We met that day in the tower on Bloor Street. The group also included Masashi Nishihata and Sarah McKune from Citizen Lab as well as Eric King of Privacy International, the British organization concerned with privacy issues. Deibert showed us into the turret room under the ceiling of the tower, known to the staff as the Jedi Council. We joined the group to plan an investigation into Russian surveillance in the upcoming Olympic Games, scheduled for February 2014 at Sochi on the Black Sea.
The games were a showcase for Vladimir Putin. In 2007 he had personally presented, in English, Russia’s bid to the International Olympic Committee, and Russia won. In the years before the games Putin put the FSB in charge of providing security for the Olympics. In 2010 an FSB general, Oleg Syromolotov, was appointed as the chairman of the Russian group that would oversee security at the games. We described to the others at the meeting how Syromolotov, inside the FSB, was not in charge of counterterrorism operations, as might be expected; rather, he was a top counterintelligence officer at Lubyanka since 2000. He spent his entire career in the KGB and then the FSB, and for thirteen years he had directed FSB efforts to hunt down foreign spies. Now he was put in charge of providing security for a major international gathering that would host athletes, journalists, and political leaders from around the world. We told the group that Syromolotov’s appointment was significant. It could mean that Russia viewed the games as an opportunity to collect intelligence.
We obtained a PowerPoint presentation about security at the games that was primarily concerned with the communications challenges, and we found something revealing on its final pages, which we shared with our colleagues. The slides revealed how SORM—the black boxes of the FSB that were placed on all kinds of communications connections—were being deployed to Sochi to cover all communications at the games. The next-to-last slide gave a list of the black boxes’ basic requirements, including that they should be able to “intercept all segments of the network,” that the fact of SORM’s presence there should be completely secret, that there should be an iron-clad system to avoid anyone discovering that they were being intercepted, and that they should be hidden from the personnel of phone companies and ISPs. We suggested to our colleagues that Russia was preparing to use surveillance of the same intensity that China had in the 2008 Summer Games in Beijing.
King, of Privacy International and a world-renowned expert in spotting the presence of surveillance equipment suppliers, had made it his passion to attend every expo on surveillance throughout the globe. He knew what SORM was about—he had come across this technology in Central Asia. He asked us, “What does it mean that it is being upgraded for the Olympics? Does that mean that SORM will be combined with deep packet inspection [the system of infiltrating the content of communications]? If they were used together, would that transform the targeted surveillance into mass surveillance? In other words, would it help to identify and track, say, activists by words they use?”
We just didn’t know. We thought there might be clues if we could find out what hardware and equipment was being used, but that would take some digging.
One thing we did know was that the FSB and Interior Ministry officials spoke openly and increasingly about their experiences in the 1980 Moscow Olympics more than three decades earlier. Officials had learned certain lessons about both surveillance and physical security of the Games. The lesson for surveillance was to monitor as much as possible; the lesson for physical security was to isolate the Games as much as possible.
In 1980 the Olympic Games were secured in a way that was only possible in the totalitarian Soviet state—Moscow was ruthlessly cleansed of any possible troublemakers, who were sent out of the capital, and the city stood empty for the two weeks of the competitions, surrounded by troops and with KGB officers at every corner. When some of the sporting events were underattended, the authorities just sent troops to fill the stands. The Moscow Olympics was surrounded by paranoia; the KGB prepared dozens of reports of foreign intelligence services’ “hostile intentions” to undermine the games.
We underscored to the group in Toronto that the appointment of Syromolotov, a top counterintelligence officer in the FSB, seemed to echo this Soviet-style approach. It was clear that in Sochi the authorities wanted to combine the KGB’s traditional methods with cutting-edge surveillance technologies.
Those who gathered in Citizen Lab’s tower that day knew how quickly the pace of electronic surveillance was growing in Russia. The FSB’s supervision of the Olympics security meant that all measures were to be carried out under a veil of secrecy. For years it had been impossible to obtain comments from the FSB; the press office was effectively shut off from journalists’ requests. Not only officials but also companies contracted by the authorities to provide security solutions were reluctant to talk.
Under the turret that day we acknowledged with the others that there were many unknowns. We felt that Russia was preparing something large and menacing in surveillance, but we didn’t know how it would actually be used, how it would work, and what the FSB’s goal was: to gather intelligence using interception and surveillance, to stop protesters from reaching the site of the games, or maybe to use the surveillance measures as a big stick to intimidate and frighten possible troublemakers?
We also wondered about the future of SORM and what the Russian authorities wanted to do after the games ended. Was Sochi intended to be a laboratory to be replicated all over the country? After all, many security measures, first tested in Moscow in 1980, were then introduced on the national level. Even the antiriot police units known as OMON, which had beaten protesters during the demonstrations in 2011–2012, were formed because of the Moscow Olympics. What kind of legacy would Sochi leave in terms of surveillance and control of information?
The information games were afoot.
Once we got back to Moscow we decided to make a point of examining all kinds of open sources, including technical documents published on the government’s procurement agency website, zakupki.gov.ru; Russian law requires all government agencies, including the secret services, to buy their equipment through this site. We also scrutinized presentations and public statements made by government officials and top managers of firms involved with the Olympics and security for the city of Sochi. We reviewed public records of government oversight agencies such as the telecoms watchdog Roskomnadzor. Soon we found out that our suspicions about upgrading SORM were correct.
The Russian Supreme Court keeps statistics about court orders issued for interception, but they are held deeply inside the court’s filing system and are not in the open. For years finding such information was impossible; members of parliament told us they could not get it. Then a lawyer gave us a hint on how to mine the data out of the computers. We followed the lawyer’s advice and discovered what we were looking for—the court’s statistics. We found that in six years Russia’s use of SORM had skyrocketed: the number of intercepted phone conversations and e-mail messages doubled, from 265,937 in 2007 to 539,864 in 2012. These figures do not include counterintelligence eavesdropping on Russian citizens and foreigners, the area of Syromolotov’s department.
It was hard to find specific details about SORM deployment in Sochi, so we turned to the data of Roskomnadzor, the communications watchdog that was very busy making sure SORM equipment was properly installed in the Sochi region. We discovered that several local ISPs were fined for having failed to install Omega, the SORM black box recommended by the FSB. One document from Roskomnadzor showed that in November 2012 the ISP Sochi-Online was officially warned for “failing to introduce the required technical equipment to ensure the functioning of SORM.”