Several months ago, the FSB sent a request to Yandex to provide keys for decrypting data from users of the Yandex.Mail and Yandex.Disk services, told RBC a source in the IT market and a source close to Yandex. Both interlocutors of RBC claim that over the past time, Yandex has not provided keys to the special service, although according to the law, no more than ten days are given to this. Earlier, due to the refusal to share the keys in Russia, the Telegram messenger was blocked by a court decision.
Why “Yandex” is not ready to transfer the keys and how it will turn out for the company, RBC understood.
Why the FSB demanded keys from “Yandex”
Yandex.Mail and Yandex.Disk are located in the register of information dissemination organizers (ORIs), that is, Internet sites where users can exchange messages. According to the so-called law of Spring, from July 20, 2016, the Center for Operational and Technical Events of the FSB may require any service from the ORI registry to transmit to it “the information necessary to decode received, transmitted, delivered and (or) processed electronic messages of Internet users”.
The FSB did not respond to a request from RBC. In the case of Telegram, which was blocked in April 2018, law enforcement agencies wanted to get the keys to decipher the correspondence of users who were suspected of organizing terrorist acts in the St. Petersburg metro. In turn, Telegram founder Pavel Durov refused to transmit information, motivating it with privacy protection and privacy policy.
What answered "Yandex"
The representative of the press service of "Yandex" told RBC that the company "works in full accordance with the current legislation." He refused to answer questions about whether Yandex really received a request from the FSB to provide encryption keys and did not transfer them.
According to a source of RBC in the IT market, at Yandex, they believe that the FSB interprets the provision of the “Spring law” too widely. “The special service requires the company to provide session keys, which, in fact, give access not only, for example, to messages in the mail, but also allow you to analyze all traffic from users to the Yandex-based services in the RID registry. Not to mention that decrypting all traffic during a user session carries significant security risks, ”he says. Information about the fact that the FSB requires session keys from the company was confirmed by the second interlocutor of RBC, who is close to an Internet holding.
The session key is an encryption key that is used only for one connection between the user and the server, that is, one session, Leonid Evdokimov, a former developer of The Tor Project, explained. “In the case of Yandex.Mail, it is generated when the user first enters the mail.yandex.ru page, and stops its operation depending on the settings after a while, after the user either closes the Yandex.Mail tab “Either close the browser completely or turn off the computer,” he says. This key encrypts not only user messages, but also all metadata (when, who, from what IP address entered the account, etc.), as well as the username and password that the user sends to Yandex servers during the authorization process. "Therefore, the transfer of the session key of a user to special services may allow them to acquire the username and password from the user’s mailbox," says Evdokimov. He agrees with the thesis of the interlocutor of RBC about a possible reduction in the level of security in case of decryption of user traffic. “The very idea of a session key is that it is not saved. This ensures the security of data transmission, since in the case of their interception the attacker will not be able to decipher them. In this sense, storing and transferring session keys creates certain risks, ”he noted.
Cisco Systems information security consultant Alexey Lukatsky confirms that “the session key in any case encrypts the username and password that the user sends to the server during the authorization process, so that the transfer of such a key to the FSB can give access to the user's authentication data.” He pointed out that Yandex uses the Single Sign-On system, in which, after logging in to Yandex.Mail, you can switch to Yandex.Music, Yandex.Disk and any other service without re-authentication. “The encryption key when switching to different services should be your own, but if this is not the case, then this is an architectural problem that can open access to data in different Yandex services. Then it is not safe to transfer the session key, of course, ”argues Lukatsky.
Leonid Evdokimov believes that session keys not only allow access to data, but also analyze user behavior itself. For example, in Yandex.Disk, having seized a session key, you can see who downloaded what data, he noted.
According to the interlocutor of RBC, close to Yandex, the company is concerned that cooperation with the FSB may lead to an outflow of users, loss of market share and, as a result, substantial monetary losses. “Foreign companies, such as Google, the FSB does not force such cooperation, so Yandex sees a threat to its competitive position here,” he says.
What threatens "Yandex" failure
Failure to provide encryption keys within the prescribed period is a violation of the current Administrative Offenses Code. According to the law, the FSB must draw up a report on an administrative offense and, if the court finds “Yandex” guilty under Article 13.31 of the Administrative Code, can impose a fine of up to 1 million rubles to the company, explained Sarkis Darbinyan, partner of the Center for Digital Rights.
According to him, if the company does not provide encryption keys after that, Roskomnadzor will issue an order for it to eliminate the violation, the execution of which is given for at least 15 days. “In case of non-fulfillment of the prescription, Roskomnadzor, in theory, may apply to the court with a demand to block services on the territory of Russia, the encryption keys from which they refuse to provide. In any case, such a procedure was used in the story of Telegram blocking, while the law does not directly indicate the powers of Roskomnadzor and the FSB in this situation, ”says Darbinyan.
However, he considers unlikely the development of events to block Yandex’s services in Russia, as was the case with Telegram. “Rather, they will bargain for a long time and eventually come to some kind of compromise. The state has a strong lever here. If Yandex doesn’t go on a dialogue at all, I admit that for the purpose of intimidation, they can restrict access to its services for a day or two - and this will immediately lead to large losses for the company. But it will be just a nightmare if the secret services start blocking the services of the largest Russian Internet company on an ongoing basis, ”says Sarkis Darbinyan.
According to SimilarWeb, the number of visits to Yandex.Mail in April 2019 was 432 million, and Yandex.Disk reached 27.32 million.
According to the law “On operational investigative activities”, the FSB has for many years been able to access telephone conversations of citizens or request correspondence from Internet companies, but for this it needs to receive a court order. According to the Judicial Department at the Supreme Court of Russia, in 2018, the Russian courts granted 828.5 thousand applications of law enforcement agencies to restrict the constitutional rights of citizens to privacy of correspondence and control their telephone conversations. Another 6.6 thousand such requests were rejected.
“Obtaining encryption keys and subsequent access to the correspondence for the FSB is a more convenient scheme than going to court, asking for a resolution and only then requesting the correspondence, as it worked before. I see no logical and understandable reasons, except for a possible reduction in the speed of information exchange (that is, no need to wait for a court order) and potential interception of sessions to extract data and other actions to bypass standard procedures, ”Leonid Evdokimov said.
Who else may require encryption keys
The ORI registry currently includes more than 170 services, including Tinder, VKontakte, Odnoklassniki, BlaBlaCar, Badoo, Vimeo, etc. At any of these services, the FSB may at some point require you to provide keys for decrypting user correspondence .
Interlocutors RBC is worried about the inclusion of the Sberbank Online service in the ORI registry in January 2019, which is a remote banking service system for Sberbank customers.
The inclusion of Sberbank Online in the ORI registry looks rather strange, although it is understandable from the point of view of legislation, explains Alexey Lukatsky. Much depends on how the functions of protecting financial transactions and the built-in messenger are separated in this service, because of which, in fact, the service got into the Roskomnadzor registry. “If they are encrypted with different keys, then everything is more or less in order. If not, the transfer of encryption keys from such a “sensitive” service is legally understandable, but from a security point of view, a very dubious decision, ”the RBC source said. The representative of the press service of Sberbank declined to comment.