On the morning of November 6, the head of Roskomnadzor from the pages of the newspaper “Izvestia” spoke about the initiative to introduce the identification of users of instant messengers. A few hours after the release of the material, Prime Minister Dmitry Medvedev signed these changes – according to the text of the document, it will take effect on May 5, 2019.
Judging by the words of Zharov and the text of the decree, the new identification rules are aimed at deanonymizing communication – the head of Roskomnadzor calls anonymity in messengers a barrier to investigations by law enforcement agencies. However, the changes sound just in Zharov’s vision: in fact, they are deeper than just a personality check, and experts doubt that they will work as stated.
There are many questions to the new procedure: some of them can be answered independently, but some, most likely, will remain unanswered.
Now you can only communicate under your name and surname?
The answer to this question is quite easy: it is obvious that so clumsily de-anonymization will not work.
For example, a person with a passport of Ivan Pupkin and an OperAtor SIM card registered to this name goes to the ABC messenger. When registering, he indicates in the messenger not his name, but the name of his favorite stand-maker, Danila Cross.
According to the new rules, the messenger must identify the user during his registration – otherwise the person will not be able to use the service. According to the “Izvestia” text, the owners of the messenger must somehow check that the messenger user and the owner of the number are one person: “Now the messengers administrators will check whether the user’s phone number is really registered to him”. But in fact, there is no such requirement in the text of the decree : no one will come to Daniil Poperechnyi to present Ivan Pupkin for the sins, and vice versa, Pupkin is not forbidden to sign with a false name in the messenger.
In reality, the new rules simply oblige the instant messengers to be identified by the phone number: “For identification purposes, the subscriber number assigned to the user of the instant messaging service is provided by the user of the instant messaging service to the organizer of the instant messaging service.” When translating into Russian, during authorization the user must enter his mobile number himself.
The new rules do not prohibit the use of instant messengers under a nickname or other names and surnames . They rather oblige messengers to maintain the relevance of the phone number associated with the profile.
Then, it turns out, messengers can still be used anonymously?
Probably not. Since the rules oblige to pass identification by a mobile phone number, and a SIM-card in Russia can be bought only with a passport, the authorities will have information about who is using the account in the messenger .
Judging by how exactly the new rules are arranged, to de-anonymize the messenger user, the authorities will only need to make a request to all telecom operators – now they are obliged to store information about all identifications of their subscribers in the messengers. Considering that the operators give the law enforcement agencies the passport data of subscribers by telephone number, they will most likely agree to issue information on accounts in instant messengers.
The really important question in this context is: what will be the responsibility of operators for refusing to provide data on accounts in the messenger? Alexander Zharov claimed that administrative liability would be provided for non-compliance with the rules, but it is not yet known which one. If substantial penalties are foreseen, companies will disclose such data.
Is it really impossible to buy a “left” SIM card and use an instant messenger from it?
The authorities pretend to keep the situation under control, and periodically tighten the rules for selling SIM-cards. The last time this happened was on June 1, when Vladimir Putin signed a law obliging corporate clients to indicate all employees who would use SIM cards purchased for the company. Moreover, the operators were obliged to check whether the employee really uses the SIM card – for this, he can be forced to log in through the “Gosuslugi” (they cannot be registered without a passport) and even come to the operator’s office with a passport.
In fact, a “left” (that is, registered to another person, possibly non-existent) SIM card can still be bought. First, the black market has not been canceled by anyone, and even if we toughen the requirements for providing a passport, those who want to maintain anonymity will simply raise the demand for fake passports.
Secondly, in Russia it is not forbidden to use foreign SIM-cards, and the decree does not oblige to use only domestic SIM-cards for registration in messengers. This means that in order to preserve anonymity before the Russian authorities, it may be enough to use a foreign SIM card – for example, in Ukraine they are still sold without a passport (although since the autumn of 2018, voluntary registration of subscribers appeared in the country ).
Therefore, the real question here is this: will foreign operators fulfill the requirements of Russian legislation? It is not clear what levers of pressure Roskomnadzor can use, because a foreign operator may not even work in Russia.
It turns out that the rules do not provide complete de-anonymization?
There is a third argument in favor of the fact that the resolution will not guarantee total de-anonymization. You can always ask to issue a SIM card to another person who does not know exactly how it will be used – for example, a homeless person for a fee. Ignorance, of course, does not relieve him of responsibility and can bring him many problems, but these are the concerns of this person, and not the user who will set him up.
Together with the black market of SIM-cards and the possibility of using foreign operators, it turns out that the authorities will not be able to know in 100% of cases who actually use the account in the messenger . Those intruders who attend to their anonymity can escape responsibility. Then it turns out that the “creation of a secure communication environment” declared by Zharov does not work.
The question to which no one in the government will voice the answer: why then is the identification of users needed, if it does not work with everyone?
New rules will prohibit teenagers to use instant messengers? After all, a SIM card cannot be bought without a passport.
A strange conclusion that directly follows from the previous paragraph – according to the spirit of the decree, teenagers will not be able to use the messenger, because the identification involves checking that the person who is listed in the passport is using the messenger. But in fact, it will not work this way – there are at least two reasons for this.
First, the decree does not oblige to verify that the messenger user is the same as that specified in the passport . According to the described procedure, only the relevance of the phone number is checked – is there a subscriber with such a mobile and active contract in the operator’s database. It is enough that the SIM card works, for whom it will be registered (mom, dad, brother, aunt) – it does not matter.
Secondly, teenagers can get a personal SIM card from the age of 14, when they have their passport. For example, “Beeline” allows you to issue a SIM-card to persons under 18 years old, but in the presence of parents, similar requirements from other operators.
In the end, users still find a way to use instant messengers and social networks, despite the limitations. For example, WhatsApp, Instagram, Facebook, YouTube, Gmail allow registration from the age of 13 (due to the GDPR in some European countries, WhatsApp increased the age to 16 years), but more young users use the services.
Therefore, the question here is: will teenagers sitting on the phone with a SIM-card registered on one of the parents violate the law? If we assume that there will be no mass hunt for teenagers, it means that there appears to be a rather massive hole in the identification procedure, with which no one is going to do anything.
Why such a short time on the reaction – 20 minutes?
It is clear why disconnecting the user from the messenger after the notification of the termination of the contract by the subscriber also wants to be operational (a day after the termination + 20 minutes after the notification is sent). For example, a subscriber could lose his SIM-card or stop being friends with those for whom he registered the “left” SIM-card – he should be able to block access to the messengers to those people who use it in this way and protect themselves. Until now, it was enough to log in to the instant messengers once, and after that they could be used indefinitely. Now the user will be forced to log in messengers upon termination of the contract with the operator, even if he switched from one to another with the preservation of the number.
But the notorious 20 minutes, which are assigned to the identification procedure, raise the most questions. Unless a situation can occur that Ivan Pupkin successfully logged in the messenger through the code from the SMS, and the operator reported that he was not in the subscriber database, and was disconnected from the messenger after 20 minutes? And if it can, isn’t the user capable of doing something dangerous in these 20 minutes? And if able, then why is it about 20 minutes, and not about instant check?
So what does change?
The main thing now is to remember that when authorizing in some messengers after May 5, 2019, account information can be transferred to telecom operators, which means to the authorities . Together with the law of Spring, obliging to keep and issue a recent correspondence of the user, the authorities will not only know to whom, when and what the user wrote, but who the user is on the passport. Of course, if his passport (or SIM-card) is not fake.
For the rest, apparently, almost nothing will change. As before, instant messengers will authenticate the user by phone number and verify that he belongs to him, using a unique code in SMS. Now, in the background, there will also be a check whether the operator has a subscriber with that phone number. Given the code input from the SMS, this check looks superfluous – however, the user will not notice it.
Most instant messengers already use user verification by phone number, so they don’t even have to change anything in their work. You can log in to Facebook Messenger or Instagram without a phone number, and on your Facebook account – but you just need a phone number for it.
However, some instant messengers still do not request a number – for example, Slack, Discord, Kik or Google Hangouts. Can Roskomnadzor make them obey? If not able, will prohibit how telegram?
Well, the main question – what messengers will perform this resolution? So far, the situation with the law of Spring shows that some messengers do not fulfill the law, and in general nothing happens to them.