The Russian security services could soon have access to the personal data of thousands of Apple users in Russia, following the tech giant's decision to comply with Russian law and store user data on servers in the country.
Roskomnadzor, the Russian government agency that oversees media and telecommunications, has confirmed for the first time that Apple is to adhere to a 2014 law that requires any company handling the digital data of Russian citizens to process and store it on servers physically located in Russia.
Under Russian counterterrorism laws, Apple could be compelled to decrypt and hand over user data to security services on request.
With Apple products now able to gather vast quantities of information on their customers' lives, the company has publicly positioned itself as a champion of data privacy, and CEO Tim Cook has condemned the "weaponization" of personal data.
In 2016, the tech giant refused to unlock the iPhone of one of the shooters involved in the San Bernardino, California, terrorist attack in December 2015.
But in China and now Russia, Apple has quietly complied with local laws that could leave vast quantities of user data within the reach of the state.
In 2017, the company removed virtual private networks, or VPNs, that mask browsing activity from its App Store in China. Last year, Apple moved iCloud operations and encryption keys to data centers in China, raising fears that the authorities could have easier access to messages, emails, and other data stored in the cloud.
It's not clear what data Apple will store on its servers in Russia. The company's registration with the media agency lists names, addresses, email addresses, and phone numbers as the kinds of user data it processes.
Apple Russia's registration documents, filed on Dec. 25, make no mention of its iCloud service, which can host user photos, videos, documents, contacts, and messages.
"Seems that something is hidden here because of course Apple collects more data," said Sergey Medvedev, a senior lawyer with the Moscow-based law firm Gorodissky and Partners.
Russian law takes a broad interpretation of personal data and applies it to anything that could be used to identify individuals or their behavior. Photos, music, and e-book downloads would all indirectly be defined as personal data, said Medvedev, who specializes in internet and e-commerce law.
Apple did not respond to repeated requests for comment.
Controversial changes to Russia's counterterrorism law, which came into force last year, call on telecom providers to store the content of user communications, including text, video, and audio messages, for up to six months and give the security services the right to access this data without a court order.
Human rights advocates described the legislation as Russia's "Big Brother" law, amid concerns that it provides sweeping rights to the Federal Security Service — the successor to the KGB — to access people's communications without judicial oversight.
Medvedev said the law could potentially be applied to Apple's iMessage service.
Western tech giants have been tight-lipped about their compliance with Russian laws on data storage. In 2016, LinkedIn, which is now owned by Microsoft, was banned in Russia for refusing to move its data processing to the country. The move was interpreted as a warning shot about the potential ramifications of not adhering to the law.
This month, Roskomnadzor started legal proceedings against Twitter and Facebook for failing to notify the body about steps taken to comply with the law. Last year, Alexander Zharov, the head of the media agency, told the Russian news agency Interfax that Roskomnadzor had received reassurances from Twitter that it would handle Russian user data in country.
Zharov has already raised the prospect of banning Facebook if it fails to handle Russian user data in country. In February, the body will vet Apple for its compliance under the law.
Edward Snowden's revelations of widespread US surveillance online prompted governments around the world to scrutinize how their citizens' data is stored and accessed.
Last year, new data protection laws came into force in the European Union and imposed strict rules on the handling and storage of personal information gathered online.
Russia's move to have data stored domestically comes amid a wider bid by the authorities to control the internet. Vladimir Putin's return to power in 2012 was greeted with mass street protests in Moscow, and since then, a slew of laws have sought to curb free speech online.
Broad interpretations of Russian laws on extremism have seen dozens of people arrested and imprisoned for social media posts criticizing the annexation of Crimea, Russia's military involvement in Syria, or the Russian Orthodox Church.
Last year, a Crimean Tatar activist was given a two-year suspended sentence for reposting a video about a pro-Ukrainian volunteer military unit and adding the comment, "Crimea was, is, and will always be Ukraine!" While Russia's annexation of Crimea is overwhelmingly regarded as illegitimate under international law, criticism of the land grab within Russia has been criminalized under a 2013 law as a call for separatism.
The intent is not to police the daily web traffic of Russia's millions of internet users. "They do not have the technical capacity to spy on everyone to collect this data. It's absolutely impossible," said the Russian investigative journalist Andrei Soldatov, the author of The Red Web, a book about Russia's online surveillance. Rather, it creates a chilling effect and allows the authorities to apply pressure selectively.
"They have this arsenal of different tools available to them, and they'll choose the best way to crack down on someone," said Tanya Lokot, an assistant professor at Dublin City University who studies internet freedom and governance in Russia.
Last spring, Russia attempted to block the end-to-end encrypted messaging app Telegram for refusing to give the country's security services access to users' encrypted messages. In the process, the government accidentally placed a temporary block in Russia on more than 15 million websites that route through Amazon and Google servers.
Telegram founder Pavel Durov accused Apple of blocking global updates to the app after the Russian authorities demanded it be removed from the App Store.
In evidence of the selective application of Russia's internet laws, a deputy prime minister and Putin's own spokesperson admitted at the time that Telegram was still working as normal on their phones.
"There is a joke from Soviet times, that the severity of Russian legislation is softened by the fact that nobody has to follow the law," Lokot said.
But the Kremlin appears to be trying to change that.
Amy Mackinnon is a staff writer at Foreign Policy.