Such a failure at the time led to the blocking of Telegram. The FSB requested the keys to Yandex.Disk and Yandex.Mail, but they can give access to the passwords of the entire Yandex ecosystem. The company refused to provide them.
The request was sent to Yandex a few months ago. Despite the fact that, according to the law, no more than 10 days are allotted for this, the company has not done so yet.
Since Yandex.Disk and Yandex.Mail are Internet sites on which users can exchange messages, they are located in the ORI. So they must obey the so-called law of Spring. It says that the FSB may require to transmit any information necessary for decoding both received and transmitted, delivered and (or) processed electronic messages of Internet users.
The FSB declined to comment and did not explain what caused such attention.
The representative of Yandex said that the company operates under the current legislation, but refused to confirm that the keys were not transferred in response to the request.
According to the source, Yandex believes that the FSB interprets this rule of law too widely. Having received session keys, the service will gain access not only to mail messages. This will allow it to analyze all traffic from users to Yandex-based services in the RID registry. In addition, it is bad for security.
What exactly does the FSB require?
Session keys. They are used only for one session of connection between the user and the server. In the case of Yandex.Mail, it is generated only when a person visits mail.yandex. The expiration date depends on the settings: this may be the moment when the user closed the tab with the mail, or the browser, or turned off the device altogether. This key encrypts not only user messages, but also all metadata. The idea itself consists in its inconsistency, and the requirement is to store it.
Alexey Lukatsky noted that Yandex uses the Single Sign-On system. This means that re-authentication on other services of the company is not needed when it has already entered the mail. If during transitions the encryption keys do not change, then this may result in the discovery of data in these services.
Leonid Evdokimov also noted that on the same Yandex.Disk, in this way, it is possible to analyze the user’s behavior by looking at the files he downloaded.
Since the refusal to provide the keys is a violation of the law, the FSB will have to draw up a protocol on an administrative violation. In the case of a court decision in favor of the FSB, Yandex will receive a fine of up to 1 million rubles. If this does not work, Roskomnadzor will enter the case. In theory, he may require blocking the service in Russia. The law does not explicitly indicate the powers of Roskomnadzor and the FSB in this situation.
