The Russian government introduces new rules for the use of instant messengers. Now only the person to whom the phone number linked to the service is registered will be able to use the account. This is stated in the message of the Cabinet, published on the official Internet portal of legal information.
The new order will come into force in 180 days. The head of Roskomnadzor, Alexander Zharov, in a commentary to Izvestia, said that this is necessary to create a safe communication environment for citizens.
“The possibility of anonymous communication in messengers complicates the activities of law enforcement agencies in the investigation of crimes,” Zharov emphasized.
According to him, now messenger administrators will check whether the user's phone number is really registered to the one who is in correspondence. The mobile operator has 20 minutes to respond. If the user's data matches the information in the company's database, identification will be considered passed. Otherwise, the service should refuse to provide the service.
In addition, mobile companies will be required to assign users a unique identification code, which will be automatically generated by the messenger. The press service of MTS told the publication that the operators would have to carry out technical improvements, since now the equipment does not meet the stated requirements. But the answer to a request from a messenger within 20 minutes, in theory, is feasible.
Why is it important
- On January 1, 2018, a law came into force in Russia obliging messengers to identify users by subscriber number. At the same time, after the entry into force of the law, the media wrote that it was not being implemented, since there were no by-laws prescribing the rules for identifying users.
- For violation of the law on the prohibition of anonymity in messengers for legal entities, fines of up to 1 million rubles are provided.
Roskomnadzor added BlackBerry Messenger (BBM), LINE, Imo.im messengers and Vchat audiovisual chat to the register of banned sites, Roskomsvoboda reported. The registry includes the portals of these messengers and a number of their IP addresses.
In Russia, access will be limited not only to the sites of these messengers, but also to their applications - they will be removed from application stores or blocked by telecom operators, said Vadim Ampelonsky, a representative of Roskomnadzor.
Blocking a mobile application along with a resource website is a simple task, says a person close to one of the operators, as a rule, modern applications access specific resources, blocking which blocks applications too. The regulator has experience in excluding a blocked resource from the Google and Apple stores. In January, the AppStore and Google Play removed the blocked LinkedIn app from their Russian stores.
The law obliges the organizers of the dissemination of information (including messengers) to provide, at the request of Roskomnadzor, their contact details necessary for entering into the relevant register, Ampelonsky explains: “Those who do not respond are blocked – in full accordance with the law.” To be included in the list of information organizers, the regulator asks the company to provide data about itself (not about users), says Ampelonsky, but does not disclose what kind of data it is.
From the moment the request is received, the company has five days to respond, he continues, if no response is received, the agency sends a notice of failure to fulfill the obligations of the organizer of the dissemination of information, the company is given 15 days to correct. Next comes blocking. What other messengers Roskomnadzor contacted, Ampelonsky did not say.
Amendments to the law "On information, information technologies and information protection" from January 1, 2017 oblige the organizers of the dissemination of information on the Internet to store in the territory of the Russian Federation information about the facts of receiving, transmitting, delivering and (or) processing voice information, written text, images , sounds, videos or other electronic messages of users and information about these users during the year, and the content itself - up to six months. Services are also required to provide this content at the request of the federal executive authorities and provide them with the ability to decode information.
In April, Roskomnadzor was the first to block Zello, an app for exchanging short voice messages. The company also did not provide information for inclusion in the register on time.
Blocked messengers are not among the popular ones in Russia (see chart). It is possible that this demonstrative entry into the register of messengers that are not the most popular in Russia, but well-known in the world, is necessary in order to force the more popular among the Russian audience and intractable, primarily Telegram, to cooperate, says Artem Kozlyuk, head of Roskomsvoboda. Telegram owner Pavel Durov has repeatedly stated that he has not cooperated and is not going to cooperate with the special services of either Russia or other countries. “But we will learn about this only after the fact that this messenger is entered into one of the two registers: the organizers of the dissemination of information with all the ensuing obligations to collect user data and provide it to the competent authorities or to the register of prohibited sites - under blocking. So far, apparently, the regulators are deciding how to put pressure on Pavel, ”says Kozlyuk.
It is paradoxical, but true: with all the variety of instant messengers, you usually don’t have to choose them - people just use the same things that their friends and acquaintances use. But what if secrecy is really important? In this article, we will go through the list of modern messengers and see what protection guarantees each of them has.
Recently, there was a poll on "Hacker" "", and the most popular answer (Telegram) was seriously alarming. How far has it gone if even the average Hacker reader has already lost touch with reality after the marketing headcrab attack (pictured)?
We have compiled a list of messengers to see how each of them is doing with security. The selection includes both popular and promising programs in terms of security. We warn you that we will delve into the technical side as much as necessary for the average user, no further.
In many ways, we repeated the path of the authors of a series of articles by the Electronic Frontier Foundation called Secure Messaging Scorecard, but chose other criteria - in our opinion, more important ones.
Criteria
FOSS
Is the source code of the messenger distributed under the terms of one of the free licenses? If yes, is it open source development? How closely do developers interact with the community? Are pull requests accepted? All this is important to consider when choosing.
Degree of centralization
One of three options is possible here:
Possibility of anonymous registration and use
For some services, the phone may be needed only to protect against spam during registration, therefore, it is very easy to use the services of renting numbers for SMS.
In other cases, the messenger is tightly tied to the phone. This is bad because if two-factor authentication is not enabled, then when you gain access to this number, you can log into your account and merge all the data. But even if two-factor is enabled, it still remains possible to delete all data from the account. And of course, this is, consider, registration with a passport (we use the realities of the Russian Federation, no others were brought in).
But it is not all that bad. There are instant messengers that allow you to register using a mailbox or a social network account. There are also those where an account can be created in the messenger itself without being tied to something.
Availability of End-to-End Encryption (E2EE)
Some messengers have this feature by default, others can enable it, but there are also those where there is simply no end-to-end encryption.
Synchronization of E2EE chats
Again, this feature is not yet found as often as we would like. Its presence greatly simplifies life.
E2EE Fingerprint Validation Notice
When starting E2EE chats, some messengers offer to check the fingerprints of the interlocutors, others do not offer this openly. But not all messengers have a fingerprint verification function.
Prevent taking a screenshot of a secret chat
Not the most useful feature, because to bypass the ban it is enough, for example, to have a second phone at hand.
Group E2EE Chats
E2EE group chats are usually not a necessary feature, but quite handy. The rule "more than two - speak out loud" should be left for children.
E2EE Fingerprint Verification Notice in Group Chats
When adding a new interlocutor with whom fingerprints have not been verified to a secret group chat, not all messengers offer to check his fingerprints. Because of this omission, the meaning of secret chats is lost.
Protecting the Social Graph
Some instant messengers collect information about the user's contacts and other data, for example, who the user called, how long he talked. There are on this topic.
www
We have selected only a part of the criteria that can play a role in choosing a messenger. There are others, but they are not always security related. A group of scientists from European universities put everything into order in Obstacles to the Adoption of Secure Communication Tools (PDF). It is also always useful to get acquainted with the results of an independent audit, if any. For example, in the case of Signal, such an audit was carried out (PDF).
Telegram
License: formally - GPLv3. However, an important part of the development is closed. If you look at the repositories, you can see that recently there has been some movement only in the web version. Alas, in this form it is rather an illusion of openness
Degree of centralization: centralized
No
Availability of E2EE: implemented, but as an addition. Chats are not encrypted by default.
Synchronization of E2EE chats: no. Secret Chat can only be used from one device, it will not be available from another device
no. Users can go to the settings themselves to compare prints
Yes, but it doesn't work on all devices
E2EE group chats: No
Social graph protection: No
The messenger, created by the team of Pavel Durov, is based on the MTProto correspondence encryption technology. At the moment, it is partially blocked on the territory of Russia, but this blocking is a separate topic for conversation.
Messenger is ambiguous. There is a lot of noise around him, but is he justified? There is no access to the sources, chats are not encrypted by default, there is no social graph protection (all your contacts are stored on Telegram servers), there are no group E2EE chats, E2EE chats are not supported in the desktop version of the program, only in the mobile version, the messenger is centralized, messages are stored on the server (and, as already noted, they are not encrypted), and with all this there is no possibility of anonymous registration.
If you want to use Telegram, don't forget to create secret chats to protect your correspondence. In the mobile version, for this you need to select the New Secret Chat command. Of the desktop versions, only a few support secret chats (for example, one of the two clients for macOS).
In a secret chat, messages are encrypted and are not stored on the messenger's servers. You also cannot take a screenshot of a secret chat, but nothing prevents you from taking a screenshot of such a chat.
signal
License: AGPLv3
Degree of centralization: centralized
Possibility of anonymous registration and work: no. Other than a phone number, there are no other options
Availability of E2EE: there is
Synchronization of E2EE chats: there is
E2EE Fingerprint Verification Notice: no. Users are prompted to scan QR codes from each other or compare fingerprints
Disable screenshots of secret chats: can be turned on or off
E2EE group chats: there is
E2EE Fingerprint Verification Notice in Group Chats: No
Social graph protection: there is
The Signal messenger was developed by the American startup Open Whisper Systems, where, apart from the two founders, only a few people work. To encrypt messages, a cryptographic protocol created specifically for it is used - Signal Protocol. It is used for end-to-end encryption of calls (voice and video), as well as regular messages. The Signal protocol has since been used by other messengers: WhatsApp, Facebook Messenger, Google Allo.
It would seem that in this case, any messenger can become as secure as Signal. But, as practice shows, no. Unlike Signal, where encryption is enabled by default, these messengers have it disabled. To enable it in Facebook Messenger, you need to activate Secret Conversations, and in Google Allo - Incognito Mode.
Although Signal is centralized, the code is open and distributed under a free license. Signal has support for E2EE group chats, social graph protection, and timed disappearing messages support.
However, do not confuse protection with anonymity. Signal is not anonymous: when registering, you must specify the phone number to which the messenger is linked. As for disappearing messages, this feature is also found in other instant messengers, for example, in Viber and Telegram (in the secret chat menu, you need to select the Set self-destruct timer command).
From January 1, 2018, new rules for the use of instant messengers will come into effect. All users will be required to provide their mobile phone number when registering and working with any programs that have the ability to exchange messages. These are the requirements of the Federal Law "On Information, Information Technologies and Information Protection". The initiators of the amendments were the deputies of three factions at once - "United Russia", "Fair Russia" and the Communist Party.
According to these changes, instant messengers will now have to:
Identify your users (that is, in fact, prohibit anonymous users from using services)
Disseminate publicly important information by decision of the authorities
Our main goal is to protect citizens, given the current situation, - says Marina Mukabenova, State Duma deputy from United Russia. – Terrorist groups can appear in such messengers and spam attacks can be carried out.
Messengers will have to block messages advertising terrorism, drugs and child pornography. And at the request of the authorities, disseminate socially significant information, for example, reports from the Ministry of Emergency Situations about an emergency worsening of the weather.
What will change for users
Now you can register in the services by e-mail address. That is, in fact, impersonal. But many instant messengers have already introduced authorization via SMS. From time to time, companies check if the user has changed their phone number - the user is prompted to enter their current number. After that, he receives an SMS with a confirmation code or link. From January 1, this authorization will become the rule for everyone.
Only users identified on the basis of the subscriber number and the corresponding agreement will be able to send instant messages, - explained Russian Prosecutor General Yuri Chaika.
Why is it for the state? To obtain, upon request, the personal data of a user against whom, for example, an investigation is being carried out.
What problems are possible
1. "Messenger" is a vague concept. Technically, this definition - "information and communication service" - includes not only Telegram and others, but also chats on websites (for example, with an online consultant) and in games. It seems that Roskomnadzor will decide who is subject to the ban - according to its instructions, companies will have to bring their services in line with the new requirements.
2. A SIM card can be issued to "left" people.
A lot of SIM cards are sold “in the black,” Roman Romachev, the general director of the R-techno business intelligence agency, gives an example. - In any market, you can buy a phone number that is registered to a legal entity. And the police aren't doing much about it yet. This business must be stopped, otherwise the terrorists will bypass the ban.
In addition, scammers can also use "dead souls" - issue a SIM card for the person who will never use it (for example, for a lonely old woman in the outback or for a homeless person).
3. Change account when moving?
Even legal users can have problems.
Binding to a phone number is a rudiment, - Evgeny Chereshnev, CEO of Biolink, is sure. - Firstly, the number is tied to the region - and these are additional problems with identification when moving. Secondly, it makes no sense for real criminals to use popular instant messengers - using open source technologies, anyone can create their own chat (meaning their own messenger - Ed.). Thirdly, it is not known what to do for foreigners who do not have Russian SIM cards and whose data is unknown to our operators. There is also a problem with the termination of numbers, when the number is not used for a long time, and it is transferred to a new owner. Having bought a new SIM card, the owner can receive along with it the entire load of accounts issued for it. Therefore, such black situations arise when, for example, an already deceased person “shines” online in the messenger.
4. You can make a "dummy" number.
Today there are many services that allow you to create virtual phone numbers. You can even create a number for just 10 minutes, after which it will be destroyed. But this time is enough for any intruders to send a lot of messages.
It is possible, of course, to oblige these services to report to the state, to transfer all data about each user. And if these are not Russian companies? Here already there is a mass of additional complexities.
5. This is not a panacea for drug dealers and terrorists.
Messengers themselves, for example, the same Viber and Telegram, cannot read the correspondence of users and track if there is something about drugs and terrorism.
There are two communication modes: regular chats using client-server encryption, and secret chats using end-to-end encryption and protected from man-in-the-middle attacks, Telegram explains. – In regular chats, messages are encrypted on the sender's side, pass through the server encrypted, and are decrypted on the recipient's side. That is, Telegram experts see that two people are communicating, but they do not know what these messages are about. In the secret chats mode, there is an additional option - visual keys that display encryption codes. Users can compare them and make sure that no one intercepted their correspondence. In such chats, messages cannot be forwarded, they are stored only on the devices themselves, and are deleted from them after a certain time.
Who will be punished and how
Fine for individuals - from 3 to 5 thousand rubles
Officials - from 30 to 50 thousand
Legal entities - from 800 thousand to 1 million rubles.
Messengers can be blocked - temporarily, until the violations are eliminated, or "for life".
But it makes no sense for large services to change encryption algorithms for the sake of Russian users. According to experts, the Russian audience of the same WhatsApp is no more than 2%. So it may be easier for companies to leave the Russian market than to change code and equipment for the sake of lawmaking frills.
SAID
“The level of Telegram’s cooperation with the authorities does not depend on jurisdiction and is built on the same principles everywhere. Unlike their Russian counterparts, Indonesian government services did not require us to access personal correspondence.
Throughout the world, including Russia, Telegram processes requests to remove publicly available illegal content containing terrorist propaganda, child pornography, etc. However, in no country do we release users' personal data to government authorities.
While a significant proportion of Telegram's audience comes from more conservative countries than Russia, only in Russia has Telegram been fined for failing to provide message encryption keys. This is the only such precedent in the 4 years of Telegram's operation in the global market."
HOW DO THEM
Mandatory identification works in other countries of the world as well. For example, in China, users of local microblogging are required to indicate their state identification numbers when registering. International services, such as Facebook or WhatsApp, are formally banned, but work there only through anonymizing applications. But since June 2017, a law has come into force in China that prohibits them as well.
There is a similar ban on anonymity on the Internet in Sweden. The local government introduced it back in 2011.
But the United States and Germany, on the contrary, defend the right to anonymity - at the level of litigation.
BY THE WAY
The head of Roskomnadzor said that anonymity on the Internet does not exist
The head of Roskomnadzor, Alexander Zharov, said that there is no anonymity on the Internet. According to him, modern technologies make it possible to identify a person by various direct and indirect identifiers: voice, face, online behavior, regularly visited resources and geolocation ()
Image caption Far from all messengers go to cooperate with Russian special services, but this puts them at risk of blocking
The Russian government has banned Internet messengers from disclosing any information about interaction with special services. Users of messengers that comply with Russian law will never know how often these services satisfy the curiosity of the FSB.
Messenger administrations (in the current law they are called the organizers of the dissemination of information on the Internet, ORI) must ensure "non-disclosure of any information about specific facts and the content of such interaction to third parties," follows from the text of a government decree dated January 18. The document was published on the official portal of legal information on Monday, January 22.
To transfer user data to special services, messengers must install special software and hardware. What exactly is not specified. By its decree, the Russian government forbade placing these funds outside the country.
The resolution directly concerns instant messengers that are registered in the Roskomnadzor's ORI registry. Among them are Telegram, Agent Mail.ru, Chinese WeChat, Russian social networks VKontakte and Odnoklassniki.
Not allowed to be transparent
International IT companies report on intelligence agencies' appeals in transparency reports published twice a year. So, the latest Facebook report refers to the second half of 2016, reports from Google, Twitter and Microsoft - to the first half of 2017. The Russian social networks VKontakte and Odnoklassniki do not publish transparency reports and refuse to provide them upon request.
The government has not determined the punishment for disclosing information about interaction with special services, said Daryana Gryaznova, a lawyer for the human rights group "Team 29".
"If the ORI refuses to comply with these requirements, there are formally no structures for which it can be held accountable - the Administrative Code establishes liability for the disclosure of information, access to which is limited by federal law, as well as for failure to fulfill the duties assigned by federal law (and here by-law act)," the lawyer said.
Gryaznova recalls that, in accordance with the law on operational-search activities, information about the forces, means, sources, methods, plans and results of such activities is a state secret.
"There is only one meaning - if the internal affairs bodies, the Federal Security Service and other bodies that carry out operational-search activities decide to read your correspondence, they will do it, and now they want to force representatives of instant messengers not to inform anyone about this," the lawyer sums up.
The government decree completely closes the transparency of law enforcement and any public control, says partner of the Center for Digital Rights, lawyer in the field of cyber law Sargis Darbinyan.
"Projects such as Ranking Digital Rights examine the reports of large IT companies and rank them based on the level of transparency. Judging by the position of the government, the work of such projects in Russia will be impossible, and the whole process will take place behind closed doors. This can be extremely bad affect the digital rights of Russian users," the expert believes.
Messengers must...
The Russian law on messengers came into force on January 1, 2018. According to it, messengers are required to identify users by phone number.
The law obliges messengers to provide the ability to send electronic messages at the initiative of the authorities, as well as to limit the transmission of messages that contain "illegal information." If the messenger fails to comply with these requirements, the law allows telecom operators to close access to the service by a court decision.
For violations of the law, messengers can be fined up to 1 million rubles.
