Russian Internet Services Mandated to Store User Traffic for Six Months

Just days before the “Yarovaya Law” came into effect, the Russian government clarified how information dissemination organizers (ORIs) must store user messages. According to the government’s official legal portal, records of online conversations, text messages, videos, and other content sent by users must be stored for six months. This applies to users who register and log in from Russian IP addresses, provide a Russian phone number, passport, or other state-issued document during registration. Online services are also required to record and store electronic correspondence of users identified as being in Russia by law enforcement agencies.

Due to heated debates about the high costs of implementing the Yarovaya Law, especially for operators and other market participants affected by Federal Law 374-FZ, the authorities previously tried to soften these requirements. In April, a government decree was published regarding telecom operators, requiring them to store messages and call records for six months from the end of their receipt, transmission, delivery, or processing. For data transmission operators, the storage period is 30 days starting October 1, 2018, with a mandatory annual 15% increase in storage capacity for the next five years. However, these conditions do not apply to internet companies, as clarified in the latest government decree.

The current decree specifies that ORIs must store the content of user messages for the maximum period allowed by law: six months. The definition of a Russian user remains as established in the 2014 government decree. Starting July 1, websites, services, and messengers listed in the ORI registry must collect, store for six months, and provide to security agencies upon request not only metadata but also the full content of user correspondence, calls, and any other user activities and interactions.

The ORI registry includes both Russian and foreign websites and services. Major Russian platforms include VKontakte, Yandex (Disk and Mail), Mail.Ru (Mail, My World, Agent, Odnoklassniki, Cloud), and Rambler Mail. Industry-specific, entertainment, and news portals such as Habr, dating services Mamba/Wamba, Roem.ru, and many “C-Media” portals, “Babyblog,” and Dvach are also listed. Some unusual entries include the website of the Republican Syktyvkar Psychoneurological Boarding School and a village school portal. Foreign resources in the registry range from messengers like WeChat and Threema to Snapchat, Vimeo, and Turbobit. However, it remains unclear whether foreign services will comply with Russian security agency requests. For example, Swiss messenger Threema has stated it will not provide user data to Russian authorities, citing Swiss law. Telegram also remains in the registry despite being blocked in Russia for refusing to cooperate with the FSB. Non-compliant services face simple sanctions: blocking by official decision.

For Russian portals and services in the ORI registry, anonymity and confidentiality regarding user actions, public or private correspondence, can no longer be guaranteed. Users should be cautious when using these platforms. If you only consume information, the risk is lower, but if you engage in sensitive work or personal communications, upload files, etc., you should reconsider using these services for such purposes.

It’s not just about security agencies: storing and transferring such vast amounts of sensitive user data to third parties could lead to leaks and black market sales, as has happened with databases from the traffic police, tax authorities, and medical institutions—now with even more personal information at risk.

Expert Opinions and Industry Response

Karen Kazaryan, chief analyst at the Russian Association for Electronic Communications, told CNews: “The government decree sets the maximum legal storage period for message content but does not specify the maximum storage capacity required. Since almost any internet site can be recognized as an ORI, implementing these requirements will be prohibitively expensive for both small and large internet companies. It’s still unclear how to store information containing secrets, personal data, copyrighted materials, and so on.”

He added, “For market participants, the published decree was unexpected, even though the project had been discussed. Large players can comply with the law, but small and medium companies will struggle, especially in such a short time. However, enforcement will likely focus on companies listed in the ORI registry, which rarely includes very small companies.”

The 2016 “anti-terrorism package” introduced similar requirements for telecom operators: they must store information about messages sent by subscribers for three years, and the content itself for up to six months. The rule for storing message content also takes effect July 1, 2018, with requirements detailed in a separate government decree. This decree, issued in spring 2018, requires phone traffic to be stored for six months. For data traffic, a compromise was reached: starting October 1, 2018, operators must allocate storage for one month’s worth of subscriber data and submit the system to Roskomnadzor and the FSB, increasing capacity by 15% annually for five years.

Background: The Yarovaya Law and ORI Registry

The ORI term was introduced in 2014 with the “anti-terrorism amendments” co-authored by Senator Irina Yarovaya. ORIs are websites and services that enable user communication online, excluding sites for personal or family use. Initially, the law required them to store data on Russian user activities within Russia for six months, with a government decree detailing storage requirements. Russian users are defined as those logging in from Russia, registering from Russia, or using Russian identifiers (passports, phone numbers, etc.). Law enforcement can also designate users as Russian. ORIs must store and provide registration data, login records, sent and received messages, paid services, and payments to Russian authorities.

The 2016 Yarovaya Law extended the storage period for Russian user correspondence to one year and message content to six months, covering all types of messages: text, photos, videos, images, audio, etc. This requirement is the most expensive for ORIs, and major Russian internet companies opposed it. The law delayed its implementation until July 1, 2018, with the government to set storage requirements. If ORIs use encryption key exchange, they must provide decryption keys to security agencies.

Unlike telecom operators, whose activities are licensed, regulating ORIs is more difficult. The ORI registry was created by Roskomnadzor in fall 2014, initially including only Russian services. Refusal to register results in blocking access from Russia, but foreign platforms were not penalized at first. The first foreign services were added in early 2017, and some were blocked for non-compliance. However, major services like Facebook, Twitter, WhatsApp, Viber, and Skype are not in the registry and have not faced sanctions.

The most high-profile case involved Telegram. In 2017, Roskomnadzor warned Telegram of a potential block. Founder Pavel Durov agreed to register but refused to provide user correspondence. The FSB then demanded decryption keys, and after Telegram refused, Roskomnadzor began blocking the service, though Telegram has managed to circumvent the block.

Artem Kozlyuk, head of the public organization RosKomSvoboda, notes that the ORI registry has operated non-transparently: “This will likely continue, and user data requests will be handled informally. The case of Swiss messenger Threema is telling: Roskomnadzor added it to the registry, but Threema stated that Swiss law prohibits sharing user data.”

ORIs themselves have been cautious in commenting on the government decree. One market participant noted that the ORI decree took much longer to coordinate than the telecom decree because “no one understands how to implement it.” While telecom operators can be required to buy expensive SORM equipment due to licensing, there are no such requirements for ORIs. Non-licensees can only be threatened with blocking in Russia, and there are still no regulations specifying penalties for non-compliance with the Yarovaya Law.

Yuri Sinodov, founder of Roem.ru (an ORI-registered site), said the decree was no surprise: “Messages are stored and are public. We simply don’t have anything else.” German Klimenko, owner of Liveinternet.ru and former presidential advisor, also sees no major issues: “No surprises. Some services with voice features may face difficulties, as voice is usually not stored. Text data is stored by everyone, often for longer than required by the government.”

The ORI registry also includes VKontakte, Yandex Mail, Mail.ru Group, Rambler, messengers like Telegram, WeChat, Snap, Viber, dating sites Badoo, Mamba, and other platforms. Representatives of Mail.Ru Group, Yandex, Rambler, Viber, and Badoo did not respond to journalists’ questions about the decree.

Financial and Market Impact

Prime Minister Dmitry Medvedev signed the decree requiring internet companies to store user information for six months starting July 1 under the Yarovaya Law. Telecom operators must increase internet traffic storage capacity by 15% annually for five years. Data can be stored on other operators’ servers with prior FSB approval. Operators must begin storing internet traffic from October 1, 2018.

For Mail.ru Group alone, one-time capital expenditures for compliance are estimated at $1.2–2 billion, about three times the group’s annual revenue, according to internal documents from 2016. The company expected additional annual operating costs of $80–100 million, plus $35–40 million for software upgrades needed to store user data. Upgrading Mail.ru Group’s information systems to meet the Yarovaya requirements will take 3–5 years.

Major Russian telecom companies have published their Yarovaya Law compliance cost forecasts. MegaFon estimates 40 billion rubles over five years, VimpelCom 45 billion rubles, with 6 billion and 7 billion rubles planned for 2018, respectively. MTS expects to invest about 60 billion rubles over five years, with 2018–2019 costs to be determined after technical solution procurement. Regional operators are also cautiously commenting, indicating they will have to comply with Federal Law 374-FZ regardless.

The Yarovaya Law’s implementation will impact telecom investments, but analysts are divided. Sergey Drozdov of Finam believes the telecom sector lacks growth potential, mainly due to the Yarovaya Law’s additional costs, which will ultimately reduce future profits. Vitaly Manzhos agrees, noting that MTS shares currently lack buy signals and may decline further. However, Stanislav Kleschev sees a positive buying opportunity for the sector, including Rostelecom and MegaFon.

Some operators have already warned users about tariff increases due to the Yarovaya Law. Smaller providers are especially vulnerable, as acquiring the necessary storage and processing capacity is a major challenge. The main beneficiaries will be SORM (System for Operative Investigative Activities) system manufacturers, such as Citadel, Norsi-Trans, and Orion (formerly Special Technologies). Only the St. Petersburg provider Telecompass (Komfortel brand) has publicly estimated its database system implementation cost at 36.9 million rubles for 10 Gbps peak network traffic (excluding voice data). These costs are already being passed on to subscribers: in late May, Telecompass informed clients of an 8% rate increase starting July 1, 2018. ER-Telecom, which holds 11% of the Russian broadband market, has also begun raising rates by 10%.