Russian spies claim they can now collect crypto keys but won’t say how
Putin gave KGB’s successor agency two weeks to deal with encrypted services.
Glyn Moody | Ars Technica
Russia’s intelligence agency, the FSB, successor to the KGB, has posted a notice on its website claiming that it now has the ability to collect crypto keys for Internet services that use encryption. This meets a two-week deadline given by Vladimir Putin to the FSB to develop such a capability. However, no details have been provided on how the FSB is able to do this.
The FSB’s announcement follows the passage of Russia’s wide-ranging surveillance law, which calls for metadata and content to be stored for six months, plus access to encrypted services, as Ars reported back in June.
The new capability seems to go even further, since the FSB notice (in Russian) speaks of obtaining the “information necessary for decoding the electronic messaging received, sent, delivered, and (or) processed by users of the ‘Internet’ network.”
Being able to decode Internet communications would seem to imply getting hold of any crypto keys that are used. However, as an article on The Daily Dot points out, it is still not clear what the new laws will require: “No one seems to know what this new law means in the slightest. Or, more accurately, the people who do know are keeping mum.”
Three of the services that are likely to be most affected by the new requirements are Facebook’s WhatsApp, Telegram, and Viber. Ars has asked all three for clarification on what the Russian authorities have asked for, and what information the companies are or will be providing, but has not yet received any reply. This post will be updated with responses when they are received.
The Daily Dot quotes Russian technologist Anton Nesterov as saying that it’s not even clear whether the new legislation applies to VPNs or basic SSL keys, nor whether mainstream electronic payment systems must hand over their keys as a matter of routine.
Nesterov also points out the dangers involved in providing this information, not least because leaks of such valuable data are always a risk.