Mintsifra and the ban on TLS 1.3 (and, with it, HTTPS): a review of the bill

Hello, Habr.



Last time we wrote that Mintsifra (the Ministry of Digital Development) had put up for public discussion a bill which, according to its explanatory memorandum, prohibits services in Russia from using the domain-name hiding technologies eSNI/ECH and, more broadly, all of TLS 1.3, and which, by the letter of the bill, even bans HTTPS in general.







Now I would like to show what IT people can do in such cases, beyond the heated discussions on Habr. Whether it will have an effect we will see in the coming weeks, but at the very least this is the right way to communicate with government agencies about such bills.



Every bill under consideration by Mintsifra, like those of other departments, has its own page on regulation.gov.ru; in this case, here it is. The page has a link "Your suggestions"; after clicking it and logging in through Gosuslugi (the State Services portal), you can submit proposals as text or as an attached file.



What to do and what not to do?



  1. Send only proposals written on the substance of the bill, with specific comments. Spend a day or two reading the bill carefully and formulate specific objections to it.
  2. , - . , 500 , 10 , 490 — , , . , , , .
  3. — - , . , .
  4. , , etc. — . — , , .
  5. If you have the opportunity to publish your review and an explanatory note to it openly, for example in the media or on the website of a specialized association or organization, use it. Let a trace of your activity remain in the public domain and be findable on Google.
  6. Don't forget about Habr. Rather than groaning yet again in the comments that no one reads about soulless officials, do the work described above and share it here.




So, now for a good example.



Appeal to Mintsifra: experts on the danger of the new bill





“Those who are willing to sacrifice their essential freedom for a fraction of temporary security deserve neither freedom nor security.”



Benjamin Franklin, Pennsylvania Assembly official letter to Governor Thomas Wharton, November 11, 1755




On Monday, October 5, the period for submitting responses in the public discussion of the new draft law of the Ministry of Digital Development of the Russian Federation, amending Federal Law 149-FZ "On Information, Information Technologies and Information Protection", came to an end:



1) 2 21 :



« , () - ‎«» — , , .»;



2) 2 10 :



« , () ‎- «», , .



Violation of the prohibition on using, in the Russian Federation, encryption protocols that allow hiding the name (identifier) of a web page or site on the Internet entails suspension of the Internet resource's operation no later than 1 (one) business day from the day the violation was discovered by the authorized federal executive body."





According to many experts, a view we fully share, in its current form this bill is not merely harmful but dangerous, primarily for the domestic segment of the Internet that it is intended to protect.



Let's start from a little way back. A significant part of the existence and development of the Internet over the past two decades, from the moment it became a generally accepted means of communication, including for the transfer of critical information such as financial and personal user data, has been the fight against scammers and other people with dishonest intentions. It has gone through many stages: the rapid development of antivirus software, protection against spam and fake (phishing) emails, the spread of certificates confirming that the site you visited really is who it claims to be, and finally the encryption of the messages exchanged between your computer and the site's servers so that fraudsters cannot intercept, eavesdrop on or forge them.



These tasks are being solved step by step, as in any contest between shell and armor.



The next stage in protecting Internet users from fraudsters is hiding from unauthorized parties not only the content of the information you exchange with sites, but also the very names of the sites you visit. Nobody except you should know which bank you use and when, or which services you are registered with. These technologies are known to professionals as eSNI (encrypted Server Name Indication) and ECH (Encrypted Client Hello), and they are now in the early stages of deployment.



Yes, these technologies prevent Roskomnadzor from blocking unwanted sites, including sites that host prohibited content. But in the same way, locks on the doors of apartments and building entrances hinder the police in pursuing suspected crimes, and yet here society has unhesitatingly reached a consensus that personal space should remain private and protected; that the right to protect this space should not be delegated unconditionally to the competent authorities, because they still cannot post a police officer at every door; that there is a line that cannot be crossed. Yes, an honest person has nothing to hide. No, this does not mean that he can be forbidden to draw the curtains.



Unfortunately, in the field of digital technologies there is no such consensus, so, to extend the analogy, the Ministry of Digital Development proposes starting with a ban on drawing the curtains and then moving on to outlawing locks on doors.



Beyond the sheer inadmissibility of such bans, we must note the colossal damage they will do to the Russian Internet industry in the medium term. The aforementioned eSNI and ECH are part of global standards, for example TLS 1.3, which will not only be used more and more widely by foreign companies but will certainly be written into specific requirements, for example the PCI DSS requirements for the secure processing of financial information, which every banking and payment organization must satisfy.



What will Mintsifra answer when representatives of Russian banks come to it and say that they can no longer work with VISA and MasterCard cards because the new version of PCI DSS makes TLS 1.3 mandatory, and Mintsifra has banned it? When it turns out that the world's largest services are moving to the new standards simply in the course of routine software updates on their servers?



Moreover, the extreme vagueness of the bill's wording makes it possible, if it is adopted, to shut down almost the entire Internet, the Russian one included, literally the next day. The phrase "allowing the name (identifier) of an Internet page to be hidden" can formally be applied to any site that uses the HTTPS protocol, that is, to almost 100% of large sites. Go to Yandex, Mail.ru, Sberbank or Kultura.rf and look at the lock icon next to the site address: that is the very HTTPS that "hides the names of Internet pages" and at the same time prevents attackers from substituting a fake site for the real one, intercepting your card details or learning your passwords.
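To make concrete what HTTPS does and does not hide on the wire, and therefore what eSNI/ECH adds, here is an added illustration in Python that is not part of the original appeal or the bill. It builds a minimal TLS 1.3 ClientHello for a hypothetical host and then parses it the way a passive observer on the network path would, pulling out the server_name extension, which plain HTTPS sends unencrypted; the URL path, headers and page body are never in the ClientHello at all, they travel only inside the encrypted records that follow. In the second case the ClientHello carries an ECH extension: the outer server_name then names only the client-facing server, and the real site name sits inside the encrypted inner ClientHello. The host names, the all-zero random and the ECH payload bytes are constructed placeholders (a real ECH payload is HPKE-encrypted); the extension codepoints are the registered server_name and supported_versions values and the encrypted_client_hello codepoint used by the current IETF ECH drafts.

```python
import struct

# TLS ExtensionType codepoints (IANA registry; ECH codepoint from draft-ietf-tls-esni).
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
EXT_ENCRYPTED_CLIENT_HELLO = 0xFE0D


def _ext(ext_type, data):
    """Encode one extension: 2-byte type, 2-byte length, data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def server_name_extension(host):
    """server_name extension with a single host_name entry (RFC 6066)."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # NameType host_name = 0
    return _ext(EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def build_client_hello(host, ech_payload=None):
    """Minimal TLS 1.3 ClientHello inside a TLS record.
    The random field and the ECH payload are constructed placeholders."""
    exts = server_name_extension(host)
    exts += _ext(EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04")      # offer TLS 1.3 only
    if ech_payload is not None:
        exts += _ext(EXT_ENCRYPTED_CLIENT_HELLO, ech_payload)
    body = (
        b"\x03\x03"                                  # legacy_version = TLS 1.2
        + bytes(32)                                  # random (constructed: all zero)
        + b"\x00"                                    # empty legacy_session_id
        + struct.pack("!H", 2) + b"\x13\x01"         # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def observe_client_hello(record):
    """What a passive on-path observer can read from a ClientHello record:
    the plaintext server_name (if any) and whether an ECH extension is present.
    Returns {"sni": str or None, "ech": bool}."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                              # past record + handshake headers
    pos += 2 + 32                                        # legacy_version, random
    pos += 1 + record[pos]                               # legacy_session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                               # compression_methods
    ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    result = {"sni": None, "ech": False}
    while pos + 4 <= end:
        ext_type, data_len = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + data_len]
        pos += 4 + data_len
        if ext_type == EXT_ENCRYPTED_CLIENT_HELLO:
            result["ech"] = True
        elif ext_type == EXT_SERVER_NAME:
            # ServerNameList: 2-byte list length, then (type, length, name) entries
            p = 2
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:
                    result["sni"] = name.decode("ascii")
    return result


if __name__ == "__main__":
    # Plain HTTPS: the site name is readable by anyone on the path; only the
    # URL path, headers and page content are inside the encrypted records.
    plain = build_client_hello("bank.example")
    print(observe_client_hello(plain))    # {'sni': 'bank.example', 'ech': False}

    # With ECH the outer ClientHello names only the client-facing server; the
    # real name is inside the encrypted inner ClientHello (placeholder bytes here).
    with_ech = build_client_hello("public.cdn.example", ech_payload=b"\x00" * 48)
    print(observe_client_hello(with_ech))  # {'sni': 'public.cdn.example', 'ech': True}
```

The first case is what the bill's phrase about "hiding the name of an Internet page" already describes for ordinary HTTPS: the page (path) is hidden, the host name is not. The second case is what eSNI/ECH changes: the observer still sees a name, but only the shared public name of the fronting server, which is exactly why the technology is hard to use for selective blocking.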



Without denying the importance of combating the spread of illegal content on the Internet, we emphasize: if adopted in its current form, the bill will cause irreparable damage to the Russian segment of the Internet, cutting the Russian market off from the world's largest services, endangering the digitalization of the Russian economy and sharply reducing the competitiveness of domestic Internet companies on the international market. Falling behind in technologies for protecting transmitted data will endanger the country's national security by making it easier for interested foreign actors to collect sensitive information.



We insist that the bill be radically revised, taking the above comments into account.



Attachment: Review of the Direct Democracy Party experts on the draft law "On Amendments to Articles 2 and 10 of the Federal Law 'On Information, Information Technologies and Information Protection'" (PDF, 171 KB)

This review is signed by:



Makarov Vyacheslav Viktorovich

General Secretary of the Supreme Coordination Council of the Direct Democracy Party



Artamonov Oleg Nikolayevich

Head of the group of scientific and technical expertise of the Direct Democracy Party



Shevyakov Timofey Nikolayevich

Press Secretary, member of the Supreme Coordination Council of the Direct Democracy Party



Lysakovsky Dmitry Ivanovich

Entrepreneur, member of the Supreme Coordination Council of the Direct Democracy Party



Chigidin Boris Viktorovich

Member of the Supreme Coordinating Council of the Direct Democracy Party, Ph.D.



Filippov Andrey Alexandrovich

Member of the Supreme Coordinating Council of the Direct Democracy Party



Palyulin Anton Yurievich

Managing partner of the legal bureau "Palyulin and Partners"



Nesterovich Sergey Alexandrovich

Deputy Chief Editor of the "Agency of Political News"



Scherbakov Alexey

Lead developer, FoodPlex



Pusher Alexander

Entrepreneur, Community Lead at Gaijin Entertainment



Kaloshin Vyacheslav

entrepreneur, architect, project manager



Zaitsev Alexey Vladimirovich

Web developer



Povolotsky Alexander Borisovich

System administrator and programmer



Bolshakov Nikolay Borisovich

Project manager



Ivanov Pavel Borisovich

Project manager Learnee, developer



Maddalena Alexander Nikolovich

Independent professional



Petrov Alexey Alekseevich

Entrepreneur, web developer



Vardiev Pavel Anatolyevich

IT specialist with more than 20 years of experience



***



The original appeal is published here. If you want to become a signatory, albeit after the fact, there is a form at the link below.



Let's be honest: we don't know whether this will have any effect, but we will try to make sure that the appeal is noticed at Mintsifra.



Shall we repeat this exercise next time? At least then no one will be able to say "yes, those hackers from Habr were unhappy, but in fact no comments were received".


