This article was originally published in IAM Weekly, and is reproduced with permission.
On May 29, 2017 the Kiev and Odessa offices of Russia's top search engine Yandex were raided by the Ukraine State Security Service (SBU) in connection with a criminal investigation for “treason under Article 111 of Ukraine’s Criminal Code”, as reported by SBU spokesperson Olena Gitlyanska. Article 111 covers threats to the country's information security, punishable by 10 to 15 years’ imprisonment.
The company’s management and employees are suspected of illegally collecting and accumulating the personal data of Ukrainian users – including addresses, phone numbers, emails and social media account details – and passing it on to Russian security agencies for espionage purposes and planning of subversive operations in Ukraine. Server hardware and documentation appear to have been seized during the raids for further examination.
Yandex asserts that its business in Ukraine since 2005 has always been conducted in strict compliance with Ukrainian law, giving the highest priority to protecting the personal data of its users in all countries where services are provided. The company’s lawyers are ready to help with any investigation and provide Ukrainian authorities with necessary information.
On May 15, 2017 the Ukrainian President Petro Poroshenko signed Presidential Decree (133/2017) on the Decision of the National Security and Defence Council of Ukraine Regarding Implementation of Personal Special Economic Measures (Sanctions).
The decree enacts a decision of the National Security and Defence Council of Ukraine of April 28, 2017 and expands sanctions, among other things, against a number of Russian IT companies providing services that include:
- social networks;
- search engines;
- antivirus solutions;
- navigation services; and
- accounting services software.
The companies include search engine Yandex, e-mail provider Mail.Ru Group and Russian social networking sites VK (VKontakte) and Odnoklassniki ‒ all of which are among the most popular websites in Ukraine. Before the sanctions, Yandex had 320 employees in Ukraine and was widely used across the country, with over 11 million users every month.
Sanctions were also introduced against well-known IT companies, including 1C, ABBYY, Parus, Softline Group, Galatiki Centre and their Ukrainian affiliates, as well as Russian TV channels Zvezda, TVC, NTV Plus, RenTV, RBC and a number of banks.
The decree requires Ukrainian internet service providers (ISPs) to block access to Yandex and other blacklisted Russian websites and services for up to three years. Non-compliance with the decree's requirements could expose the management of ISPs to administrative liability.
While it is still unclear whether the above is compliant with existing Ukrainian law and how the bans will be enforced in practice, specific guidance is expected from the Cabinet of Ministers, the National Security Service and the National Bank of Ukraine, which are assigned to monitor the sanctions.
This escalation of sanctions against Russian IT companies follows a number of recent initiatives from the Ukrainian authorities aimed at limiting the access of Russian-controlled entities to critical Ukrainian cybersecurity infrastructure.