New York Times exposes Russia's surveillance supply chain expansion & raises global human rights concerns
“Cracking Down on Dissent, Russia Seeds a Surveillance Supply Chain”, 3 July 2023
As the war in Ukraine unfolded last year, Russia’s best digital spies turned to new tools to fight an enemy on another front: those inside its own borders who opposed the war.
To aid an internal crackdown, Russian authorities had amassed an arsenal of technologies to track the online lives of citizens. After it invaded Ukraine, its demand grew for more surveillance tools. That helped stoke a cottage industry of tech contractors, which built products that have become a powerful — and novel — means of digital surveillance.
The technologies have given the police and Russia’s Federal Security Service, better known as the F.S.B., access to a buffet of snooping capabilities focused on the day-to-day use of phones and websites.
President Vladimir V. Putin is leaning more on technology to wield political power as Russia faces military setbacks in Ukraine, bruising economic sanctions and leadership challenges after an uprising...
The effort has fed the coffers of a constellation of relatively unknown Russian technology firms. Many are owned by Citadel Group, a business once partially controlled by Alisher Usmanov, who was a target of European Union sanctions as one of Mr. Putin’s “favorite oligarchs.” Some of the companies are trying to expand overseas, raising the risk that the technologies do not remain inside Russia.
The firms — with names like MFI Soft, VAS Experts and Protei — generally got their start building pieces of Russia’s invasive telecom wiretapping system before producing more advanced tools for the country’s intelligence services.
Simple-to-use software that plugs directly into the telecommunications infrastructure now provides a Swiss Army knife of spying possibilities, according to the documents, which include engineering schematics, emails and screenshots.
These technologies complement other Russian efforts to shape public opinion and stifle dissent, like a propaganda blitz on state media, more robust internet censorship and new efforts to collect data on citizens and encourage them to report social media posts that undermine the war.
The authorities are “essentially incubating a new cohort of Russian companies that have sprung up as a result of the state’s repressive interests,” said Adrian Shahbaz, a vice president of research and analysis at the pro-democracy advocacy group Freedom House...
Beyond the ‘Wiretap Market’
Over the past two decades, Russian leaders struggled to control the internet. To remedy that, they ordered up systems to eavesdrop on phone calls and unencrypted text messages. Then they demanded that providers of internet services store records of all internet traffic.
The expanding program — formally known as the System for Operative Investigative Activities, or SORM — was an imperfect means of surveillance. Russia’s telecom providers often incompletely installed and updated the technologies, meaning the system did not always work properly. The volume of data pouring in could be overwhelming and unusable.
At first, the technology was used against political rivals like supporters of Aleksei A. Navalny, the jailed opposition leader. Demand for the tools increased after the invasion of Ukraine, digital rights experts said. Russian authorities turned to local tech companies that built the old surveillance systems and asked for more.
The push benefited companies like Citadel, which had bought many of Russia’s biggest makers of digital wiretapping equipment and controls about 60 to 80 percent of the market for telecommunications monitoring technology, according to the U.S. State Department.
“Sectors connected to the military and communications are getting a lot of funding right now as they adapt to new demands,” said Ksenia Ermoshina, a senior researcher who studies Russian surveillance companies with Citizen Lab...
The new technologies give Russia’s security services a granular view of the internet. A tracking system from one Citadel subsidiary, MFI Soft, helps display information about telecom subscribers, along with statistical breakdowns of their internet traffic, on a specialized control panel for use by regional F.S.B. officers, according to one chart.
Another MFI Soft tool, NetBeholder, can map the locations of two phones over the course of the day to discern whether they simultaneously ran into each other, indicating a potential meeting between people.
A different feature, which uses location tracking to check whether several phones are frequently in the same area, deduces whether someone might be using two or more phones. With full access to telecom network subscriber information, NetBeholder’s system can also pinpoint the region in Russia each user is from or what country a foreigner comes from.
Protei, another company, offers products that provide voice-to-text transcription for intercepted phone calls and tools for identifying “suspicious behavior,” according to one document.
Citadel and Protei did not respond to requests for comment. A spokesman for Mr. Usmanov said he “has not participated in any management decisions for several years” involving the parent company, called USM, that owned Citadel until 2022. The spokesman said Mr. Usmanov owns 49 percent of USM, which sold Citadel because surveillance technology was never within the firm’s “sphere of interest.”
VAS Experts said the need for its tools had “increased due to the complex geopolitical situation” and volume of threats inside Russia. It said it “develops telecom products which include tools for lawful interception and which are used by F.S.B. officers who fight against terrorism,”...
No Way to Mask
As the authorities have clamped down, some citizens have turned to encrypted messaging apps to communicate. Yet security services have also found a way to track those conversations, according to files reviewed by The Times.
One feature of NetBeholder harnesses a technique known as deep-packet inspection, which is used by telecom service providers to analyze where their traffic is going. Akin to mapping the currents of water in a stream, the software cannot intercept the contents of messages but can identify what data is flowing where.
The new tools have alarmed security experts and the makers of the encrypted services. While many knew such products were theoretically possible, it was not known that they were now being made by Russian contractors, security experts said.
Some of the encrypted app tools and other surveillance technologies have begun spreading beyond Russia. Marketing documents show efforts to sell the products in Eastern Europe and Central Asia, as well as Africa, the Middle East and South America.
For the makers of Signal, Telegram and WhatsApp, there are few defenses against such tracking. That’s because the authorities are capturing data from internet service providers with a bird’s-eye view of the network. Encryption can mask the specific messages being shared, but cannot block the record of the exchange.
“Signal wasn’t designed to hide the fact that you’re using Signal from your own internet service provider,” Meredith Whittaker, the president of the Signal Foundation, said in a statement. She called for people worried about such tracking to use a feature that sends traffic through a different server to obfuscate its origin and destination.
In a statement, Telegram, which does not use end-to-end encryption on all messages by default, also said nothing could be done to mask traffic going to and from the chat apps, but said people could use features it had created to make Telegram traffic harder to identify and follow. WhatsApp said in a statement that the surveillance tools were a “pressing threat to people’s privacy globally” and that it would continue protecting private conversations.
The new tools will likely shift the best practices of those who wish to disguise their online behavior. In Russia, the existence of a digital exchange between a suspicious person and someone else can trigger a deeper investigation or even arrest, people familiar with the process said.