Home / Blog

The Yarovaya Law as an Example of Ill-conceived Legislation

By Alexander Tabachnik

Cyberspace has become deeply integrated in our lives, hence increasingly important as an issue of national security. This is a fresh battlefield where countries fight new types of war, including struggles for the minds of the people, a realm which ever more deeply influences the development of our economy and civil society.    

In recent years information warfare (IW) in cyberspace has become Russia’s major tool in its conflict with the West. Through IW, particularly propaganda efforts in cyberspace, Russia has repeatedly intervened in the election processes and internal affairs of the US, Germany, Ukraine and several other countries. Through IW Russia has repeatedly striven to undermine the unity of Western organizations such as NATO and the EU and to challenge the stability of the leading Western countries.

At the same time, the Russian leadership is convinced that Moscow is endangered by internal and external foes seeking to challenge Russian national security, including that of the information sector. From Moscow’s perspective, the internet, and the free flow of information generally, threatens Russian national security.

Moscow accordingly strives to keep information flow in Russian cyberspace under its strict control. Thus it aims to prevent or deter as much as possible dissemination of information which may darken the positive representation of its regime, or any activity which may endanger the regime’s stability. Through lawmaking Moscow strives to restrict any undesired activity in Russian cyberspace while undermining freedom of speech, information privacy, and the confidentiality of correspondence. Consequently, these efforts also have had a significant negative impact on Russia’s business atmosphere, and generally on investments and the development potential of entire sectors of the Russia economy.

In recent years Russian authorities have passed a series of laws and amendments which demonstrate their determination significantly to reinforce control over information flows in the Russian sector of the internet. These efforts are mostly justified as if countering terrorism and promoting public safety. An example is the Federal law of 6 July 2016 №374-F3  (also known as the Yarovaya law) which concerns the introduction of amendments into the Federal law regulating counter-terror and public safety measures. Specifically, article 15 of this law introduces changes in the Federal law of 27 July 2006 №149-F3 (article 10.1), “Concerning information, information technologies and the protection of information.” The new version of the law, №149-F3 (article 10.1), requires distributors of information such as internet and telecom companies, messengers, email services, forums and other platforms that allow the exchange information on the internet, to store, in the territory of the Russian Federation, the following information:

  • Information on the facts of reception, transmission, delivery and/or processing of voice information, written text, images, sounds, video or other electronic messages of internet users and information about these users for one year after the end of such actions.
  • Text messages of internet users, voice information, images, sounds, video and other electronic messages of internet users up to six months from the end of their reception, transmission, delivery and/or processing.


  • distributors of information on the internet are obliged to provide the information specified earlier to an authorized executive authority (such as the Federal Security Service (FSB)) that conduct operational investigative activities or safeguard the security of the Russian Federation in the cases defined by the federal laws.
  • Distributors of information on the internet network are obliged, when using additional encryption of electronic messages to receive, send, deliver and/or process electronic messages of internet users, and to provide internet users with additional encryption of electronic messages, to deliver to the federal executive authority in the field of security (such as the FSB) information necessary for decoding received, transmitted, delivered and/or processed electronic messages.

According to the law, for non-performance of any of these obligations, the operators (distributors of information) may be blocked in Russia. Note that in comparison with the common Western practice of law enforcement, Russian law grants the special services much wider powers. For example, to gain access to the user's personal data, Western intelligence agencies send a court warrant to a telecom or internet operator. On receiving such a document, the operator is obliged independently to convey the required information to the law enforcement agencies. However, the Russian special services operate differently. Each telecom or internet operator is obliged by law to install special software and hardware, called SORM, which allows the FSB to gain access to users’ personal data. In this case, information is accessed by special services without the knowledge of telecom or internet companies. The FSB officer simply enters the command through the SORM control panel, which is connected to the operator’s servers. As a result, only the FSB officer and his superiors see the warrant issued by the court permitting access to information. Considering the poor record of rule of law in Russia, and the de facto subordinate position of courts to the executive authorities, the special services, such as the FSB, enjoy absolute freedom of action and absence of oversight. This situation is made even worse by the lack of public or parliamentary control over the work of the special services.

This scenario played out in the case of the “Telegram Messenger LLP” company, which rejected implementation of the Yarovaya law (10.1 №149-F3 with amendments according to №374-F3). Namely, Telegram rejected the requirement of the FSB to transfer keys to decrypt users’ messages, because the company considers it its duty to keep users' correspondence secret. As a result, based on Art. 15.4 of the Federal Law “On Information, Information Technologies and Information Protection,” on Friday April 6 2018 Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media – the regulator) filed a lawsuit demanding that access to the information resources of Telegram Messenger LLP be limited (i.e. blocked) in Russia. However, for technical reasons the regulator’s efforts to block Telegram have succeeded only partially, while causing significant collateral damage. Russia instead blocked users’ access to unrelated online services.

Clearly, the Russian authorities have been uncompromising in their efforts to establish control over information flow in the Russian section of the internet, despite significant economic and reputational costs. According to various assessments and estimates (equipment and operational costs), even implementation of the Yarovaya law by the distributors of information may cost 2-10 trillion rubles (30-150 billion US$ -- November 2018 exchange rate) in the coming years.

De facto then, the Russian special services have unrestricted access to a significant portion of private and commercial information which circulates in Russian cyberspace. Considering the opacity and corruption of the Russian governmental structures, including the security services, many of those who operate in Russian cyberspace should worry about how the collected information will be used. Another issue is the safety of the collected and stored information. Will telecom and internet companies be able to provide the necessary level of cyber security and prevent the theft of valuable information by hackers or other concerned parties?

Recently, for a small sum of money a journalist  bought from a Russian official information from a classified Russian database regarding the real identities of the two Russian GRU officers who poisoned the Skripals in Salisbury UK. Thus it can be assumed that this kind of collected information is not stored securely.

In sum, Russia serves as an interesting case where an authoritarian regime’s efforts to preserve its stability lead to damage to its reputation inside and outside the state, significant direct and indirect economic damage, as well as uncontrolled access by the security services to sensitive private and commercial information with wide opportunities for misuse. Also, the efficacy of the described legislation and the measures aimed at total control and preservation of the regime’s stability is questionable. Presumably, in the long term such measures may cause damage to state development, thereby upsetting the regime’s stability. 

The Russian case again raises the question of where the borderline between necessary and excessive control over cyberspace by state authorities should be established, in order to continue guaranteeing the unobstructed development of economic and civil society.