Photo: Niall Carson/PA Wire/PA Images. All rights reserved.“The one thing that compensates for the strictness of Russian laws is the lack of necessity to follow them”. The Russian writer Mikhail Saltykov-Shchedrin may have penned this aphorism in the mid-19th century, but it’s still relevant in 2018 – especially when discussing the specifics of doing business in Russia and interacting with the Russian government.
A recent practical lesson in this reality emerged when president Putin signed the Personal Data Domestication Law (PDDL) in 2015. The PDDL, effective from 1 September 2015, demanded that every piece of personal data of Russian citizens operated by any online service should be stored in a data warehouse within the Russian Federation’s geographical borders.
This is a quite remarkable (and typical) piece of Russia’s legislative absurdity. Imagine a small online store somewhere in France selling, for instance, carpets. It stores its customers’ data on a cloud service without even knowing the whereabouts of physical servers. In France? Iceland? Is the data somehow distributed throughout the globe by the hosting service provider? Even if the store managed to somehow separate its customers with Russian citizenship (and here don’t forget the homesick employees of the French embassy in Moscow ordering carpets from home, still not being subject to the PDDL), it is hard to imagine our hypothetical store would be capable to setup technical infrastructure to comply with the PDDL.
Of course, Russian legislators were not concerned with small online stores (though a verbatim reading of the PDDL leaves no chance of excluding them). The law is targeted at messaging services and social networks: Facebook, WhatsApp, Gmail, Skype and so on. Roskomnadzor (the Russian government internet censorship agency) has been very clear – Facebook and Google should move their servers to Russia, making their users data and, most important, messages subject to SORM, the internet surveillance system created and run by the Russian security services.
An online petition addressed to Google, Facebook and Twitter urging them not to comply with the PDDL and thus to protect privacy and data of their customers from the FSB was launched in summer 2015. It quickly collected over 50,000 signatures, and some of the best known Russian internet gurus among them. It’s hard to say whether the petition was effective or that the internet companies calculated their expenses for fulfilment of the PDDL, but the fact is three years later, in 2018, none of the major players (Viber being the only exception among messengers) agreed to follow the PDDL. No sanctions from Roskomnadzor followed, though it did threaten them on a number of occasions.
At the end of the day, Roskomnadzor are not fools: they are well aware of the risk of shutting down YouTube
Why so? Dura lex, sed lex, surely? The legislation could be perfectly absurd, yet still it might be hard for a western reader to imagine how a corporation (with all its lawyers and compliance departments) could just disobey it and walk away. But this is Russia – not a democracy, but an authoritarian regime. And there is no rule of law, but the rule of political momentum.
Shutting down Twitter in Russia, where politicians loyal to Putin have accounts and enjoy tweeting, or including Instagram on Roskomnadzor’s blacklist (which would imply an immediate block by any ISP in Russia), making million of young Instagram users unhappy just before the parliamentary and presidential elections – any decision of this kind has to be approved by the Russian president himself. No court and no other part of the regime would dare to take responsibility given the possible political consequences. Anything that could make people unhappy and drive them to the streets is decided by Putin. This is the way an autocracy operates.
Once you realise this fact, it’s easy to see why LinkedIn was selected by Roskomnadzor as the first victim of PDDL in summer 2016. Indeed, LinkedIn is still the only victim. It was selected by Roskomnadzor carefully: sure, it’s a big brand, with an even a bigger one behind it (Microsoft), but LinkedIn’s popularity in Russia has been limited to a small part of the white-collar audience working for or doing business with western companies. A rather small audience. And what’s more important: this is not the kind of audience that would march on the streets against internet censorship. LinkedIn was chosen to scare off larger players. On the technical and legal side, there was absolutely no difference between how LinkedIn and how Facebook stored and dealt with the personal data of their Russian users. The only thing that made a difference was politics.
Photo CC BY 2.0: Jason Howie/Flickr. Some rights reserved. This PDDL case has been an important lesson, and it’s a pity that not everyone has learnt it for good. In February, Alexey Navalny, the Russian opposition leader unlawfully banned from the presidential election, but who remains Putin’s most prominent and feared critic, published a video proving that Oleg Deripaska, a Russian oligarch with close ties to US lobbyist Paul Manafort, secretly met with Sergey Prikhodko, deputy prime minister of Russian government who oversees foreign policy. Indeed, the leaked conversation happened during a yacht trip off the Norwegian coast in August 2016. Several escort girls were also present.
This could be the missing link between Manafort and Putin – and perhaps it was, judging from the Russian government’s reaction. The day after Navalny’s investigation was published online on YouTube and Instagram, a court in the small southern Russian city of Ust’-Labinsk (which happens to be Deripaska’s hometown) decided that Navalny’s video violated the oligarch’s and deputy prime minister right to a private life (!). It ordered every instance of the video to be blacklisted by Roskomnadzor, effective immediately. This pace was record-breaking: usually any lawsuits relating to violation of an individual’s right to a private life take years. For instance, in summer 2016, the FSB leaked footage of Navalny fishing with his family on a lake. This surveillance video was included as part of a “documentary” on a state-owned TV-channel, and used as evidence that opposition leader spends his vacation in “too chic” a manner. The court is still due to set a hearing date.
But what does it mean when Roskomnadzor is required to block some video from the technical point of view? When a website is blacklisted, it is included on the registry of forbidden content, which Roskomnadzor updates several times a day and distributes among all Russians ISPs. The latter face huge fines or the revocation of their license if they fail to restrict access their customers’ access to every website included in the registry. If a website uses HTTPS, a secure connection protocol, though, the ISP doesn’t possess the information concerning which exact URL a user is trying to reach. Technically, in the Deripaska case, only two entries on Navalny’s blog have been included in the blacklist registry, but all the ISPs blocked the entire domain of Navalny.com (some of them even blocked all the subdomains, including the website of Navalny’s presidential campaign). They simply had no choice. Similarly, should any single YouTube video be included in the registry, YouTube will become inaccessible for customers of Russian ISPs on the same day. Should any Instagram story be put on the blacklist, millions of Instagram users will get angry. This is already politics.
Legal compliance shouldn’t be the only way of doing business in authoritarian states. Politics is another consideration. So is protecting your customers
Thus, having a valid (albeit speedy) court decision beforehand, Roskomnadzor immediately blacklisted navalny.com and a few dozen other websites which dared to publish Navalny’s investigation – but not the YouTube and Instagram videos with exactly the same information and mentioned in the same court decision alongside other “prohibited” URLs. At the end of the day, Roskomnadzor are not fools: they are well aware of the risk of shutting down YouTube – this kind of action nearly led to a coup in Brazil recently. Instead, Roskomnadzor started sending emails. They informed YouTube and Instagram that Navalny’s video is recognised as illegal in Russia and asked them to remove it voluntarily. YouTube contacted Navalny’s office and asked him to remove it. Navalny refused. Youtube refused also. Instagram took the video down without even attempting to contest Roskomnadzor’s email. Roskomnadzor threatened Google with sanctions because of YouTube’s disobeyal. Google ignored it.
A month later, the video (which has over seven million views) is still freely accessible on the YouTube. No sanctions were applied to Google. After two weeks of threats, Roskomnadzor officially admitted it is not considering shutting down YouTube in Russia. So Google, via YouTube, has outplayed internet censorship and once again, as in the case of PDDL, proven its readiness to put its customers’ interests first. Meanwhile, Facebook, in the form of Instagram, should be considered a company that is ready to help Putin clean up the Manafort mess by censoring material online.
Legal compliance shouldn’t be the only way of doing business in authoritarian states, where the regime can easily undertake unlawful actions to pursue political goals. Politics is another consideration. So is protecting your customers.