A citizen with basic knowledge of technology “will never know that he is being watched” through the Russian spy system SORMaccording to Gaspar Pisanu, leader of Advocacy and Public Policies for Latin America of the international NGO Access Nowdefender of the open and free internet.
According to a report by American researchers Douglas Farah and Marianne Richardson, the regime of Daniel Ortega and Rosario Murillo has been using the System for Operational Investigation Activities (SORM, by its Russian acronym) since 2018— to spy on Nicaragua. The SORM-3 version has been implemented in the country.
The cybersecurity expert stressed that this version “has become very technical, to a point where we don’t know all the things it is capable of doing.”
“In general terms, (SORM-3) does not affect the devices, but rather gets in the way of communications. Let’s imagine that we have a conversation on the street and a person stands in the middle and listens to everything we are saying,” Pisanu explained in an interview with the program. Tonight.
The SORM platform is used by Russia and other former Soviet nations. “for phone and internet surveillance, and allows operators to monitor credit card transactions, email, phone calls, text messages, social networks, Wi-Fi networks, and forum postings,” according to information from the United States Government , provided by Farah to CONFIDENTIAL.
Pisanu noted that diplomatic and training relations with Russia “may include, in part, incentives to develop a SORM-like system; This may imply the enactment of certain regulations or the acquisition of certain technologies. That is why we say, precisely, that SORM is deployed in different ways, in different countries”.
How does the so-called System for Operations Research Activities, better known as SORM, by its Russian acronym, work?
The SORM system is a technical framework that includes both technologies and laws, and was originally developed by the former Soviet KGB, in the late 1980s, and was later replicated by countries in Central Asia and Western Europe, with different characteristics in each of the countries.
We must understand it as a legal framework because it includes regulations that provide law enforcement and security agencies with the ability to monitor, store, and filter information on commercial mobile traffic, as well as that of the Internet.
When this system emerged, it was designed to intercept landline communications. The newer versions are beginning to also include mobile phone and internet communications. Always all this under the justification of national security. It is often called, in technical terms, the back door of the internet and communications, for the Russian Federal Security Service.
SORM has had different stages: SORM-1 was, precisely, the intervention of land telephone communications; SORM-2, we are already talking about the Internet; and SORM-3 is the most complex stage of this program, where it already allows not only access to communications, but also the processing, filtering, and storage of the data obtained through the intervention of those communications, and the activity made by users on the Internet.
What devices are vulnerable or can this system intervene?
It is not like other infection systems that attack the device. The SORM-3 has become very technical, to a point where we don’t know all the things it is capable of doing. In general terms, it does not affect the devices, but rather gets in the middle of communications. Let’s imagine that we have a conversation in the street and a person stands in the middle and listens to everything we are saying; that’s kind of the way this works, it’s also known as attack attacks middlemanprecisely because he is a person in the middle.
The information that is being captured, in the telephone systems, is: who are the people who are conversing, where they are doing it, when they did it and the content, that is, what is being talked about. What it does on the Internet is the collection of the most varied activities that one can have, from emails, the contents that people publish on networks, to transactions that are carried out with credit cards.
Does this system have the ability to read and extract messages from applications with end-to-end encryption, such as WhatsApp or Signal?
It is difficult to give an exact answer. These technological issues and the agreements that governments make: how they use it or what they use, are extremely non-transparent. It is very difficult, both for journalism and for activism, civil society, and academia, to be certain about how these systems work, to what level of development they have reached. Taking this into account, it cannot be ensured that they are not capable of breaking the encryption that exists in end-to-end encrypted communications.
However, it is always a good practice to use these types of direct messaging applications, which also include encrypted calls. The encryption avoids this person in the middle; Going back a bit to the analogy of people having a conversation on the street, it would be like these two people are communicating in a language that can never be understood by that third person who got in the way.
The same happens, for example, with the use of VPNs, these virtual secure local networks, which work in a similar way, avoid sharing all the information with the telephone and internet service provider. Some of these VPN services even allow encryption of the information that is transmitted over those lines. As a practice, it is always advisable to use this type of service, even more so if we are talking about governments that have a history of monitoring their citizens and anyone who can be considered opposition.
Role of internet providers
And what role do telephone or telecommunications companies play in this system?
This system works very differently from country to country; For example, there are many reports or investigations of how SORM works in Russia and how it works in other countries, which at the time belonged to the Soviet Union, and they are very different. At the time, SORM —which is also a legal framework— obliged telecommunications companies to facilitate the deployment of this surveillance system; So, the companies enabled the conditions for this person to be in the middle, who is the one who intercepts the communication.
The reality is that today we cannot ensure that the entire surveillance program requires telecommunications companies, because there have been developments that allow, through a portable mobile device, to connect to a communications access point and intervene in them; then, the telecommunications company would no longer be needed so much. Although they have played a crucial role, today the program is likely to extend far beyond the involvement of telecommunications companies.
Does it mean that the SORM system can work without the support of Internet service providers to establish a kind of control or mass espionage throughout the country?
The truth is very difficult to ascertain because the SORM program is not very transparent and we do not know to what point it has developed technologically, to be able to say: it does not need it or there are certain things that yes or yes require this collaboration of the companies telecommunications, or if there is a certain part of the system that does not require the telecommunications companies.
Can you tell if they are spying on us under the SORM system?
In general, a person with basic knowledge (of technology) will never know that they are being watched through this system. There are investigations that, precisely, use different mechanisms to detect certain traffic redirections, that is, it is not reaching the person I am sending the message to, but rather it is reaching another person first and then the person I was sending it to. But today, surveillance technologies have advanced so much that it is becoming increasingly difficult to detect them.
What are the main ways to protect yourself or avoid their intervention in our internet networks, in our phones?
There are two levels of protection: a first level, which is what any citizen should have, is protection at the state level. It has to do with regulating the use of surveillance tools, in many cases prohibiting them, because they directly interfere with human rights. In many contexts in different countries, this is practically impossible, States make a great effort to do this in a completely obscure way, without any type of regulation.
On a personal level, use these direct messaging services with end-to-end encryption, applications such as WhatsApp or Signal; use VPN systems; all that are social network accounts, use double authentication factors. And also be aware of the things that are being published, of what is the risk to which we are exposing ourselves.
We must be aware that, even taking all digital security measures, there is the possibility that we are being watched, and it is very difficult to fight against it; That is why I believe that journalistic work is so crucial, to reveal these cases and generate pressure.
Diplomatic relations with Russia
And do you have information on in which Latin American countries this surveillance system is used?
Not specifically. We know that there are diplomatic relations between many countries in the region with Russia, which is the one who developed this system. Those diplomatic and training relationships may include, in part, incentives to develop a SORM-like system; This may imply the enactment of certain regulations or the acquisition of certain technologies. That is why we say, precisely, that SORM is deployed in different ways, in different countries.
The problem is that today in Latin America there is a very high degree, or rather, little or no transparency in the use of surveillance systems, which makes it difficult to assert that there are no governments that are using it. It happens to us with simple acquisitions, for example, such as security cameras that are used for traffic control, they do not want to give us information regarding these issues. So, imagine that a program as complex as SORM is.
