SORM (Russian: Система Оперативно-Розыскных Мероприятий, literally "System for Operative Investigative Activities") is a technical system for search and surveillance on the Internet. A Russian law passed in 1995 allows the FSB to monitor telephone and Internet communications.
SORM-1 system has been established in 1996 to monitor telephone communications.
In July 1998 the system was replaced by SORM‑2 to allow monitoring of the internet, in addition to telephone communications. Under SORM‑2, Russian Internet service providers (ISPs) must install a special device on their servers to allow the FSB to track all credit card transactions, e-mail messages and web use. The device must be installed at the ISP's expense. It has been estimated to cost $10,000-$30,000. Other reports note that some ISPs have had to install direct communications lines to the FSB and that costs for implementing the required changes were in excess of $100,000.
On July 25, 2000, Russia's Minister of Information Technology and Communications Leonid Reiman issued the order No 130 "Concerning the introduction of technical means ensuring investigative activity (SORM) in phone, mobile and wireless communication and radio paging networks" stating that the FSB was no longer required to provide telecommunications and Internet companies documentation on targets of interest prior to accessing information.
A ministerial order from the Russian Ministry of Communications from 16 April 2014 introduced requirements for the new wiretapping system SORM-3. Telecommunications operators were required to install compliant equipment by 31 March 2015.
According to regulations of Russian Ministry of Communications SORM-3 equipment supports the following selectors:
- Single IPv4 or IPv6 address
- IPv4 or IPv6 networks identified with address mask
- User ID within telecom operator's system, supporting "*" and "?" as globbing symbols (wildcards)
- e-mail address, if targeted user connects via POP3, SMTP or IMAP4; connections protected with cryptography are specifically excluded
- e-mail address, if targeted user connects to a webmail system from a predefined list of services: mail.ru; yandex.ru; rambler.ru; gmail.com; yahoo.com; apport.ru; rupochta.ru; hotbox.ru; again, connections protected with cryptography are specifically excluded
- User's phone number
- MAC address of user's equipment
- ICQ UIN
SORM architecture and deployment
|This section does not cite any sources. (September 2015) (Learn how and when to remove this template message)|
In most cases SORM is deployed using port mirroring. Due to the higher bandwidth usage within providers' networks (compared to external connectivity) many providers deploy SORM only at uplinks. In some cases trying to reduce their costs smaller providers would not implement SORM in their networks but instead would buy SORM-as-a-service from their upstream provider, which then deploys SORM installation on a specific downlink.
Such deployment limits the amount of traffic seen by SORM, i.e. the internal traffic may not be captured by the equipment.
SORM also enables the use of mobile control points, a laptop that can be plugged directly into communication hubs and immediately intercept and record the operator's traffic.
Access by government agencies
On January 5, 2000, during his first week in office, president Vladimir Putin amended the law to allow seven other federal security agencies (next to the FSB) access to intelligence gathered via SORM. The newly endowed agencies included:
- Russia's tax police
- Russian Police
- Federal Protective Service
- Border patrol and customs
- Ministry of Internal Affairs
- Kremlin Regiment
- Presidential Security Service
- Parliamentary security services
Warrant and notification regulations
The acquisition of communications by entitled security services in general requires a court warrant, but at the same time they are allowed to start wiretapping before obtaining such warrant. The warrant is also only required for communications content, but not metadata (communicating parties, time, location etc.), which may be obtained without the warrant.
In cases where an FSB operative is required to get an eavesdropping warrant, he is under no obligation to show it to anyone. Telecom providers have no right to demand that the FSB provide a warrant, and are denied access to the surveillance boxes. The security service calls on the special controller at the FSB headquarters that is connected by a protected cable directly to the SORM device installed on the ISP network.
Zakharov v. Russia
In December 2015, The European Court of Human Rights ruled on a case on the legality of Russian SORM legislation. In a unanimous Grand Chamber decision, the Court ruled that Russian legal provisions "do not provide for adequate and effective guarantees against arbitrariness and the risk of abuse which is inherent in any system of secret surveillance, and which is particularly high in a system where the secret services and the police have direct access, by technical means, to all mobile telephone communications." It ruled that therefore, the legislation violated Article 8 of the European Convention on Human Rights.
2014 Winter Olympics
The FSB made secret arrangements for significant upgrades to SORM equipment in Sochi prior to the 2014 Winter Olympics. The Russian Ministry of Communications also introduced new regulations for ISPs regarding SORM in March 2013. All communication and Internet traffic by Sochi residents is now captured and filtered through deep packet inspection systems at all mobile networks. Roskomnadzor, a federal executive body responsible for media control, reported that several local ISPs were fined by the government after they failed to install FSB-recommended SORM devices.
- "Приказ Минкомсвязи об утверждении Правил применения оборудования систем коммутации, включая программное обеспечение, обеспечивающего выполнение установленных действий при проведении оперативно-розыскных мероприятий". Российская газета. Retrieved 2016-03-16.
- "In Ex-Soviet States, Russian Spy Tech Still Watches You". WIRED. Retrieved 2016-03-16.
- SORM, Lenta.ru, 21 August 2000; full text of the order in Russian: Russian full text, Libertarium.ru
- Pierluigi Paganini (2014-08-18). "New powers for the Russian surveillance system SORM-2". Security Affairs. Retrieved 2014-08-24.
- "СОРМ-3 будет внедрен до 31 марта 2015 года". 2014-10-11. Retrieved 2014-10-12.
- "ПРАВИЛА применения оборудования систем коммутации, включая программное обеспечение, обеспечивающего выполнение установленных действий при проведении оперативно-разыскных мероприятий." (PDF).
- Tracy, Jen (13 January 2000). "Police Get Window Of Access To E-mail". Moscow Times. Retrieved 6 June 2014.
- Russia: Surveillance Policy (Report). Privacy International. 12 December 2006.
- "Слушать подано". Kommersant. 2008.
- "ECHR, Russian Federation: Breaches of Human Rights in Surveillance Legislation – Global Legal Monitor". www.loc.gov. 2016-03-02. Retrieved 2016-04-14.
- "CASE OF ROMAN ZAKHAROV v. RUSSIA (Application no. 47143/06)". HUDOC – European Court of Human Rights. Paragraph 175. Retrieved 2016-04-14.
- "As Sochi Olympic venues are built, so are Kremlin's surveillance networks". The Guardian. 6 October 2013.
- Russian Spies, They've Got Mail - Regulations Allow Security Services to Tap Into Systems of Internet Providers. Sharon LaFraniere, Washington Post, March 7, 2002
- Russia: Surveillance of communications. Statewatch, June 2000.
- New KGB takes internet by SORM, Mother Jones Magazine, February 2000.
- SORM - Russia's big brother...., Issue #21, Numbers & Oddities Newsletter, 1999 December 20
- Об утверждении типовых Требований к плану мероприятий по внедрению технических средств для проведения оперативно-разыскных мероприятий 15 January 2008 (Russian) (document removed)
- Об утверждении Требований к сетям электросвязи для проведения оперативно-разыскных мероприятий. Часть I. Общие требования 16 January 2008 (Russian) (document removed)