8 декабря 2023

The OID register — a surveillance database

НАСТОЯЩИЙ МАТЕРИАЛ (ИНФОРМАЦИЯ) ПРОИЗВЕДЕН, РАСПРОСТРАНЕН И (ИЛИ) НАПРАВЛЕН ИНОСТРАННЫМ АГЕНТОМ «РОСКОМСВОБОДА» ЛИБО КАСАЕТСЯ ДЕЯТЕЛЬНОСТИ ИНОСТРАННОГО АГЕНТА «РОСКОМСВОБОДА». 18+
How it works and what data it collects.

What’s an OID?

An OID is an organizer of information dissemination. According to legislation, the definition encompasses any internet resource designed to receive, transmit, deliver and/or process electronic messages from Internet users.

In practice, the concept of an OID is interpreted quite broadly to include any websites with methods of bilateral user-administrator communication (e.g., reviews, newsletter subscriptions, comments). As a result, social networks, websites, messengers, file-sharing platforms, dating sites, food delivery services, taxi services, media outlets (if they have a commenting function), and even mailing services can all be classified as OIDs. All OIDs are listed in the OID register.

Here at Roskomsvoboda, we conduct open public monitoring of the websites and online services included in this register.

 

How do they end up in the OID register?

Owners of resources with a communication function must notify the authorities themselves. If the owners fail to do so, Roskomnadzor may issue a corresponding demand, which must be fulfilled within 10 days.

Whilst Roskomnadzor is charged with administering the demand, it is upon the request of a federal executive body engaged in operational and investigative activities or ensuring national security (e.g., FSB FSO, SVR), that the demand is actually created.

 

What happens if a resource isn’t submitted to the register?

In such a case, fines will be imposed in the following amounts:

-        For individuals: from 1000 to 3000 rubles

-        For officials: from 10,000 to 30,000 rubles

-        For legal entities: from 100,000 to 300,000 rubles

However, if the resource has still not been entered into the register, Roskomnadzor can issue another fine or file a lawsuit to block the site until it has been registered.

 

What must OIDs do?

OIDs are responsible for:

-        Retaining data on the transmission of messages by users for one year

-        Storing the content (texts, photos, audio) of these messages for six months

-        Providing all data to employees of the FSB upon their request

-        Decoding electronic messages if they are encrypted

The availability of constant uninterrupted access to the data must be ensured using special infrastructure that the OIDs must install at their own expense.

 

Is that why you call the OID register a “surveillance” database?

Yes, due to the collection of data and its provision to the FSB upon their request. Additionally, OIDs with built-in messengers are required to identify each user through their phone number.

 

Is it possible to log in to an OID without handing data over to the FSB?

There are fines for this too:

-        For individuals: from 3000 to 5000 rubles

-        For officials: from 30,000 to 50,000 rubles

-        For legal entities: from 800,000 to 1 million rubles

 

Is it possible to be removed from the register?

Yes. We come across such cases on a regular basis.

Exclusion from the register is legally permitted in cases of:

-        A Russian legal entity or foreign organization classified as an OID ceasing operations

-        Death of an individual entrepreneur or citizen who was classified as an OID

-        The transfer of the rights held over an information resource

-        The termination of activities which ensure the functioning of the information resource

 

What if you just remove all forms of communication between users?

This seems logical, but it doesn’t always work. The publication “Panorama” managed to get removed from the register using this method, but many others don’t succeed.

 

What is the purpose of the OID register?

The government asserts that it uses the register in its fight against crime and terrorism.

However, Roskomsvoboda’s lawyers note that the register proves useless in the fight against common crimes (robbery, assault, abuse). Typically, such crimes aren’t premeditated, meaning that their details are not discussed in advance via online correspondence. A characteristic of some violent crimes is that the intent to commit them can arise suddenly, hence there is no prior discussion among participants using OIDs in such cases.

“Those who commit crimes of recklessness cannot discuss details due to the spontaneity of the incident. And those who carefully plan intentional crimes might not do so through communication via OID services. The very existence of OIDs, SORM, and other surveillance tools, forces some criminals to become increasingly cautious and resourceful”, experts note.

According to lawyers, it could theoretically prove useful in the case of terrorists, but again, only if they communicate via these platforms and without the use of any encryption methods. “In addition, it’s necessary to determine the effectiveness criteria: is it more important to prevent criminal activity or to catch the perpetrators after the crime has been committed? If the latter, then experience shows that criminals are most often caught with the help of surveillance cameras”. It’s the correspondence from the messengers which are actually used to further investigate the crime after it’s been committed, namely to identify and locate other perpetrators.

 

What resources are currently in the register?

At the time of publication, there are currently 398 resources listed in the register. Among them are major enterprises like the social network VKontakte, Yandex and its varying services, the Mail.Ru Group holding, Rambler, liveinternet.ru, Sberbank Online, Tinkoff Bank, the portal Pikabu, Aeroflot, the automotive site Drom.ru, the domain name registrar Reg.Ru, the online dating sites Mamba and Wamba, among others.

 

Do foreign resources get included?

Yes. For example, the Swiss messenger Threema (which refused to cooperate with the FSB), file-sharing platforms Depositfiles, Turbobit, Hitfile and Wayupload, the world’s largest dating site Badoo, the web browser service Opera, video hosting platform Vimeo, the Chinese messenger WeChat, job search service HeadHunter, Huawei mailing service, encrypted mailing services Startmail and Mailbox (which were blocked for refusing to cooperate), and others.

Some foreign companies that have recently entered the surveillance register are Mega, PUBG, MediaFire and BigoTV.

 

What if Russian services also refuse to cooperate?

There have been such cases. Telegram is also included in the register but refused to provide encryption keys to the FSB, after which attempts were made to block the messenger. We all still vividly remember the outcome of the “Telegram vs. Roskomnadzor” standoff.

 

Original in Russian

Translation by Sasha Molotkova

Контакты

По общим вопросам

[email protected]

По юридическим вопросам

[email protected]

Для СМИ

Телеграм: moi_fee
Signal: moi_fee.13

18+

23 декабря 2022 года Минюст включил Роскомсвободу в реестр незарегистрированных общественных объединений, выполняющих функции иностранного агента. Мы не согласны с этим решением и обжалуем его в суде.