
Russia-Yandex Encryption Spat Highlights Trust as a Competitive Business Advantage

July 1, 2019 | David Bisson

In early June 2019, Russian authorities continued a policy of cracking down on the Internet. They did so by demanding that Russian web authority Yandex hand over its encryption keys.


Russia’s Federal Security Service (FSB) justified this mandate on the grounds that it could use those keys to monitor users’ private data across various email providers, social networks and messaging apps in an effort to combat terrorism and digital threats.



Yandex responded by saying that it would not comply with the Russian government’s wishes. Specifically, it said that it would help Russian authorities combat online crime and terrorism within the limits of Russian law. Such cooperation would have its limits, however, as the web authority said in a statement quoted by Bloomberg:


“This [cooperation] does not require the transfer of keys that are needed for the decryption of all traffic. The law can be enforced without violating the privacy of users’ data…. We believe it is important to strike a balance between security and user privacy, and to take into account the principles of equal regulation for all market participants.”



Just a few days after news of this conflict first surfaced, Russian communications watchdog Roskomnadzor confirmed that Yandex and the FSB had reached an agreement regarding this dispute. Reuters’ reporting did not disclose the details of this arrangement. But Alexander Zharov, head of Roskomnadzor, said that the watchdog intended to evaluate Yandex’s compliance with data protection laws later in the month.


On the Heels of Other Encryption Disputes

The above dispute is just the latest in a series of recent attempts by governments to gain access to encrypted conversations. Who can forget how the FBI pressured Apple to create a mechanism that would have allowed it to access the locked contents of an iPhone that belonged to one of the attackers behind the 2015 San Bernardino shooting? As we all remember, this dispute ended when the FBI paid a third party more than $1 million for such a workaround.



More recently, there’s been the debate surrounding the “ghost proposal.” According to the UK Government Communications Headquarters (GCHQ), secretly injecting law enforcement personnel as “ghosts” into encrypted chats could give authorities a “better way” of accessing protected devices and services under certain conditions. But we noted at the time that such a proposal would needlessly increase users’ digital risk and affect their level of trust with service providers. Dozens of service providers articulated this same thought in an open letter that responded to GCHQ’s original proposal:


“The GCHQ proponents of the ghost proposal argue that ‘[a]ny exceptional access solution should not fundamentally change the trust relationship between a service provider and its users. This means no tasking the provider to do something fundamentally different to things they already do to run their business.’ However, the exceptional access mechanism that they describe in the same piece would have exactly the effect they say they wish to avoid: it would degrade user trust and require a provider to fundamentally change its service.”



The Centrality of Trust in Encryption

It goes without saying that trust plays a central role in encryption disputes such as the Yandex-FSB spat and the “ghost protocol” argument. But it’s important to note that this trust doesn’t stop at users placing their faith in encryption algorithms used by service providers. This trust also encapsulates the conviction that those service providers will implement those algorithms properly and not prove themselves untrustworthy by inserting backdoors into their software.


In this sense, encryption functions as what ZDNet calls a “distinct competitive advantage.” For many service providers, implementing encryption has become a central part of their business. It’s why users store their data with those organizations and not others. By extension, organizations that allow law enforcement to access their encrypted data and services risk alienating their users, forsaking an important benefit and thereby jeopardizing their business.



Acknowledging this fact, service providers need to weigh their customers’ trust against the desire to help law enforcement fight terrorism and digital crime within the confines of the law. Those organizations should also make sure their encryption assets are protected against digital criminals. They can do so by using an automated tool to monitor their keys and certificates for signs of abuse.



About the author

David Bisson

David is a Contributing Editor at IBM Security Intelligence. David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
