The Importance of Effective Communication
It all started when the Public Services Regulatory Commission (PSRC), the arm's-length body that oversees companies in Armenia that provide electricity, gas, water, district heating, communications, mail service and railroads, sent a draft regulation to over 170 Internet Service Providers (ISPs) asking for their preliminary input. The regulation was called “Decision on the Setting of Standards for the Maintenance of Archives Regarding Internet Access Services Provided by Entities Regulated in the Field of Electronic Communications.” Someone at one of those companies forwarded the document over to Samvel Martirosyan, one of Armenia’s top technology gurus (be sure to check out his contributions to EVN Report), who helpfully posted a copy of the original document to a publicly-accessible Google Drive on the morning of Friday, October 18, 2019. The two-page document is in Armenian but an unofficial English translation is provided at the end of this article.
The document, using vague wording, outlined that ISPs were to keep certain types of information about their customers (including tying their identity to IP and email addresses) and retain it for a period of two years. Although it is clearly marked “DRAFT” in the top right corner and the date fields were left blank, the document looked quite official and mentioned that it was to take effect on January 1, 2020. As there was no mention of this decision or a copy of the regulation on the PSRC’s website – and with thrilling agenda item titles like “Making Changes to the Public Services Regulatory Commission of the Republic of Armenia’s Decision #256A of July 10, 2019” it’s not exactly a breeze to understand everything the PSRC is up to from their website – speculation began to mount that some sort of secret decision had been made to monitor what websites Armenians were visiting and who they were communicating with. No such decision had been made but a lack of official public information fed the fire.
The topic piqued the interest of comedian Narek Margaryan, of ArmComedy fame, who, by that Friday afternoon, had posted the link to the document and tagged a number of Members of Parliament in a Facebook post, expressing his concern. About an hour later, he dedicated a Facebook Live session to the issue to make sure it grabbed people’s attention. It definitely got the conversation going and a number of news agencies jumped on the story. Many made their own interpretations of what the document entailed, which, due to its vagueness, varied widely. The uncertainty fed the fire further.
Assuming the worst, most people voiced their outrage directly through Facebook, ironically a website and company to which they freely provide their most sensitive personal information and with which they conduct much of their personal communication, all while knowing full well that that data is being used to attach category labels to them for the benefit of advertisers.
So What’s Actually In the Draft?
In Armenia’s super-connected post-Velvet Revolution world, that very afternoon, Vahagn Tevosyan, an MP from the My Step caucus, weighed in, also through a Facebook post. Seeing the document for the first time and awaiting clarification from the PSRC, his first interpretation of what it required was that ISPs only needed to keep track of who their customers are, when they first joined their service and when they canceled it, which hardly seems to be a privacy over-reach.
Indeed, the vague wording of the draft regulation leaves many things ambiguous: Is it asking for the date and hour that a person first became an ISP’s customer or is it looking for a detailed history of what times a person logs on and off throughout the day? When it talks about the email service provided to customers, is that service limited to the company running the servers that process the emails or are VivaCell and other providers expected to “sniff” (yes, that’s the technical term) the data you receive through their network to figure out if it is an email or not? Most importantly, what does it mean to keep a record of “the type of communication” that an email was? The other details are different ways of identifying the user.
The following day, Saturday, October 19, Samvel Martirosyan released a podcast about the document. Its title loosely translates to “They are Attempting to Put Our Internet Traffic Under Surveillance.” He made it clear that the actual contents of the emails and websites accessed are not included in the list of data that ISPs are expected to archive. He also shared that you can use a Virtual Private Network (VPN) together with email providers based outside Armenia to circumvent the most questionable provisions of the regulation. Mostly, he lamented the reputational hit to Armenia’s technology industry and the costs of compliance that companies would inevitably need to pass on to consumers.
Finally, after a weekend of spiralling speculation, on Monday, October 21, the PSRC released an official communication to set the record straight and dispel some of the rumors that had grown around the leak:
- Yes, this was only a draft that had been circulated to ISPs by the PSRC.
- No, it was not being evaluated in secret. It was planned to be posted to e-draft.am once feedback from ISPs had been incorporated. All PSRC decisions are made during public sessions.
- No, the content of your browsing history or email messages was not to be disclosed, but their metadata was.
- The regulation was based on an attempt to replicate Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC.
The clarification was not enough to satisfy critics. Gevorg Gorgisyan, an MP and Secretary of the Bright Armenia Party caucus, rose to speak in Parliament on the issue, denouncing the regulation as a “totalitarian” measure that one would expect from North Korea. Though his tone was alarmist (US ISPs record more detailed metadata than was outlined in the PSRC document), he did note that the European Directive 2006/24/EC that the regulation was supposedly based on had been struck down in 2015 by the European Court of Justice for violating the European Charter of Fundamental Rights.
The Open Society Foundations Armenia Office released a public announcement, co-signed by several NGOs, denouncing the draft regulation as unconstitutional, claiming that it violated Article 31 of the Armenian Constitution, which grants the right to inviolability of one’s private and family life. The announcement also accuses the draft regulation of violating the Law on Personal Data Protection and the Law on Operative Search Activities. Of course, these assertions are their interpretation only and have not been tried in court.
The Draft Regulation Should be Abandoned
The PSRC is no stranger to controversy. In 2015, its approval of a 17% electricity fare hike led to the “Electric Yerevan” street protests. The movement ultimately led to the sale of the Electric Networks of Armenia distribution company by its Russian corporate shareholder. It would be wise for it to abandon this draft regulation before public opposition grows any greater.
If the PSRC’s document was meant to copy the practices of an obsolete 13-year-old EU directive (written before the first iPhone was ever released), it did an atrocious job of it. The EU directive specifically spells out that “No data revealing the content of the communication may be retained pursuant to this Directive,” which is crucially left out of the text of the Armenian version. The EU directive sets a period of retention of “not less than six months and not more than two years from the date of the communication” with a requirement to destroy the data at the end of this period, while the Armenian version only mandates an implied minimum period of two years, with no maximum term specified. The EU directive also goes to great lengths to restrict access to this data only to “national authorities in specific cases.” Though such a provision is missing from the Armenian draft, the PSRC stated that the Law on Electronic Communications prohibits ISPs from disclosing customer data except through established legal channels.
The main issue is that the regulation is simply not useful for the stated purpose of protecting national security interests. In fact, the very existence of such archives endangers national security by presenting juicy targets for hackers and malicious insiders to attempt to compromise. In the wrong hands, the information could be useful as part of a coordinated attack on individual Armenian citizens. If a bad actor can link an IP address to a person’s identity, for example, they could then scan their computer for vulnerabilities, knowing who it is they are affecting.
The Public Services Regulatory Commission has promised to consider public input on the draft. You can send them your thoughts by emailing [email protected]
Government Surveillance Worldwide
In a post-9/11 world, there has been a tendency for governments to acquire more and more power to peer into their citizens’ communications. Encryption is a process by which communications can be scrambled so that only those with a “key” (an individual descrambling code) can read them. Famously, after the 2015 San Bernardino attack, the FBI in the United States requested that Apple provide a “master key” that would enable them to decrypt information stored on the attacker’s iPhone. Apple explained that such a master key did not exist and that creating one for new phones in the future was a bad idea. It could fall into the wrong hands by accident, but, more pressingly, other less-democratic governments could also demand it.
In 2013, Edward Snowden blew the whistle on National Security Agency (NSA) projects under which major technology companies provided information about their users to the Five Eyes intelligence alliance, consisting of the United States, United Kingdom, Canada, Australia and New Zealand. It led to the popularization of “end-to-end encryption,” a technology that allows two people to communicate without even the company whose software they are using being able to decipher the content of their messages. Signal and Telegram were two messaging apps that were quick to employ the technology. WhatsApp followed suit in 2014, after being acquired by Facebook.
In the summer of 2019, Facebook announced plans to extend end-to-end encryption across all their platforms, including Facebook Messenger and Instagram. The United States and the United Kingdom were not happy, once again requesting special backdoor access so that their law enforcement agencies could read the content of messages sent on these platforms.
In China, the government and major technology firms cooperate very closely on surveillance and even censorship of messages on platforms such as WeChat. Companies, such as Google and Facebook, who refuse to work with the Chinese government are blocked within the country.
The current Pashinyan government knows very well that it owes a special debt to Internet freedom. Livestreams and social media helped the Velvet Revolution grow during its earliest stages, when protests were still being ignored by traditional media. Especially given the strategic importance placed on the technology industry as part of Armenia’s economic growth targets, it would be wise for government agencies not to press too hard on the regulatory hurdles they place on Internet companies. If anything, regulations should be moving in the opposite direction, strengthening privacy safeguards and improving Armenia’s reputation as a trustworthy center for new technology companies.
An unofficial English translation of the leaked draft is provided below:
Republic of Armenia
Public Services Regulatory Commission Decision
Dated the _________th Day of ________, 2019 Yerevan
On the Setting of Standards for the Maintenance of Archives Regarding Internet Access Services Provided By Entities Regulated in the Field of Electronic Communications
Based on the Law on Electronic Communication, specifically:
Article 5, Section 2, Subsections 11) and 27);
Article 6, Section 1; and
Article 6, Section 2, Subsection 1)