National security v Freedom of choice and the Internet – Ukraine

May 16, 2017

The Ukrainian social and mainstream media is filled with reaction to the Presidential Decree expanding sanctions upon Russian companies and individuals – for among those companies sanctioned and to be banned are VK (VKontakte) and Odnoklassniki, two social media platforms far more popular than Facebook in Ukraine, as well as Mail.ru, on which millions of Ukrainians have email addresses, the popular search engine Yandex, Kaspersky software, Dr Web and the extremely popular accounting and business management system 1C.

The Decree was signed and subsequently published on 16th May based upon the recommendations of the National Security and Defence Council that appeared in late April.

Naturally, prohibiting such sites within Ukraine is presumably related to security implications in some cases, and will clearly have societal and economic implications too.

Undoubtedly blanket bans across popular social media websites will be viewed by many as a degradation of liberal democracy.  Comparisons with China, Iran and Russia will inevitably be made.  After all, people and companies use these platforms by choice and not through coercion or lack of free market alternatives.  The argument will be that the blanket removal of such a choice is unjustified.

Therefore a national security case has to be made to warrant national security overriding free choice and a free internet.

The national security advocates will argue that VK (VKontakte) and Kaspersky in particular have well known and uncomfortable associations with the FSB.  This notwithstanding the Russian SORM surveillance system.

That VK is used to infiltrate, propagandise, disinform et al is well known within Ukrainian society.  That VK requires email addresses, telephone numbers etc when joining the social media platform also provides the FSB the opportunity to harvest direct contact details of every member – thus it has millions and millions of contact details for Ukrainians.  There is then the issue of whatever personal details are also added – Instagram, Facebook, LinkedIn links, as well as whatever anybody writes or photographs/videos they upload, and groups (open or closed) that they may join, which regardless of any privacy settings are obviously not private with regard to FSB accessibility.

However, banning VK access in Ukraine does nothing to alter the details already on and harvested from the VK system.

Neither does it prevent access to the website for Ukrainians outside of Ukraine.

The counterpoint to the ban however, is that all of this FSB connectivity is very well known to Ukrainian social media users – who still choose it over or in parallel to Facebook.  There is no revelation in declaring VK links to the FSB or associated data and content security on VK to any Ukrainian.  Nobody is suddenly illuminating a dark space when identifying such an association.

It is also equally well known that the Ukrainian intelligence services are (necessarily) active on VK.  How will the move affect their operational intelligence gathering?  Social media and unencrypted end to end telephone calls/texts are low hanging fruit for all security services after all.

No doubt, should the ban take effect from 1st June as stated in the Decree, there will also be a massive uplift in the use of VPNs masking IP addresses to allow entry and also hiding page visits from ISP providers.

VPNs and plasters/band aids over webcam lenses have long been en vogue in Russia – particularly among the youth.

Only time will tell whether a large increase in the use of VPNs will be a security services and policing deficit for Ukraine compared to their use now.

The impact on what has proven to be occasionally very useful OSINT, not to mention the Ukrainian national sport of trolling the Russian trolls, will naturally suffer.  With the social media platform accessible globally except for within Ukraine, it will become far less competitive when it comes to prevailing narratives for those looking and logging in.

There will also be a lot of Ukrainians that will be less than pleased when barred from their own social media pages on VK and Odnoklassniki who will feel they do not need governmental parenting when it comes to Russian disinformation and infiltration.

Come Schengen visa-free on or about 11th June, Ukrainians will be able to access VK across the entirety of Europe (and most of the world) other than in Ukraine (excepting those that employ a VPN).

Nevertheless people regularly adjust their on-line and software habits.  We have all lived through software upgrades and uploaded and deleted programmes.  Either alternatives or circumventing solutions will be found depending upon the individual.  The question therefore is what national security gains vis a vis losses are achieved by the VK ban?  How will policy gains (or losses) be measured?

No sooner had Mail.ru been named as banned from 1st June, it published the way to circumvent the prohibition for Ukrainian users.  (A circumvention guide of equal use to Russian users too.)

There is also the matter of losses for businesses that operate and advertise on VK.  How to manage customer bases?  Where to direct them?  Will they go?

Kaspersky software remains surprisingly popular given its FSB association and the number of competitors – but again everybody knows about the association.  There is no revelation in pointing it out.  Perhaps the least talked about Kaspersky issue is its “always on packet sender service”, but highlighting such issues does not change the already well known FSB associations.  The question is once again whether a blanket ban is appropriate for systems that are not tied to industries, institutions and infrastructure related to strategic national security?

Clearly the NSDC and President Poroshenko think so.

In the fast moving hacker world that we inhabit, hacks, exploits etc., are no sooner patched than another intrusion occurs.

The blanket prohibition of the very popular 1C business management system will certainly not be popular across the entirety of the economy.  Albeit there may be issues with its use in certain entities – for example in Odessa the National Guard, Institute of Naval Services and Prison Service all use 1C – so do an awful lot of commercial enterprises.  Enforced change will be both costly and unpopular.

Which brings about the issue of enforcement of this Decree once it comes into effect from 1st June.

Having perused current Ukrainian legislation, thus far the blog has failed to find any statute that places a legal penalty upon any ISP provider that does not comply.  There appears to be no criminal liability nor penalty for non-compliance (assuming the ISP providers have the technical ability to ban specific websites, as presumably such hardware and software does not come cheap).

If that be the case, to actually force, rather than nudge (via the usual coercion methods) ISP providers into compliance there is an urgent need over the next fortnight to draft and pass such statute applying responsibility and penalty.

By extension if there is an absence of legal mechanism, once again policy implementation, be the policy good, bad or indifferent, suffers.

Considering all the above, the questions are therefore what is the stated aim of the policy (beyond simply sanctioning somebody for the list), what is the real aim of the policy (if that is not publicly proclaimed – for example is this a case of de-Russifying the social media platform space under the guise of sanctions or national security), and how successful will it ultimately prove to be (already 3 years into an on-going war with Russia)?

It will be interesting to see just how effective this all turns out to be.
