Large tech companies, including a Moscow search engine that previously handed over user data to Russia’s secret police, retained access to Facebook users’ data long after everyone else was locked out, according to a New York Times story published Tuesday.
Under a special arrangement with Facebook, so-called “integration partners” like Netflix, Spotify, Bing and the Times itself all enjoyed some level of privileged access to user data. Facebook defended those partnerships in a carefully worded statement Tuesday night.
“People could have more social experiences—like seeing recommendations from their Facebook friends—on other popular apps and websites, like Netflix, The New York Times, Pandora and Spotify,” wrote Facebook’s Konstantinos Papamiltiadis, director of developer platforms and programs. “To be clear: none of these partnerships or features gave companies access to information without people’s permission.”
The statement names only Facebook’s American partners, conspicuously omitting mention of two of the foreign companies also granted special access: China's Huawei and Russia's Yandex.
U.S. intelligence agencies and lawmakers in recent years have raised concerns about hardware and software products made in China and Russia, arguing that those countries’ spy agencies could turn the products into surveillance tools at any time. Last year the Russian computer security vendor Kaspersky was banned from U.S. government networks, and this year a similar ban was extended to Huawei. Huawei’s CTO, Meng Wanzhou, was arrested in Canada this month on a U.S. warrant accusing her of violating sanctions on Iran.
Facebook’s relationship with Moscow-based Yandex will likely draw special scrutiny. According to the Times story, Yandex maintained privileged access to Facebook user data as recently as 2017, even though Yandex’s integration partnership with Facebook ended years earlier.
Founded in 1997 by two Russian mathematicians, Yandex is Russia’s largest technology company and the fourth largest search engine in the world. While it’s rarely cast as a voluntary collaborator with the Kremlin, in 2011, Yandex admitted it had passed information to Russia’s FSB, the successor agency to the KGB, about donations made to anti-corruption blogger Alexei Navalny through Yandex’s online payment service. And last year Ukrainian law enforcement agents in Odessa and Kiev raided a Yandex subsidiary on suspicion of it committing “high treason.”
“The law-enforcers established that management of the company illegally collected, stored and passed to Russia personal data of Ukrainian citizens,” wrote Ukraine’s counterintelligence agency, the SBU, at the time. “In particular personal data, occupation, way of life, places of visit, residences, phone numbers, emails and accounts in social networks.”
Yandex has denied that accusation, but in its 2017 annual report the company acknowledged the particular risks of doing business under Vladimir Putin’s authoritarian regime, including “perceived lack of judicial and prosecutorial independence from political, social and commercial forces,” and “a high degree of discretion on the part of the judiciary and governmental authorities.”
The company’s relationship with the Russian government is “in the middle,” said Kimberly Zenz, a nonresident senior fellow with the Cyber Statecraft Initiative at the Atlantic Council's Scowcroft Center for Strategy and Security. “Not brave opposition freedom fighters, not a complete state property.” In Yandex’s formative years it resisted the Kremlin’s efforts to get control of Russia’s burgeoning internet. Then in 2014 Putin publicly singled out Yandex as unduly influenced by American and Western European investors, and claimed that the internet itself is a CIA plot.
After that rhetorical warning from Putin, Yandex became more yielding. Following Russia’s annexation of Crimea, Yandex bowed to pressure and “started offering different maps of Ukraine for Russian and Ukrainian users,” explained journalists Andrei Soldatov and Irina Borogan in The Red Web. Ukrainian users saw the map they always had, while Russian users were shown a map that placed Crimea as part of Russia.
At around the same time, the company began complying with a new law requiring online services to retain customer metadata for six months, and it hooked its servers to the Kremlin’s notorious SORM internet spy system, which gives Russian intelligence and law enforcement agencies backdoor access to servers, networks and phone lines throughout Russia.
Using SORM, Russia’s law enforcement and intelligence agencies would be able to copy any Facebook user data Yandex obtained, provided Yandex stored it on Russian soil and not on servers outside the country, Soldatov told The Daily Beast. “This is the crucial thing,” he said. “Does Yandex store the accessed data at its data centers?”
The Times story, based on leaked Facebook documents, doesn’t expound much on the details of Yandex’s access. A Yandex spokesperson told the paper that the company didn’t know that Facebook gave it expanded permissions and never used that capability.
“Yandex partners with many major U.S. tech companies as Russia's largest technology company and the largest search engine,” Facebook spokesperson Katy Dormer noted in an email to The Daily Beast. “Yandex's integration partnership with Facebook wound down prior to 2015, but Yandex was a search partner until 2017. Yandex continues to use Facebook Login.”
Yandex is on better terms with the Kremlin today than in 2014. Last year Putin even toured Yandex’s Moscow headquarters on the 20th anniversary of the search engine’s founding.