What prompted a wave of concern was the news that Russia was about to pass a new law granting its Federal Security Service (FSB) round-the-clock access to all the traffic data aggregated by certain taxi services. Due to a quirk in its formulation, the law, in fact, applied to only one Russian company: Yandex Go, the only taxi service on the Russian register of information distributors.
Until then, companies in Russia were only obliged to share their data with the law enforcement and security services if petitioned formally by the officials. Now, concerned customers were writing to Yandex from outside of Russia, asking for explanations about their data and whether it would be handed over to the secret police. This prompted an internal message exchange, in which the management clarified that “data from all of Yango” is “stored in Russia,” and there is no “material or logical division” between data collected from users inside and outside of the country. All of Yandex’s data centers, the messages stated, were located in Russia, but mentioning this information should be avoided when talking to customers.
Every single installation of the app is linked to a concrete location, and you can differentiate and granulate everything city-by-city. So it’s perfectly possible to move, say, the Istanbul or the Tbilisi data. The problem is that, come September, the secret services will gain access to the common data that flows into Yandex. And that includes the foreign rides. Yandex has long claimed that its European operations were in strict compliance with the GDPR. These protections are also mentioned in the confidentiality policies published by Yango and Yandex Go. Inside Russia, though, European privacy norms may well be compromised where they come in conflict with the applicable Russian law.
The former Yandex executive Grigory Bakunov says that he can see two possible ways in which the FSB could make use of the data obtained from Yandex:
Imagine that you have two possibilities. Either you can work bare-handed with a heap of raw data, or you can, figuratively speaking, get an email report based on certain variables: “User X with driver Y traveled from point A to point B.” It’s really in the hands of the FSB whether they want to work with the big pile of data. If they have enough specialists, maybe they wouldn’t mind reading the whole trove.
If the FSB were to choose the second option, Bakunov suggests, Russians who left the country for former CIS countries since the start of the Ukraine war will be especially at risk:
That trove contains ride data from Kyrgyzstan, Kazakhstan, Armenia, Georgia, and other places where Russians moved since the start of the war. This, I would say, is more of a threat than access to data on Finland, Norway, or Algeria.
