Get the latest updates as we post them — right on your browser

. Last Updated: 07/27/2016

State Snoops on Coded Data

The networks are abuzz with outrage at a remarkable new presidential decree on data encryption that appears to return to the KGB of old its right to snoop on anyone sending any form of electronic data.

In blunt terms, Decree No. 334 issued April 3 declares illegal any encryption software or hardware device not approved by the Federal Agency for Governmental Communications and Information, or FAPSI. This organization was formerly a department of the KGB.

The edict gives no indication as to what methods of encryption (if any) are authorized by FAPSI. Nevertheless it immediately instructs all commercial banks to conform to the decree in their dealings with the Central Bank and instructs the Customs Committee to ban the import of "encryption facilities" that lack a FAPSI-approved licence.

Data encryption is any method that renders data not readily readable. Broadly defined, this can include simple archiving programs, or even the password protection software used on computer networks. As a matter of course, most users sending binary files by e-mail will use a simple encryption program.

At its most sophisticated, encryption is the elaborate encoding of data that makes it impossible to decode if intercepted or stolen. It is still not possible for products of this nature to be exported from the United States to Russia (or anywhere else in Europe).

If this decree is enforced it raises some very unpleasant questions. FAPSI seeks to control the approval of all encryption equipment used in Russia in the name of national security and what the decree describes as "intensifying the struggle against organized crime."

There appears little logic in this claim since if criminals really wanted to transmit encoded data they would need to be very stupid if they used an officially endorsed method to do it. Who sends a coded message in the knowledge that the enemy has already broken the code?

What the decree does not mention is any procedure to prevent the possible "backdoor" decryption (or decoding) of data by the law-enforcement bodies themselves. There are many cases of government data falling into the hands of criminals. If FAPSI wishes to have access to any data transmitted in Russia this could mean that this information might not only be watched over by the government but could fall into the hands of criminals.

Under these conditions many of us should start to feel uncomfortable about Decree No. 334.

Every commercial bank must file regular reports to the Central Bank of Russia as well as transmit very large amounts of data in the course of its daily business. If enforced, no Russian bank would be able to guarantee its customers confidentially of their account information.

Providers of electronic mail and data-communications services would likewise not be able to guarantee any customer the confidentially of the data they send.

Under these conditions no on-line service in Russia would be able to be involved in any kind of financial transaction.

There have been a thousand articles like this one on different Russian laws but, as everyone knows, life always goes on regardless. Draconian measures are usually followed by panic, confusion, reflection and then avoidance.

However, in this case the very existence of the decree is problematic for some companies. There are now a reasonable number of major software companies involved in development work in Russia.

The situation is sensitive since the 1993 Law on Intellectual Property in Russia is still virtually impossible to enforce. Should your work get into the wrong hands there is not a lot you can do about it.

This decree sends a signal to the world computer software industry that the Russian government now plans to make the protection of a company's own intellectual property its business.

Given the KGB's history of respect for intellectual property, FAPSI in this role is like a fox in charge of a chicken coop.

Robert Farish is the editor of Computer Business Russia fax: 198-62-07, Internet e-mail: