The New York Times recently wrote about Nokia providing telecommunications equipment to Russian ISPs, all while Nokia was intimately aware of how its equipment would be interconnected with System for Operative Investigative Activities (SORM) lawful interception equipment. SORM equipment has existed in numerous versions since the 1990s. Per James Lewis:
SORM-1 collects mobile and landline telephone calls. SORM-2 collects internet traffic. SORM-3 collects from all media (including Wi-Fi and social networks) and stores data for three years. Russian law requires all internet service providers to install an FSB monitoring device (called “Punkt Upravlenia”) on their networks that allows the direct collection of traffic without the knowledge or cooperation of the service provider. The providers must pay for the device and the cost of installation.
SORM is part of a broader Internet and telecommunications surveillance and censorship regime that has been established by the Russian government. Moreover, other countries in the region use iterations or variations of the SORM system (e.g., Kazakhstan) as well as countries which were previously invaded by the Soviet Union (e.g., Afghanistan).
The Time’s article somewhat breathlessly states that the documents they obtained, and which span 2008-2017,
show in previously unreported detail that Nokia knew it was enabling a Russian surveillance system. The work was essential for Nokia to do business in Russia, where it had become a top supplier of equipment and services to various telecommunications customers to help their networks function. The business yielded hundreds of millions of dollars in annual revenue, even as Mr. Putin became more belligerent abroad and more controlling at home.
It is not surprising that Nokia, as part of doing business in Russia, was complying with lawful interception laws insofar as its products were compatible with SORM equipment. Frankly it would have been surprising if Nokia had flouted the law given that Nokia’s own policy concerning human rights asserts that (.pdf):
Nokia will provide passive lawful interception capabilities to customers who have a legal obligation to provide such capabilities. This means we will provide products that meet agreed standards for lawful intercept capabilities as defined by recognized standards bodies such as the 3rd Generation Partner Project (3GPP) and the European Telecoms Standards Institute (ETSI). We will not, however, engage in any activity relating to active lawful interception technologies, such as storing, post-processing or analyzing of intercepted data gathered by the network operator.
It was somewhat curious that the Times’ article declined to recognize that Nokia-Siemens has a long history of doing business in repressive countries: it allegedly sold mobile lawful interception equipment to Iran circa 2009 and in 2010-11 its lawful interception equipment was implicated in political repression and torture in Bahrain. Put differently, Nokia’s involvement in low rule-of-law countries is not new and, if anything, their actions in Russia appear to be a mild improvement on their historical approaches to enabling repressive governments to exercise lawful interception functionalities.
The broad question is whether Western companies should be authorized or permitted to do business in repressive countries. To some extent, we might hope that businesses themselves would express restraint. But, in excess of this, companies such as Nokia often require some kind of export license or approval before they can sell certain telecommunications equipment to various repressive governments. This is particularly true when it comes to supplying lawful interception functionality (which was not the case when Nokia sold equipment to Russia).
While the New York Times casts a light on Nokia the article does not:
- Assess the robustness of Nokia’s alleged human rights commitments–have they changed since 2013 when they were first examined by civil society? How do Nokia’s sales comport with their 2019 human rights policy? Just how flimsy is the human rights policy in its own right?
- Assess the export controls that Nokia was(n’t) under–is it the case that the Norwegian government has some liability or responsibility for the sales of Nokia’s telecommunications equipment? Should there be?
- Assess the activities of the telecommunications provider Nokia was supplying in Russia, MTS, and whether there is a broader issue of Nokia supplying equipment to MTS since it operates in various repressive countries.
None of this is meant to set aside the fact that Western companies ought to behave better on the international stage. But…this has not been a priority in Russia, at least, until the country’s recent war of aggression. Warning signs were prominently on display before this war and didn’t result in prominent and public recriminations towards Nokia or other Western companies doing business in Russia.
All lawful interception systems, regardless of whether they conform with North America, European, or Russian standards, are surveillance systems. Put another way, they are all about empowering one group to exercise influence or power over others who are unaware they are being watched. In low rule-of-law countries, such as Russia, there is a real question as to whether they should should even be called ‘lawful interception systems’ as opposed to explicitly calling them ‘interception systems’.
There was a real opportunity for the New York Times to both better contextualize Nokia’s involvement in Russia and, then, to explain and problematize the nature of lawful interception capability and standards. The authors could also have spent time discussing the nature of export controls on telecommunications equipment, where the equipment is being sold into repressive states. Sadly this did not occur with the result that the authors and paper declined to more broadly consider and report on the working, and ethics and politics, of enabling telecommunications and lawful interception systems in repressive and non-repressive states alike. While other kicks at this can will arise, it’s evident that there wasn’t even an attempt to do so in this report on Nokia.