gas, turpentine, styrofoam, acetone.” Another post linked to the music video for Kanye West’s “No Church in the Wild,” or, as investigators put it, “a video recording with insubordination to the legal demands of the police, and mass disorder.”
It's unclear whether it was Kanye or the Molotov cocktails that did it, but the posts drew the ire of Russia's Investigative Committee, which on April 1 opened a case—without naming names—against the person posting as Ayrat Bashirov.
On the night of April 5, investigators came to Bogatov’s apartment where they seized his computer equipment. They took him into custody the next day. Some hours later, a judge denied the Investigative Committee’s request to hold Bogatov in custody, ruling that the charges were not serious enough to warrant his continued detention. Investigators then added a second and more serious charge of inciting terrorism, and he was brought back into court the following day. This time, a judge approved his detention for another 72 hours. On April 10, the court upheld the charges, formally arrested Bogatov, and ordered that he be held until his trial on June 8.
A flimsy case
The case against Bogatov appears to rest entirely on the fact that the offending posts were made from his home IP address.
Bogatov has a strong alibi for being away from his computer when at least some of the posts were published. Surveillance footage shows Bogatov and his wife leaving a supermarket four minutes before one of the posts was made on March 29. Given that the supermarket is half a kilometer from their home, it is unlikely that Bogatov could have made it home and posted online within four minutes.
Furthermore, since Bogatov’s detention, the profile for Ayrat Bashirov has remained active online, making numerous posts, commenting on his own supposed arrest, and even exchanging private messages with a journalist from Open Russia, saying that he is “of course not Bogatov.”
It appears likely that Bogatov was running a Tor exit node from his home computer. As a user on Geektimes pointed out (and as Tor's records confirm), several hours before Bogatov’s detention—likely around the time authorities were searching his apartment and seizing his computer equipment—an exit node that had been operating for more than a year and a half under Bogatov’s name went offline. The email address associated with the node matches the address listed on Bogatov's Github page.
More about Tor
The Tor network is a collection of servers located across the world, run mostly by volunteers. The network helps users connect to the Internet anonymously by sending traffic between at least three Tor servers, typically located in different countries, before allowing it to reach its destination. This makes it nearly impossible for anyone monitoring the Internet to understand where the traffic is coming from and where it is going. Tor “exit nodes” are the final set of servers used in the connection process. This is where a user’s traffic exits the Tor network and connects to the world wide web. When traffic sent through Tor reaches its destination, only the exit node can be traced.
Whoever was posting as Ayrat Bashirov clearly was—and still is—using either Tor or some other method, such as IP masking, which would allow the person posting as Bashirov to make it appear as if he was operating from Bogatov's computer, even when he was not. According to Bogatov’s attorney, the person has posted from more than one hundred different IP addresses across Russia and in Norway, the Netherlands and Japan.
It is possible that Bogatov was posting as Bashirov using Tor or another anonymization technique, and simply forgot to turn on the connection when some of the posts were made, revealing his true home IP address. But this seems less likely, given the grocery store footage, and the fact that Ayrat Bashirov remains active online.
Running an exit node can be a risky endeavor, especially in Russia, where in the past Tor has been targeted by proposed legislation intended to curb online anonymity. And regardless of location, Tor advises volunteers who choose to do so to take precautions, including not running it from their home internet connections. This would not be the first time that someone running an exit node has fallen under suspicion from law enforcement for criminal activities committed through their connection. A post on the forum toster.ru describes at least one instance of an exit node operator in Russia being questioned by police for a bomb threat sent from their IP address.
If this is indeed what happened with Bogatov, it remains unclear whether prosecutors are pursuing the case due to a poor understanding of how Tor works or for some other reason, such as to send a warning to the many Russians using Tor and other VPN services. Notably, the Investigative Committee’s interest in Bashirov’s posts came amidst an online crackdown leading up to demonstrations on April 2.
Bogatov’s case also raises questions about the future of Tor and VPNs in Russia. Last year, one of the largest VPN providers stopped providing Russian IP addresses after the government seized its servers when the company refused to comply with new laws requiring that they locate their servers on Russian soil. In the past, Russian lawmakers have discussed the idea of banning VPNs, and this January Roskomnadzor, the agency that oversees the internet in Russia, blocked one VPN service.
In the meantime, the hashtag #freebogatov has appeared on social media, and Tor advocates have launched an appeal to rename exit nodes in his honor.
Curiouser and curiouser, I have to wonder who’s at the bottom of this Bogatov mystery. It’s usually a distraught female ~ jealous of “her man’s” sideways glance at another female. She’d have to be computer literate. But she was with him at the grocery store . . . .
The remaining suspects are: 1.) the Russian Government trying to eliminate encryption on the net ~ OR ~ 2.) the American Government trying to perplex/torment the Russian Government into doing something against their own people ~ OR ~ 3.) a computer software giant wanting to eliminate competition ~ OR ~ 4.) all the Spy Agencies in the world trying to make their jobs easy/unconstrained by forcing foreign governments to write new laws that will eliminate encryptions.
The odds are Bogatov is a pawn in someone’s game. The odds are less than ZERO that Bogatov’s a terrorist if he’s truly a math teacher in Russia. Solve this mystery !