International Yarovaya package: how is user data stored in Russia and abroad?

What bill are you talking about?

The government of the Russian Federation submitted to the State Duma a bill obliging the owners of technological communication networks with an autonomous system number to store information and provide it to law enforcement agencies. The text of the document was posted on Monday in the electronic database of the lower house.

We are talking about storage on the territory of Russia for three years of "information on the facts of reception, transmission, delivery and (or) processing of voice information, text messages, images, sounds, video or other messages of persons using technological communication networks."

The initiative also obliges them to provide the specified data "to the bodies carrying out operational investigative activities or ensuring the security of the Russian Federation."

The draft federal law contains mandatory requirements, the assessment of compliance with which is carried out within the framework of state control (supervision), municipal control, when considering cases of administrative offenses.

Explanatory note text

How is data storage regulated by law in Russia now?

On July 1, 2018, the last part of the anti-terrorist package of laws of Deputy Irina Yarovaya and Senator Viktor Ozerov came into force.

What do they keep?

  • text messages
  • voice information
  • images
  • sounds
  • video
  • other electronic messages

Data is stored for no more than six months. Within these boundaries, the law allows the Russian government to independently determine the retention periods for user messages. As a result, the rules look like this:

  • Internet companies will have to store user messages for all six months
  • telecom operators serving users of landline, mobile and satellite phones, pagers and payphones - also six months
  • Internet providers from October 1, 2018 - from one to six months

So far, a little more than a hundred Internet companies have been entered in the register of organizers of information dissemination: the largest Russian ones (Yandex, Rambler), some foreign ones (WeChat, Opera) and many small sites where users can leave comments. The Ministry of Telecom and Mass Communications considered that the presence of comments is a sufficient basis for inclusion in the register.

At the same time, many large foreign social networks (Facebook, Twitter, Instagram) and instant messengers (WhatsApp, Viber) are not in the register.

It is not known whether they are going to comply with the "Yarovaya law" or not. The only foreign company that announced that it would not cooperate with the special services turned out to be Telegram, although it was formally included in the Russian register.

How is data stored in the United States?

The country has two levels of legal regulation: the federal level and the state level. The lawmaking powers of the states under the US Constitution are very broad.

At the national level, there is no systematic regulation of the right to personal data protection as such. Two acts have been adopted that define the responsibilities of state bodies in this area, without touching on the rules governing the processing of citizens' personal data by operating companies.

The Privacy Act of 1974 and the Privacy Protection Act of 198 are to be applied only by federal authorities. Because they contain technical regulations governing data confidentiality, companies can use them as guidelines for organizing their activities. In the event of disputes related to the protection of personal data, a court is more likely to turn not to them but to case law.

The legislation of the US states, which are completely autonomous in their legal creativity, often turns out to be much more specific and stricter than the federal one.

One of the most striking regulations governing this area and privacy was enacted by the state of California. It applies only to operating companies that collect personal data from Internet users.

Now every person using their services has the right to know:

  • what kind of information providers and other Internet companies collect about them;
  • for what purpose this information is collected;
  • how it will be used.

Users of Internet services have acquired the right to demand the destruction of this data or prohibit its transfer to third parties for any purpose.

This norm is to some extent analogous to the Russian one, which allows individuals to withdraw consent to the processing of personal data, with one exception. American data subjects did not provide such consent, and the information collected by the companies relates largely to the Internet activity of users.

Such a strict level of regulation, in the event of mass use of the law by California residents, can cause serious damage to Internet companies. In addition, California law minimizes the rights of operators to collect personal data of minors and transfer it to third parties.

  • U.S. Data Protection Standards

The laws in force in America cannot fully cover the entire legal field related to the regulation of personal data protection. The same model operates in Russia, where the application of the law is ensured by the adoption of many bylaws at the level of the government and the FSTEC.

In America, the scope of two federal acts did not include the standards and parameters that govern the requirements for the automation of personal data protection systems.

Since ensuring the security of information during its storage and processing requires serious additional regulation, similar to that which is carried out in Russia by the FSB and FSTEC, American operators are instructed to use the recommendations issued by the National Institute of Standards and Technology (NIST). This organization publishes regulatory documentation similar in nature to Russian GOSTs.

How do companies collect data?

  • Pentagon

The Pentagon's Joint Center for Artificial Intelligence is hiring companies to prepare military data for use with AI. The Pentagon announcement signals a shift in the role of the AI hub from a product developer to an AI readiness service provider for the US Department of Defense.

The basic agreement will allow different departments of the ministry and federal partners to issue orders for data processing services for working with AI, which can include everything from collecting data to sorting it for storage and simulating how employees will use it with AI.

The Data Readiness for Artificial Intelligence Development (DRAID) service ordering agreement "will help the US Department of Defense and government agencies prepare data for use in artificial intelligence applications by providing easy access to the advanced commercial services needed to solve complex technical challenges," the Pentagon said in a statement.

Among the areas the Pentagon will work on together with civilian partners: data collection and curation, synthetic data generation and data anonymization, software development, modification and customization, and so on.

  • iOS and Android

Researchers from Ireland examined how much data iOS and Android send to Apple and Google. For example, Apple and Google get the device IMEI, hardware serial number, SIM card serial number and IMSI, phone number and other data.

Moreover, Android and iOS continue to transfer telemetry to their parent companies, even if the user does not specifically disclose this data. In fact, as soon as a user inserts a SIM card into any device, the corresponding data is transmitted to the parent company of that device.

There is no way for users to prevent iOS devices from telling Apple the MAC addresses of nearby devices, as well as GPS location data. Indeed, these users don't even need to log in for the device to share data. On the other hand, Google collects much more data from nearby devices than Apple.

For comparison: Google gets about 1MB of data, compared to 42KB for Apple. On standby, Android Pixel sends about 1MB every 12 hours, while iOS sends 52KB. Google collects about 20 times more data from mobile phones than Apple.

Additional features such as iCloud, Safari and Siri send user data to Apple regardless of whether the user allows the action or even knows that their data is being transferred.

On Google Android, applications such as Chrome, YouTube, Google Docs, Google Messaging, Clock, Safetyhub, and Google Searchbar transmit data. The main reason these devices end up sending so much data has to do with connecting to an internal server that is automatically updated by the IP address.

Once a company has an IP address, it can usually determine the corresponding geographic location.

  • Google

Google representatives announced the creation of FLoC (Federated Learning of Cohorts) technology, which will make it possible to do without cookie-based ad targeting. It is argued that FLoC will increase browsing privacy and that there will be no need to resort to collecting users' personal data.

Growing fear of location tracking using cookies prompted the company to support Internet rights laws and develop a way to effectively target ads without collecting all available information about the user.

The essence of the technology is that selecting ads with FLoC does not require access to the data of a specific user; instead, it brings people with similar interests into groups. Thus, an advertisement is shown to a group of users.

In addition, using FLoC will help fight fraudulent advertising traffic.

Google announced the technology in 2019. Testing will take place in 2021. The date of introduction of the technology is still unknown, because the company has not yet resolved legal issues. Testing will take place based on Chrome.
