Openness Ratings of Russian Mobile Operators

Experts from RosKomSvoboda and the Internet Protection Society conducted a study titled “Openness Ratings of Mobile Operators,” aimed at evaluating the policies and practices of Russia’s four largest mobile operators (Tele2, Beeline, Megafon, MTS). The research reveals how willing these companies are to disclose user data at the request of government agencies. The report also illustrates the efforts of the “Big Four” to protect citizens’ rights to freedom of expression and privacy in the digital age, as well as their compliance with digital human rights standards.

“Over five years of intensive Internet regulation, Russian law has imposed many new obligations and restrictions on all parties involved in the dissemination and receipt of information online. This has affected Russian users, as well as the entire IT, telecom, and content industries,” the study notes.

Since 2012, telecom operators and providers have been required to comply with federal laws No. 436-FZ “On Protecting Children from Information Harmful to Their Health and Development” and No. 139-FZ, which introduced restrictions on access to websites listed in the Unified Register of Roskomnadzor. These obligations often conflict with users’ interests and impact their digital rights.

According to RosKomSvoboda, over five years, access by IP address has been restricted to more than ten million websites and online services.

Data Retention and Government Control

With the adoption of Federal Law No. 374-FZ (“Yarovaya Law”) in July 2016, telecom operators were required to store metadata in Russia for three years and all user messages and content for six months. Despite the growing role of operators in state control over content and user activity, the interaction between public authorities and telecom companies remains opaque. Recently, the Russian government has effectively banned the disclosure of information about such cooperation.

International guidelines, such as the UN Guiding Principles on Business and Human Rights, emphasize the responsibility of private companies to respect human rights, regardless of state obligations. These principles call for a minimum level of corporate transparency and encourage companies to commit to upholding human rights. Other international documents, including recommendations from the UN Special Rapporteur on Freedom of Expression, highlight the crucial role of private companies in protecting civil rights in the digital space.

Recommendations state that when governments require companies to participate in censorship or surveillance, companies should strive to prevent or mitigate negative human rights impacts as much as possible within the law. Companies should also ensure maximum transparency in their policies and actions related to freedom of expression and other fundamental rights, and incorporate these commitments into internal policies, product development, business growth, and staff training.

Focus on the “Big Four” Mobile Operators

Given the increasing use of mobile devices for Internet access, the study focused on the “Big Four” mobile operators in Russia: MTS, VimpelCom (Beeline), Megafon, and T2 RTK Holding (Tele2). The goal was to assess their policies and practices regarding data disclosure to government agencies, compliance with federal laws, efforts to protect freedom of expression and privacy, and adherence to digital rights standards.

The authors argue that if users cannot evaluate a company’s approach to their rights before signing a contract, they cannot make an informed choice about their Internet provider. They hope this research will lay the foundation for regular analysis of telecom and Internet company policies and help identify steps to improve human rights protection in the digital space.

According to Mikhail Klimarev, executive director of the Internet Protection Society and creator of “ZaTelekom,” the study’s results can help start a constructive dialogue with both small and large telecom operators. To counter sudden legislative initiatives like the “Yarovaya Law,” it is necessary to establish a practice of proactive data disclosure regarding law enforcement requests and other blockings. Klimarev believes that the more open a provider is about digital rights, the more competitive it becomes. He suggests that a standard “user agreement” that respects digital rights could be developed for operators.

Methodology and Scope

The study used the Ranking Digital Rights methodology, adapted for the Russian context. Researchers analyzed official websites of the four mobile operators, their parent companies, official blogs, and open sources, including media outlets. The questions were grouped into five main topics:

• Company position on human rights
• Availability of User Agreements and Privacy Policies
• Protection of users’ right to information
• Protection of users’ privacy
• Methods of blocking Internet resources used by operators

Each company received a score for each question:

• “1” (yes) – clear evidence of commitment to information freedom/privacy
• “0.5” (partial) – insufficient information, partial disclosure
• “0” (no) – no evidence of commitment found

Each operator’s total score reflects its overall transparency efforts.

Key Findings by Category

1. Company Position on Human Rights

This included any corporate activity announcing the company’s stance on laws affecting digital rights, participation in relevant associations, and public information about their human rights policies. The study found that Beeline and MTS express a stronger commitment to human rights than Tele2 and Megafon, mainly due to their parent companies’ participation in the UN Global Compact. However, at the local level, public commitments are weaker or absent.

Russian law does not require operators to publish such data, and in many cases, they are prohibited from disclosing information about government requests. Information about SORM (the lawful interception system) is considered a state secret, and even operators may not know the details.

RosKomSvoboda’s lead lawyer, Sarkis Darbinyan, notes that the issue is not legal but about corporate social responsibility and respect for clients’ rights. There are no legal obligations, but there are international standards and recommendations.

2. Availability of User Agreements and Privacy Policies

All operators publish their User Agreements and Privacy Policies on their official websites, covering the collection, storage, use, and transfer of personal data. However, these documents are often written in complex legal language, are lengthy, and difficult to understand. In some cases, they are hard to find or access in a user-friendly format.

3. Protection of Users’ Right to Information

The right to information includes both the right to disseminate and receive information. Mobile operators play a key role in providing Internet access and implementing state policies on online information. The study found that none of the operators publish their procedures for restricting access to online resources, appeal processes, or statistics on blocked sites. MTS provides the clearest notifications to users about blocked sites.

There are no legal requirements for operators to publish such information. Operators may disclose the number of blocked sites at their discretion, but there is no obligation to do so.

4. Protection of Users’ Privacy

This section examined whether company policies and practices demonstrate a commitment to privacy and digital security, as outlined in the Universal Declaration of Human Rights and other international documents. The study found that none of the operators notify users about the risks to their constitutional rights or disclose information about possible traffic interception by law enforcement via SORM. There is no mention in service documents that operator equipment is connected to FSB monitoring systems.

No operator publishes information about the process or number of law enforcement data requests. This lack of transparency contrasts sharply with European and US operators, who regularly publish such data. On the positive side, Russian operators do make efforts to combat spam and fraud and educate users about cybersecurity, and all companies commit to using personal data only for contractual purposes.

5. Methods of Website Blocking

Under Federal Law No. 139-FZ, operators must implement technical measures to block “prohibited Internet resources.” Information about such sites is collected in the Unified Register, managed by Roskomnadzor. Operators must regularly download the register and block all listed resources. The technical methods of blocking are not strictly regulated, so operators choose their own solutions. Roskomnadzor monitors compliance using the “Revisor” system, which checks if blocked resources are accessible from operator networks and imposes fines for violations.

Blocking methods include:

• IP and protocol blocking
• DPI (Deep Packet Inspection) technology
• URL blocking
• Platform-based blocking (used by search engines)
• DNS blocking

Blocking can occur at the national, provider, local network, or endpoint level. The study’s open testing of blocked sites and pages revealed significant differences in the information provided to users by different operators.

Conclusions

• SORM procedures are not explained
• Information on government requests is not published
• Blocking procedures and appeal processes are not explained
• Documents are complex and not always easy to find
• Different blocking methods are used
• “Block pages” vary in the amount of information provided

In the “Openness Rating,” the Big Four operators received the following scores:

This work is distributed under a Creative Commons Attribution-ShareAlike 4.0 International License.

According to the authors, the results were sent to all four operators for comments or clarifications, but none responded. RosKomSvoboda urges operators, providers, human rights advocates, and industry representatives to review the study and develop proposals for reforming digital legislation, especially regarding transparency in government-business interactions.