Legislation in IT

Author: Chris Punches (@cmpunches, Silo group). License: "Please feel free to share unmodified".

The following text is an unmodified copy of now removed issue #2250 on rms-open-letter.github.io repository. The text claims multiple violations of different policies, codes of conduct and other documents in creation, content and support of the "Open letter to remove Richard M. Stallman from all leadership positions". The issue has not been addressed.

The onslaught of data security breaches today is relentless, with thousands of major breaches each year and 50 percent more breaches in 2019 vs. 2018, according to a report by Risk Based Security. The costs for each breach have burgeoned as well, with the average cost of a data breach at about $3.92 million.

Securing data from breaches not only spares bottom line and publicity, it's now also a basic legal requirement to comply with rapidly growing data privacy laws.

While organizations have long had to comply with industry-specific standards, such as HIPAA in healthcare and the Payment Card Industry Data Security Standard (PCI DSS), you now also face new consumer privacy regulations. Including:

On December 12, it became known from Nginx's employee Twitter that the company's office was searched due to the criminal case under Article 146 of the Criminal Code of the Russian Federation 'Violation of Author's and Neighboring Rights'. The claim belong to Rambler Group was, although formally the complaintant is Lynwood Investments CY Ltd, to which the rights were transferred. The last-mentioned is related to the co-owner of Rambler Group, Alexander Mamut.

The point of the claim: Igor started working on Nginx as an employee of Rambler and only after the tool became popular he founded a separate company and attracted investments.

Here is how the events unfolded.

According to one of the employees Nginx's Moscow office is being searched due to the criminal case brought by Rambler Group (the official response of the company's press office to this issue and confirmation of claims against Nginx is below). The photo of the search warrant is provided as the evidence of the criminal case initiated on December 4, 2019 under Article 146 of the Criminal Code of the Russian Federation 'Violation of Author's and Neighboring Rights'.


It is assumed the complaintant is Rambler, and the defendant is still an 'unidentified group of persons', and in the long run — the founder of Nginx, Igor Sysoyev.

The point of the claim: Igor started working on Nginx as an employee of Rambler and only after the tool became popular he founded a separate company and attracted investments.

It is not clear why Rambler revised its 'property' only 15 years later.

A completely routine tech support ticket has uncovered unexpected bans of IP addresses of Protonmail — a very useful service for people valuing their Internet freedoms — in several regions of Russia. I seriously didn’t want to sensationalize the headline, but the story is so strange and inexplicable I couldn’t resist.

TL;DR

Disclaimer: the situation is still developing. There might not be anything malicious, but most likely there is. I will update the post once new information comes through.

MTS and Rostelecom — two of the biggest Russian ISPs — started to block traffic to SMTP servers of the encrypted email service Protonmail according to an FSB request, with no regard for the official government registry of restricted websites. It seems like it’s been happening for a while, but no one paid special attention to it. Until now.

All involved parties have received relevant requests for information which they’re obligated to reply.

UPD: MTS has provided a scan of the FSB letter, which is the basis for restricting the access. Justification: the ongoing Universiade in Krasnoyarsk and “phone terrorism”. It’s supposed to prevent ProtonMail emails from going to emergency addresses of security services and schools.

UPD: Protonmail was surprised by “these strange Russians” and their methods for battling fraud abuse, as well as suggested a more effective way to do it — via abuse mailbox.

UPD: FSB’s justification doesn’t appear to be true: the bans broke ProtonMail’s incoming mail, rather than outgoing.

UPD: Protonmail shrugged and changed the IP addresses of their MXs taking them out of the blocking after that particular FSB letter. What will happen next is open ended question.

UPD: Apparently, such letter was not the only one and there is still a set of IP addresses of VOIP-services which are blocked without appropriate records in the official registry of restricted websites.