Euro Security Watch with Mathew J. Schwartz

Nokia Supported Russia's 'Lawful' Surveillance Program

When Do Technology Firms That Support Autocratic Surveillance Cross the Line?
Nokia's headquarters in Espoo, Finland (Photo: Nokia)

Finnish technology giant Nokia is facing tough questions over how it helped enable a surveillance program that supports President Vladimir Putin's autocratic regime.

In the wake of Russia's invasion of Ukraine, Nokia is one of a number of businesses ceasing sales to the country. Of the $23.4 billion in net sales Nokia generated in 2021, market researcher Dell'Oro says less than 2% - meaning $464 million or less - came from Russia and Ukraine.

But as the headline of a report published this week by The New York Times says, "When Nokia Pulled Out of Russia, a Vast Surveillance System Remained."

The report details how Nokia provided equipment that linked Russia's lawful intercept system - called the System for Operative Investigative Activities, or SORM - with the network of Mobile TeleSystems, or MTS, which is the country's largest mobile network operator.

In a lengthy response to the report, Nokia says: "Lawful intercept is a standard capability that exists in every network in almost every nation. It provides properly authorized law enforcement agencies with the ability to track and view certain data and communications passing through an operator's network for purposes of combatting crime."

Nokia says that it does not "play an active part in enabling SORM equipment," but that "like any other network infrastructure suppliers, Nokia is required to ensure that the networking products we sell have passive capability to interface with lawful intercept equipment of law enforcement agencies."

Russia's Domestic Surveillance Program

But what happens when the government authorizing the interception activities stands accused of regularly violating the human rights of citizens, including murdering the president's political opponents?

Russia's Federal Security Service, the FSB, uses SORM, which can eavesdrop on phone calls, messages and data sent via mobile networks, as well as landline phone calls, emails and social network activity. All such data, by law, must be retained for at least 12 hours for potential inspection, and the Russian government has also attempted to restrict the use of anonymity and VPN tools to make evading SORM tougher, the BBC has reported.

Since 2018, the FSB has been able to use SORM without needing a warrant, the Times reports. In short, Russia's current version of lawful access, for anyone in the law enforcement or intelligence arena, appears to be anytime access, with no court approval required.

Nokia's supply of technology that helps make SORM work came to light in 2019, when a Nokia engineer accidentally left a trove of documents connected to the internet. This was spotted by California-based security firm UpGuard and detailed by TechCrunch.

"Only the FSB knows what they collect," a critic of the SORM program, Alexander Isavnin, who's part of Russian digital rights group Roskomsvoboda, told TechCrunch at the time. "There is no third-party scrutiny."

Mass Surveillance Enablers

Russia doesn't source all of the components that power SORM domestically.

"I don't think people realize how much of the mass surveillance conducted by repressive regimes overseas is dependent on contributions by U.S. tech providers," as well as vendors in Europe and Israel, tweets Matthew Green, a cryptographer and professor at Johns Hopkins University's Information Security Institute.

Many of these companies claim that they only provide lawful intercept capabilities, he says.

Israeli surveillance spyware vendor NSO Group, for example, has responded to criticism of its sales strategy by claiming that it only sells its technology "to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime."

Since NSO Group's Pegasus spyware was discovered spying on devices owned by journalists, lawyers, opposition leaders and human rights activists, some governments obviously appear to either be defining "serious crime" and terror in different ways, or else - wait for it - not abiding by the end-user license agreement.

Nokia and NSO Group are far from the only technology suppliers who have been caught out. The BBC, for example, has reported on how U.K. defense giant BAE Systems and its Danish subsidiary ETI sold sophisticated mass surveillance technology across the Middle East, including to the United Arab Emirates.

As Ross Anderson, professor of security engineering at Cambridge University, told the BBC in 2017, once someone possesses such surveillance technology, they can likely use it not just for domestic law enforcement, but anything else they might like, such as foreign intelligence gathering.

Define 'Corporate Social Responsibility'

Nokia isn't alone in finding itself on the wrong side of fast-moving world events. But one bigger-picture question facing so many technology vendors, including Nokia, as well as the governments of the countries in which they're based, is whether they should have collectively held themselves to higher standards.

Nokia's response to the March 28 New York Times report

In response to a query about how working in Russia reconciled with any Nokia corporate social responsibility charter, Nokia referred to the statement it issued in response to the Times report.

"Nokia ensures that all deals go through our strict human rights due diligence process," it says. "We condemn any misuse of lawful intercept to infringe on human rights."

The statement, somewhat vaguely, also calls for a rethink of "existing legal and technical architectures," without defining what that means.

There's no record of Nokia having issued such a call before over events in Russia - say, after the assassination of Russian opposition politician Boris Nemtsov near the Kremlin in 2015 or the poisoning in 2020 of opposition figure Alexei Navalny, which United Nations special rapporteurs blamed on the Russian government.

Do the Right Thing

"Life comes at you fast," says cybersecurity expert Alan Woodward, a professor of computer science at the University of Surrey. "You need to think very carefully about who you are supplying equipment to, and more particularly what use they are making of it, as regimes and geopolitics can switch directions on a sixpence."

For Putin - a KGB officer from Soviet times who's seemingly turned lifetime president - the writing has long been on the wall, not least over his apparent desire to reconstitute the Soviet Union via soft power or, if necessary, by force.

As the Center for Strategic and International Studies, a bipartisan Washington policy research organization, said in 2014 following Russia's invasion of Crimea: "Putin regrets deeply that Russia is not the Soviet Union, and certainly there is widespread nostalgia for great power status (and thus a source of popular support for Putin as he tries to reclaim it)."

Businesses such as Nokia need to do the right thing. But is that imperative being practiced?

"There is a moral dimension to any business: It is never, or at least should never be, 'profit at any cost,'" Woodward says. "Factors such as the use to which technology might be put should weigh on the minds of vendors, and perhaps a bit of gentle government regulation might help remind them to factor it into their thinking."

Tighter Export Controls

Some Western governments already restrict what can be exported to unfriendly governments or autocratic regimes, especially when it comes to so-called dual-use technologies, meaning things that have both peaceful and military applications (see: Should 'Killer Robots' Be Banned?).

Historically, this effort has perhaps been hampered by many lawmakers' lack of technical knowledge.

But this seems to be changing. Last December, the British government proposed changes to make its export control regime more restrictive. The Biden administration also remains very focused on refining and applying export controls, especially pertaining to Russia and China.

No doubt the White House is also working to bring allied governments on board.

Stronger export controls can of course affect a business's bottom line. But from a societal standpoint, this can be well worth the cost, Woodward says.

"It has implications for mergers and acquisitions, and doubtless some will say it may stifle innovation, but that seems preferable to finding it being used to increase the stranglehold a regime has on its people and the force it can project in the rest of the world," he says.

The Bigger Picture

Another frequent argument is that if the West doesn't sell surveillance technology to Russia, then Russia will simply buy it from somewhere else, such as China. But Chinese-made gear isn't necessarily better, and from a cybersecurity standpoint, it can be worse (see: Huawei Security Shortcomings Cited by British Intelligence).

As far as Western geopolitical and intelligence aims go, making Russia rely on domestic or Chinese-built gear might be a boon, at least for helping to make the world a safer place.

One irony facing Nokia - a Finnish firm - is that it's been helping to support a surveillance system that has helped the FSB keep Putin in power, and Putin recently has been threatening Finland as it reconsiders the defensive upsides of joining NATO, of which its neighbor Norway was a founding member.

On March 12, a spokesman for the Russian Ministry of Foreign Affairs warned both Finland and Sweden that if they ever decide to join NATO, they will face "serious military and political consequences."

How are those Nokia profits from Russia looking now?

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
