Russia’s surveillance expansion isn’t really about telecoms anymore — it’s about building a parallel ‘SORM’ inside every major company in the country
In late May, the newspaper Kommersant published an article reporting on the “expansion of the list of data that telecom operators are required to collect and transmit to law enforcement agencies” through SORM.
Meduza
75
6 мин чтения
0 просмотров
Why are we talking about SORM again?
In late May, the newspaper Kommersant published an article reporting on the “expansion of the list of data that telecom operators are required to collect and transmit to law enforcement agencies” through SORM.
The Sistema Operativno-Razysknykh Meropriyatiy (System for Operative Investigative Activities). It is a complex of hardware and software that gives Russia’s Federal Security Service (FSB) access to phone calls, SMS messages, internet traffic, and other data.
Physically, it takes the form of a server with a dedicated communication line that connects directly to FSB equipment. To prevent anyone from “tapping into” this line and intercepting transmitted data, the connection can be protected with a special VPN.
Journalists and the experts they consulted reached that conclusion after reviewing a recently published Digital Development Ministry order.
The story spread through the news media (Meduza included). It turns out, however, that this “expansion” won’t grant the FSB anything new about Russian telecom subscribers.
An expansion that adds nothing? How’s that possible?
Over the past few days, we looked more carefully at the Digital Development Ministry’s documents and found that telecom operators already transmit all the data journalists flagged to the FSB anyway:
passport and address data
taxpayer identification numbers (INN)
bank account details
IP addresses
domain names
login names
geolocations
organizational information
All of this can be found in another current ministry order, dated October 29, 2018, No. 573.
Why this new government order now?
The new rule goes further than traditional telecom carriers. It applies to any operator of a proprietary communications network holding its own block of IP addresses, known in networking as an autonomous system number.
An autonomous system number (ASN) is described in the order as the “unique identifier of a set of communication facilities and other technical devices” on the internet.
A regional internet registry assigns an ASN to a specific organization’s network, meaning a single organization can hold multiple autonomous system numbers. ASNs are used to route internet traffic between different networks: using its ASN, an organization announces its IP address ranges to other participants and indicates through which network those addresses can be accessed.
In addition to telecom operators, this category may include:
major IT companies (including social networks, messengers, and streaming services)
hosting providers and data centers
major corporations (like Gazprom)
banks
research institutes and universities
Russia’s 2019 “sovereign internet” law first brought these operators under FSB oversight. Amendments passed in 2023 raised the bar further, requiring companies to hold onto records of user interactions with their systems for three years.
So this new Ministry of Digital Development order basically widened the net on what data all these companies have to collect?
No. The order cannot, in this case, change the list of information transmitted to the FSB at all. That list was defined almost three years ago by a Russian government decree and has not changed since. It was approved at a higher level than any individual ministry, so the Digital Development Ministry can neither ignore it nor amend it independently.
Owners of technological communication networks are required to store and transmit for three years:
information about all paid services provided to users, and information about payment for those services
information about all user actions within the organization’s information system (such as registration, authorization, orders, and requests for reference information)
detailed information about users (from registration data to their location)
all information automatically transmitted during interaction between the organization’s information system and the user’s device (at the network protocol level)
Then it makes even less sense why the Digital Development Ministry issued this order at all!
We actually found an explanation: without the order, organizations lacked the technical procedures needed to transmit all required data to the FSB. That, at least, is the explanation set out in the summary report accompanying the draft order, published in spring 2024.
The document provides detailed specifications for server software that owners of technological communication networks are required to use in coordination with the FSB. Various intermediaries who develop and sell SORM hardware and software systems to businesses also use these specifications as a reference.
The order’s specifications are nearly identical, minor differences aside, to those in a 2023 Digital Development Ministry document on the installation of SORM equipment by hosting providers. They also match a 2026 Transportation Ministry draft order that would require freight forwarding companies to install data collection equipment.
Why would “freight forwarders” need to collect clients’ data?
We don’t know, but the requirement may be tied to the threat of wartime sabotage. Ukrainian intelligence used a long chain of intermediaries in the October 2022 bombing of the Crimean Bridge — people who said they had no knowledge of Kyiv’s plans — including Oleg Antipov, the owner of a logistics company, who was ultimately sentenced to life in prison along with other defendants in the case.
Does this mean every industry will now have to implement its own version of SORM?
Not yet. But beyond telecom operators, the following organizations now must — or will soon be required to — install their own technical systems for FSB access:
information dissemination organizers (social networks, messengers, etc.)
hosting providers
owners of technological communication networks with their own autonomous system numbers
freight forwarding companies
The same company may fall under several of these categories at once. A major social network, for example, is simultaneously considered both an information dissemination organizer and the owner of an autonomous system number. Many hosting providers and telecom operators also have their own IP address ranges.
It’s unclear whether such an organization would be required to install several different SORM systems. Based on the Digital Development Ministry’s response during discussions of the draft order, the final decision will rest with the FSB’s regional office, with which the organization must coordinate its SORM implementation plan.
Anton Nesterov, a researcher of internet censorship and mass surveillance, suggested in comments to Meduza that system duplication would most likely not occur, despite some differences in the requirements for telecom operators, hosting providers, and information dissemination organizers:
This can be handled with a software module, so they won’t install a separate box. By agreement with their [FSB] supervisor, all requirements simply need to be met.
But will everyone eventually be required to monitor their clients?
That remains unclear. The authorities may not take things to that extreme — especially since last year’s amendments to the FSB law already give the agency the power, as of April 1, 2026, to demand and obtain, at no cost, copies of any databases owned by organizations.
The only exception to this rule covers databases the FSB already receives through SORM.
Federal Security Service offices shall have the right to receive, free of charge, copies of databases (or portions thereof) belonging to organizations and containing information necessary to fulfill the obligations assigned to those offices. […] The provisions of this part shall not apply to databases accessed using equipment and software-technical means employed for the conducting by authorized state bodies — which carry out operative-investigative activities or ensure the security of the Russian Federation, in cases established by federal laws — of measures to fulfill the tasks assigned to them.
