The System of Operational Research Activities (SORM) represents one of the most sophisticated and controversial digital surveillance tools available today. Since its initial implementation in 1995, this system has evolved to become a mainstay of the state control apparatus in Russia. Its ability to intercept and analyze telephone and Internet communications has positioned it as a paradigmatic example of how governments can use technology to surveil their population. However, its implications transcend Russian borders, as SORM has been exported to other countries, becoming a global model of surveillance.
In this article we will explore the origins, evolution and implications of SORM, as well as its impact on human rights, its global expansion and the risks it poses to privacy. This article is based on research by Recorded Future; you can find the report at the end of the article.
In 1995, the Russian government implemented SORM-1, forcing telecommunications operators to install equipment provided by the FSB (Russian Federal Security Service). This system allowed the interception and storage of telephone communications, emails and basic web browsing data. At the time, Internet access in Russia was limited, but the authorities were already anticipating the crucial role that digital technology would play in the future.
SORM-1 laid the foundation for a centralized state surveillance model, in which security agencies have direct access to communications without prior notification to operators.
With the rise of the Internet in the late 1990s, the Russian government introduced SORM-2, expanding the scope of the system to include surveillance of online activities. Under this version, Internet Service Providers (ISPs) were required to install monitoring devices that tracked emails, financial transactions and web browsing.
In 2014, SORM-2 expanded its scope again, forcing operators of social networks, forums and messaging services to install SORM-compliant equipment. This marked a significant change by also incorporating the monitoring of emerging digital platforms.
The introduction of SORM-3 represented a technological revolution. This system integrated deep packet inspection (DPI) capabilities, allowing real-time monitoring of network traffic and specific devices. Among the capabilities of SORM-3, the following stand out:
SORM-3 consolidated the Russian state’s ability to conduct mass surveillance at an unprecedented level of detail.
One of the most controversial aspects of SORM is the lack of transparency and judicial controls. Although a court order is technically required to access the content of communications, security agencies can initiate surveillance without the need to present formal evidence or notify providers. In addition, telecom operators have no right to demand legal documentation or access to equipment installed on their networks.
This legislation, enacted in 2016 in Russia, strengthened state surveillance capabilities by requiring ISPs and telecommunications companies to store communications data for a minimum of six months and hand it over to authorities on demand. The law also clamped down on the use of encryption technologies that could hinder surveillance.
In 2015, the European Court of Human Rights declared that SORM violated Article 8 of the European Convention on Human Rights, which protects the right to privacy. The ruling highlighted the absence of safeguards against abuse and arbitrariness in the Russian surveillance system. Despite this ruling, Russia continues to use and expand the system.
The SORM model has been exported to several countries, including Belarus, Cuba, Nicaragua, Kazakhstan and Uzbekistan. These countries have adopted SORM-based systems to strengthen their state surveillance capabilities. Russian suppliers such as Citadel, Protei and Norsi-Trans have played a key role in the distribution of these technologies, adapting them to local regulations.
The export of SORM not only strengthens the surveillance capabilities of the purchasing governments, but also raises concerns about possible Russian involvement in accessing the intercepted data. This poses a significant privacy risk, especially in countries with a history of political repression and lack of independent judicial oversight.
The lack of transparency in the operation of SORM facilitates its use for purposes beyond national security. Journalists, activists and political opponents are often the main targets of this type of surveillance.
In countries that have adopted SORM-based systems, foreigners, including companies and travelers, may be subject to monitoring. This represents a significant risk to the security of corporate and personal communications.
The use of SORM generates an environment of distrust and self-censorship among citizens, who fear that their online activities will be constantly monitored.
SORM represents the dilemma between ensuring security and protecting individual freedom. While its proponents argue that it is an essential tool to fight crime and terrorism, its detractors see it as a state control mechanism that threatens fundamental rights. As technology advances and surveillance becomes more sophisticated, it is crucial to reflect on the limits that governments must respect in order to balance security and freedom.
In an interconnected world, SORM reminds us of the importance of defending privacy as an essential human right. The discussion about its impact and global implications is more relevant than ever.
We would like to thank Recorded Future and Insikt Group for their research contribution on SORM. You can find the full report at the following link.