Russia Tightens SORM Surveillance Rules, Expanding Data Collection Across Telecom and Internet Sectors
SORM first appeared in 1995, allowing the FSB to tap telephone traffic. Over two decades, the system has grown to cover internet traffic and other electronic communications. The revised rules now require operators to collect a wider array of identifiers—full names, passport numbers, tax IDs, addresses, usernames, domain names, URLs, corporate records, device identifiers, and geographic coordinates—and to link those identifiers to phone numbers, SIM cards, devices, IP addresses, user accounts, and locations. According to the Ministry, the goal is to enable SORM to “quickly establish links between individuals, devices, networks, accounts and online activity.”
Previously, operators were only obliged to install SORM hardware and grant access when requested. The updated standards add detailed procedures for searching, processing, and transmitting the data, specifying how the information must be handled in government‑mandated formats. The Ministry said the changes are necessary to support national security.
Privacy advocates warn that the expanded data set and automated processing deepen the government’s capacity to monitor citizens’ digital activity. Natalia Krapiva, senior tech counsel at Access Now, said the new requirements “appear intended to reinforce the perception that online activity is constantly monitored.” She added that targeted surveillance, rather than nationwide internet outages, can identify dissent while keeping services online, thereby encouraging self‑censorship.
The regulations impose significant costs on telecom operators. Compliance demands specialized hardware, storage systems, and dedicated communication infrastructure capable of collecting, processing, and transmitting data in the required formats. The investment can reach millions of rubles, a burden that disproportionately affects smaller providers. Failure to comply can trigger financial penalties, licensing problems, regulatory scrutiny, and delays in network approvals, potentially threatening the viability of smaller operators.
Beyond traditional telecom companies, the new SORM rules apply to all “information dissemination organizers” and operators of autonomous systems. This category includes hosting providers, data centers, cloud operators, major technology companies, banks, universities, and large corporations that manage their own internet infrastructure. The expansion reflects the modern internet’s complexity, where data flows across multiple platforms and services.
SORM’s focus is not on intercepting content but on building comprehensive digital profiles that connect fragmented identifiers into a single searchable network. Researchers note that SORM’s evolution moves it closer to functioning as a large‑scale surveillance infrastructure. The system operates within telecommunications infrastructure rather than on users’ devices, so it cannot be disabled by software settings. Virtual private networks may obscure browsing activity from providers, but the existence of the VPN connection and its metadata remain visible to authorities.
The updated SORM regulations are part of a broader pattern of tightening digital oversight in Russia. The government has previously experimented with nationwide internet disruptions during periods of political tension, but such outages have proven unpopular even among politically neutral citizens. The new rules allow authorities to monitor dissent more precisely while maintaining service continuity.
Industry observers warn that the increased compliance burden may accelerate consolidation in the telecom sector. Larger operators with closer ties to the state are better positioned to absorb the costs, potentially reducing competition and making it easier for the Kremlin to monitor and control the sector.
As of now, the regulations are in force, and operators are expected to begin implementing the required hardware and software changes within the next few months. The Ministry has not announced a specific enforcement timeline, but non‑compliance could lead to the penalties described above.
The updated SORM rules represent a significant tightening of Russia’s digital surveillance apparatus, expanding the range of data collected and the speed at which it can be processed and accessed by security agencies. The move is likely to have lasting effects on the telecom market, privacy protections, and the broader digital ecosystem in Russia.