88 comments

[ 3.2 ms ] story [ 159 ms ] thread
That's gonna be a deal breaker for global trade if after LinkedIn, FB gets banned. What remains is Google?
LinkedIn and Facebook aren't getting banned. They have the option of complying with local operating requirements (Store data about Russian residents in Russia), or not operating.

This is not a particularly draconian, onerous, or unreasonable requirement. (And is no different from that of the EU, sans safe harbour.) Other tech companies have been able to meet it.

> Companies ranging from Alphabet Inc.’s Google to Alibaba Group Holding Ltd complied

In the EU, even without the Safe Harbor, personal data was allowed to be transferred with a series of other agreements -- including explicit consent. That means that a user who didn't want their information kept in the EU, could arrange to have it stored elsewhere.

Do you know if this possibility is available in the Russian situation?

How did Google comply? There are no datacenters in Russia and it shut down the only engineering office there.

https://www.theguardian.com/world/2014/dec/12/google-closes-...

It's always possible to store your data in the Russian equivalent of AWS. (Even if your web application and its secret sauce is running out of your own data center.)
I know how Google infrastructure worked up to a couple of years ago, including user-specific storage. What you describe would be a very large undertaking across a large number of projects. Due to legal restrictions, Maps has something ad-hoc just for South Korean tiles, which is a much simpler problem. Not only it's extremely clumsy, it also adds a lot of limitations:

https://stackoverflow.com/questions/31568460/google-maps-sty...

https://www.theverge.com/tech/2013/10/13/4835026/why-google-...

The utopian period of the web is ending. The future web will be much more balkanized and militarized. In the race between the web's competing revolutions of democratization of information vs mass surveillance and control, surveillance and control will win out as linear scaling, distributed, crowdsourced, democratic power won't be able to keep up with exponential scaling, centrally controlled, capital intensive, machine learning enhanced, mass control.
You could argue it already ended with the corporatists' "Web 2.0". And PRISM.

The only real difference now is that its entering the public's consciousness, and the ground is rife for authoritarians to present non-ideal solutions.

> You could argue it already ended with the corporatists' "Web 2.0". And PRISM.

What's more, FB and Co are to blame for these shutdowns of communication channels. Had we kept our communication decentralized governments would have a much harder time identifying communication services.

> The utopian period of the web is ending. The future web will be much more balkanized and militarized.

You could say that. I'd flip it around and say "It's amazing the world wide web has survived intact as long as it did, given the vastly different political ideologies in the world."

Quite frankly, I consider it a small miracle we're all still using the same internet that's been around over 20 years.

I absolutely think the future of the internet is regional/national versions of the internet, with limited/censored connectivity to other regions/nations. If not for political reasons, then because it's becoming too easy for nations to conduct devastating attacks on critical infrastructure without ever setting foot in the target country. [0] [1]

If you're the target of a coordinated cyber attack against your infrastructure, and the remediation choices are either a complete overhaul of your infrastructure (on a software and physical level) or disconnection from the internet, I predict many nations will choose to voluntarily disconnect themselves from the internet.

[0] https://www.wired.com/2016/03/inside-cunning-unprecedented-h...

[1] https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

Maybe we need several internets, at least if people and organisations insist on putting their critical infrastructure on there.

A critical one, with infrastructure and balkanisation and an off-switch for each region, a commercial one for people to do their online shopping and banking and whatever and an utopian one where information is free and the past still alive. Maybe the third one should be more hidden. (Just one proposed division.)

Of course there are several problem here, like how to deal with government censorship. I just think we should be open and proactive about changing the basic infastructure so we can keep the cool and still be safe even with all the cyber going on.

add: Sorry for throwaway, using a public airport computer in the middle east, don't need it connected to my account.

Interesting idea: Can there be multiple "Internets"?

Wouldn't they just be networks, then? There can only be one Internet, because of the definition of Internet!

"The global computer network providing a variety of information and communication facilities, consisting of interconnected networks using standardized communication protocols"

I have hope that general AI will be a democratizing force again.

Having something that can be taught by a human and trained with messy real world data, rather than vast data sets and specialized computer scientists, will make a huge difference.

I'd like it to general intelligence augmentation[1] so we aren't creating more agents with their own goals.

I'm not sure what the future looks like then. With my futurist monocle on you could imagine most SaaS being disrupted. You still want to send messages, but those can be encrypted and the IA manages the encryption for you, so you don't have to. Searching still seems pretty likely to be centralised although different communities might run their own if IA makes that sort of thing easy.

[1]: https://improvingautonomy.wordpress.com/2017/08/22/a-possibl... and obviously https://waitbutwhy.com/2017/04/neuralink.html

don't give up just yet... if we can get those low earth orbit satellites into place - broadcasting lte or 5g globally for anyone... it'll be pretty hard to block?
For decades, any time internet censorship came up, there was always someone who quoted John Gilmore's "The Net interprets censorship as damage and routes around it."

What happened? Did you all give up? Is the utopia really over? You're just gonna let it fall into disrepair and die?

Back in the day, when utopia was being built, they designed things to be decentralized and self hosted. Like smtp, nntp, ldap. Think about that when you complain about Facebook (glorified, centralized ldap) being blocked.

Does Russia even have laws?
This is probably just Russian auditors starting to actually look at big companies' implementations of 242-FZ. There was precious little guidance given on exactly what a kosher implementation would be, so devs pms and lawyers just get together and make a good faith effort at it.

Best guess from me is that auditors are disagreeing with that first round good faith effort from Facebook.

My guess at the original purpose of 242 fz: This has absolutely nothing to do with the balkanization of the web, and everything to do with Russian law enforcement wanting a physical location they can easily roll into with a warrant. Nothing else really made sense to me at the time.

Source: worked at big company on 242 fz compliance when it was about to hit.

Edit: I remembered the ordering of number-letter incorrectly

There was precious little guidance given on exactly what a kosher implementation would be, so devs pms and lawyers just get together and make a good faith effort at it.

I imagine that in Russia and similar countries, lack of guidance is by design. If you don't tow the FSB line, don't pay the bribes or if someone else wants your business, you've broken the law by not implementing federal law zxy52n.

Edit: USA places a gazillion requirements for businesses (especially banks all over the world) so what Russia is doing is nothing extraordinary, on itself. They have their own FB so I doubt they'll miss much even if FB was banned tomorrow.

Well to be fair, even the US doesn't always given an abundance of guidance on everything. For a random example, up until irs notice 2014-54, it was a bit shady exactly how you could get away with roth ira backdoor from your 401k.

I lack enough info and context to say where this particular law lies.

True, but the idea is that in USA eventually you can go to an independent court and sort it out. or the agency will explain it more--something that applies to everyone.
You say that is the idea. It is indeed an idea.

Is it the reality?

large companies absolutely do take the government to court. Smaller ones, maybe, if ACLU etc help them.

But yeah, any problem can be solved in court by an non-corruptible judge. If he isn't then the appeals court is

Provided you're rich enough to bankroll the judiciary action and the adverserial shakedowns. Which would also typically mean you don't care that much about the outcome of the trial, if you've got that much cash to throw around.
Yes, but in the USA you don't have to be an oligarch. Even double-digit millionaires have effective access to the legal system.
It didn't keep Shkreli out of trouble though.
Well he did break quite a few laws and was an ass about it. Access to courts doesn't mean to ignore the laws. And he was guilty of poking the bear or something...

If he was in Russia he would have been warned to pay Igor and to stop making fun of the regime. Given his attitude, he might have been somewhere in Siberia, pulling his hair out.

And would the world be a worse place for that...
>USA places a gazillion requirements for businesses (especially banks all over the world) so what Russia is doing is nothing extraordinary, on itself.

i really doubt that you have ever dealt with any Russian legal/compliance/etc process, be it a personal or a business issue. As i have been there and done that, i can tell you it is night and day difference between US and Russia here.

"Nothing personal, just business" - this is how it works in US, and "Nothing business, everything is personal" - this how it works everywhere in Russia.

"Nothing personal, just business" - this is how it works in US, and "Nothing business, everything is personal" - this how it works everywhere in Russia.

More or less that's what I said.

In Russia, no but am very familiar how Russia-like countries work. A phone call to the right person or cash solves you issues. Or you can bang your head against the wall

I am working in the US, and because of that no bank in my homecountry is willing to touch me with a 12ft pole. They will literally not allow me to have an account because FACTA is too much of a bother.
Providing physical access for law enforcement has nothing to do with it. It's more like a part of a kafkaesque process to overpower corporations, one step in a long-term strategy to force surveillance and censorship on all communication channels.
It's more about corruption than forcing surveillance, IMO. Corruption in Russia works approximately like this:

1. The legal rules for operating any business are intentionally set at a very complex and onerous level.

2. Unofficial license to flout those rules is sold through bribery or otherwise supporting the corrupt actors in Russian government. These bribes are necessary for business to function, because otherwise it's impossible to operate legally.

3. When someone refuses to play bribes or otherwise bow to the will of the corrupt actors, the unofficial license to flout those rules is rescinded and the persecution of that person is entirely within the "rule of law".

I don't remember the exact specifics, but this was used pretty much exactly against a Russian oligarch who refused to sell his multi-billion dollar business below market price. He was investigated and prosecuted for some sort of crime, because everyone is always guilty of some sort of crime, because the only way to run a profitable business is to break the law and pay for the privilege of doing so.

It’s difficult to parse out the difference here. The need to physically roll in is both the stick they’re using and the means with which they’ll retain control.

Naturally, facebook doesn’t have much to stand on here. Russia of course has control of ingress they’ve been ratcheting up.

I ran that very same project for a large tech company as well and our assessment was the same as yours. Intent is not having to deal with other countries authorities when making information requests.

Oh, and the guess-what-they-really-want-so-we-can-even-comply-at-all game was fun here, as well. We made a genuinely good-faith effort in no small part because the Russian market does really matter to us. I think/hope it'll hold up.

Sidenote: There's a similar (in hilarity not content) guesswork coming up with the new EU privacy regulations (GDPR and the new e-privacy regulation that isn't done yet). Sigh.

Out of curiosity, how do you determine whether a particular user is within the scope of this law, or not?

(The problem with the law is that, by the literal meaning of its wording, it is applicable to all Russian citizens anywhere in the world, not just in Russia proper.)

Geo-IP minus any cases of "we know they're not Russian" due to accounts/etc.

In other words: as conservative as possible heuristics.

Edit: Clarification. Simply having an account on some website is obviously not what I meant. I meant cases where we legitimately have and are allowed to use (see GDPR consent requirements wrt what you can and can not do with PII under EU regulations) users' PII to decide this.

Is there a case where "you know they're Russian", but geo-IP doesn't support that?
What I wrote earlier ought to be symmetrical. But in practice, having certainty is exceedingly rare. It's not like we require passports for our service.

What I meant is more that simply because an existing customer uses the services while travelling on Russia, we don't just move all data there.

I have no problem with countries demanding that their citizen's data be stored within their borders and subject to their laws alone. As a Canadian, I take it as a given that any data of mine or about me that's stored on American soil is to be considered as-good-as-public, thanks to their alleged willingness to go so far as to steal sensitive data and share it with competing American interests. [0]

0: https://google.com/search?hl=en&q=nsa+handed+trade+secrets+t...

Out of interest, would you be happy with this if you had no option, and such storage was obligatory? I.e., to be hypothetical, suppose a resident of Canada who did not want their personal information kept within Canada because they were under surveillance from the United States, and they knew that Canada shared information with the U.S. government. Would you approve of a law that gave that person no choice in where they stored their personal data?
Not the parent, but in my view, this wouldn't be significantly different than the world outside the Internet. A citizen and their possessions are rarely if ever outside the legal jurisdiction of the nation they are a part of. I do not see why the Internet should be any different than this.

If there is a problem with the government, the solution needs to be to fix that government, not try to evade it or operate outside of it.

I'm not sure your metaphor works, even as a description of the current state of affairs. I can send my possessions anywhere I want, and I'm not limited in where I keep my possessions. We don't generally place bans on moving legal possessions.
I don't know if I agree. There are import and export restrictions and most countries require you declare on a customs form the contents of packages shipped outside of the country. When you travel, you're expected to bring anything you take with you back, and declare anything you bring in that you didn't take out.

In addition, from a more realistic/practical scenario, most physical possessions are not useful outside of your legal jurisdiction in that you cannot easily use them yourself.

And there's a significant issue with digital assets (as with money, in fact), that large companies shift them over international borders in order to evade the law, that simply doesn't exist in the physical possession space.

For example, I believe it's been accused that some tech companies shift user data overseas explicitly so that they can then deny fulfilling legal warrants on the grounds the data is not stored in the same country, or any number of tax evasion schemes designed to store and transfer money through countries with favorable tax laws.

Sorry, but that makes no sense at all. I have packed all my things - truckloads of them - and moved to a different country several times in my life. It was never an issue, legally speaking.

Yet, because I am still a Russian citizen, this law effectively requires Facebook to store my personal data on Russian servers. Including such data that has been generated in the last several years of me living elsewhere (which is, in fact, all of it - I didn't even have an FB account until I moved).

How does this make any sense?

The funny thing is that we already have national TLDs. And many of them require that a person or company is a citizen/resident of the nation before they can register an address there.

but the gTLDs were in a sense in legal limbo for a long time. On paper they were always US controlled, but anyone anywhere could register there.

But then more recently we have seen sites takes down by the FBI and similar even though both the physical servers and the owner are located abroad. This simply by having the registrar reassign the DNS entry to an FBI page.

What do you propose to do for dual citizens?
The US didn't and doesn't pursue corporate espionage at a government level. The Clinton administration was presented with the idea, but the question about what company would be given the information wasn't clear since, unlike many countries, the US has no real government controlled industry.

This is covered in books like "Cyberspies: The Secret History of Surveillance, Hacking, and Digital Espionage".

Did you leave out the <sarcasm> flag somewhere? The Boeing-Airbus case had probably the highest 'household recognition' among examples of US intelligence working in corporate interests, but it was far from an isolated incident.

https://www.ft.com/content/e86fdad0-42d9-11e3-9d3c-00144feab...

A lesson was learnt in 1994 when France lost out on a big aerospace contract for Airbus in Saudi Arabia to Boeing and McDonnell Douglas, apparently after a phone call by the then prime minister Edouard Balladur, in which he discussed the terms Airbus had offered, was intercepted by US intelligence.

Uhh, France's corporate espionage dwarfs this "apparent" episode, whose evidence is apparently a throwaway line in a FT article?

Your source: a random line in an article about an episode that occurred 23 years ago during the Clinton administration. My source: a well researched book covering the entire history of modern espionage with a significant portion dedicated to corporate espionage, with specific mention of the Clinton administration's handling of this topic.

Does anyone know how they identify Russian citizens?
Depends on the particulars of the company. If I know anything about risk-averse corporations, most of them would rather err on the side of considering you a Russian citizen.
As a first approximation they could be looking at what IP you connect from. unless it is coming from a known TOR exit point (and famously Facebook even operates an .onion address) or some VPN, that would give an indication what nation you reside in.

After that i guess they would look at what data you have given them.

The legal advice we got when we implemented things for this regulation was to go with geo-ip. And then people travel and you have profiles spanning across borders. (Or VPNs, or...)
They want all the data cloned in Russia so that they can spy on Russians and non Russians alike.

Better to just say good bye to Russia and let them kick dirt.

> They want all the data cloned in Russia so that they can spy on Russians and non Russians alike.

So, the Russian equivalent of what the NSA has been doing the last 20 years?

I find it far more likely that this is a sensible move to protect the data of Russian citizens from the US, who have shown time and again that they can't be trusted in these matters.

Yes, that seems to be the reasoning for EU privacy regulations (GDPR) as well.
I'm surprised people are defending this law. I mean, Facebook is a US company but the law applies to every country, right? Not that US privacy practices should be defended, it just seems like knee-jerk anti-American sentiment.
The difference is that NSA tries to keep things secret, because they knew that what they were doing is wrong, and that citizens won't like it if it comes out, it's going to be challenged in courts etc.

In Russia, there's a public law that mandates ISPs to install surveillance equipment that federal law enforcement agency can use basically at will (for now, they still need technically warrants, although in practice it's impossible to enforce; next year, a new law comes into force that removes the requirement for a warrant). And another public law, which requires ISPs to block websites according to a list that is maintained by the government.

> it's going to be challenged in courts etc

How are those challenges going? Any courts out there overruling FISC?

> In Russia, there's a public law that mandates ISPs to install surveillance equipment that federal law enforcement agency can use basically at will

It's public law that created FISC(FISA @ 1978) and it's public law(Patriot Act, third party doctrine) that gave them the power to authorize the NSA's surveillance.

Well, last time this came up, we did get legislation that did something. Not anywhere as much as it should have, but there's that, at least.

Ditto FISC - it might be rubber-stamped warrants, but at least there's a warrant, by an actual judge.

The practical degree of Internet surveillance, and, - especially! - censorship is still vastly lower in US than it is in Russia.

I can see both sides here, on one side - CIA/NSA has hands in facebook data, on the other hand FSB/GRU want same access to this data. This is a battle for our data, (which we give away "for free").
Ok, I think that FB will comply. They did a lot to be present in China, so they will do same here.

But I have one simple question: Should be data of Crimean users stored in Russian or not?

One way to soften the political blow of that question would be to store Crimean user data in Crimea.
Let's go one step further, and store data about individuals in their own homes.
Given that Crimea is now part of Russia, this would mean storing it in Russia.
There are Russian forces in Crimea sure, but so are US forces in South Korea, or in Afghanistan if you prefer active combat. Doesn't mean they're US territories.

Most countries see Crimea as part of Ukraine. [1]

--

[1] https://en.wikipedia.org/wiki/United_Nations_General_Assembl...

What do the people of South Korea, Afghanistan, and Crimea think?
There're millions of people living in all these places and it's a typical mistake to think that they have the same uniform opinion. You can take any subset from the population and create an illusion that they all support or reject something, like US forces presence. I see this in news every time I open them or watch TV.
As far as Crimea, it's difficult to say precisely.

They had a referendum in 2014, but that was then, and it was hardly an open and transparent one (armed Russian soldiers occupying the entire peninsula, no international observers admitted).

Ideally, we'd need to hold a new fair referendum to find out. The problem is that even talking about holding one is in violation of the Russian laws on separatism, punishable by up to 5 years in jail. Conveniently, the corresponding bill was signed into law at the end of 2013, shortly before Crimea was annexed. And yes, people have actually been jailed over this.

(Having said that, if there actually was such a fair referendum, I would bet on them staying in Russia. But the percentages would probably be lower than last time.)

Neither EU or US think so, and might to hit FB with sanctions.
"Given that Crimea is now part of Russia"

Only according to Russia and its friends. In the eyes of international community it's disputed territory at best or occupied part of Ukraine for most.

The eyes of the international community don't matter a whole lot here when it's the Russian police who will come knocking on the door with(out) a warrant.
And to add one to your simple question: What if you run a service where you don't know where users are from? (Facebook knows a lot! It's a terrible example in this context.)

The best answer we got from the lawyers was "geo-ip". Alas, given that it has both plenty of false-positives and false-negatives (and people travel), it might as well mean violating privacy laws in both Russia and whichever-other-country.

Good times were had.

I believe facebook banned users from Crimea. So is Google and other US corporations.
All Crimean traffic now has Russian IPs.
Yeah, next logical step is for Zuckerberg to learn Russian and ask Putin to name his next child.
There is an inevitability about it. The desire for people to people connection and a global consciousness was there but most idealists would have realized it's a fantasy and parochialism and nations states are not going away.

It's easy for us to be blase about it but if it were Russian and Chinese companies vacuuming up our data and not afraid to share it with their governments, there would be end of the world hysteria by media, academics and commentators about 'our freedom', the american way, and how awful these totalitarian countries were.

Now since its us caught with our pants down with draconian surveillance, secret courts, secret orders and collaboration with little to no pushback from the loudest defenders of freedom more interested in posturing and feeling smug than defending any values they articulate, other countries need to wisen up and protect their citizens and their interests.

Anything is better than leaving it to US based companies with an insatiable appetite for user data and vested in spying on everyone all over the internet with zero constraints or sense of either corporate and individual ethics for the thousands of engineers involved in this, supported by an of control unrestrained surveillance culture in government.

This happens the day after Facebook embarrassed Russia and its own stock price by verifying how Russian advertising accounts were used to manipulate the US election.

Coincidence?

No you're wrong on stock price, tech stocks all went down Monday. Google, Microsoft, Netflix, Nvidia, Facebook, Tesla, all down.

Facebook announced further Russia advertising findings on Sept 21, and on Sept 22 the stock price barely changed. The Russia factor was already priced in on Friday, before all tech stocks fell on Monday.

This is exactly why interoperable federated social platforms are important and why they are a better solution than centralised platforms. The future is a choice between per jurisdiction walled garden monopolies under national control and multiple interoperable solutions.
I say shut it. Dump the difficult governments.
That would stop Facebook from interfering in Russian elections.