These days, telecommunications companies in Russia are key players in the government’s increasingly sophisticated internet censorship and surveillance apparatus. Authorities have broad discretion to block a wide array of online content without a court order and without explanation. Telecom operators are obliged to monitor the government’s “blacklist” and to immediately block access to banned content. Tens of thousands of domains and web pages are blocked in Russia today as a result. On the surveillance side, telecom operators are obliged to cooperate with law enforcement authorities and install so-called SORM equipment that provides Russian Federal Security Service (FSB) with direct, real-time access to users’ communications.
Earlier this year, I worked with two Russian internet rights NGOs (Roscomsvoboda and Internet Protection Society) to evaluate public disclosures and practices of the four major Russian telecom operators (also known as the “Big Four”): MTS, Beeline, Tele2 and Megafon. Our goal was to assess how transparent these companies are about the policies and practices affecting their users’ digital rights.
We used the Ranking Digital Rights Corporate Accountability Index methodology as a starting point and tailored it to the Russian context. We selected certain indicators and elements from the Index methodology that in our view were most relevant for the scope of our analysis. Like the Index evaluation, our research was based exclusively on documents that the companies and their holding groups make publicly available. In addition, we conducted technical tests to evaluate how companies implement these policies in relation to content blocking.
Unfortunately, our findings were disappointing:
- None of the telecommunications operators informed users that their equipment is connected to the FSB terminal, which “mirrors” all the traffic transmitted to and from their users.
- None of the operators published any information about government requests for user information. However, since authorities have direct access to communications data through SORM, Russian companies may not be aware of the frequency or scope of user information accessed by authorities. Still, there is no law preventing Russian telecommunications companies from disclosing their processes for responding to government demands for user data in the case that these requests are made. (This lack of transparency is very different from the practices of mobile operators in the U.S. and Europe—for example, AT&T, Telia Company, Vodafone, and Telefónica—which regularly publish such information as part of their transparency reports. AT&T and Vodafone, for example, each disclose their process for responding to government requests as well as a commitment to carry out due diligence on each request before responding.)
- Despite their central role in restricting access to online content, none of the four operators we evaluated publicly described how they restrict access to reported content, how users can appeal their actions, or how many websites have been blocked. With the exception of MTS, the companies disclosed very minimum information to their users about their reasons for blocking access to specific content.
- Our technical tests demonstrated that excessive blocking, e.g. by IP address, is very rare. All four companies use some variation of “deep packet inspection” when blocking their users’ access to online content.
- On a positive note, all four companies educate their users about cyberthreats and publish educational materials describing how users can protect themselves against these risks.
Our assessment of the four major Russian mobile operators complements the Index evaluation of two Russian internet companies, Yandex and Mail.Ru, which found that these companies also disclose very little about policies related to users’ freedom of expression and privacy.
While Russian internet and telecommunications companies operate in a restrictive legal and political environment, these companies can still be more transparent about policies affecting their users’ human rights. As our research shows, the country’s four biggest telecommunications operators could disclose more about their policies for handling government requests to restrict content and to hand over user data.
The full text of our study can be found here.