Date: 2023-08-08

If Yango's user data has been stored in Russia until now, the FSB has probably also had access to it, assesses information security expert Petteri Järvinen.

Russia's new taxi legislation has hardly any effect on the security service FSB's ability to access the user data of people who have used the Yango taxi application in Finland. That access has already been extensive, assesses information security expert Petteri Järvinen.

“Intelligence services don’t ask for permission if it’s in the national interest,” says Järvinen.

The Russian-language news service Meduza has reported, citing information it received, that the data of all Yango customers is stored in Russia. If this is the case, according to Järvinen, the FSB also has access to it.

“Yes, the FSB has received this information in practice and probably other parties as well. And that, I think, is the troubling aspect here. Russia is the wild west of data protection, where everything is for sale,” says Järvinen.

According to him, it is by no means exceptional that the security services do not need legislation to support them.

“When [Edward] Snowden made his disclosure, it turned out that the NSA had not asked for any permissions. It had only followed the traffic of Google and Facebook and Microsoft, and fetched the information it was interested in,” says Järvinen.

The NSA is the US National Security Agency. In 2013, a former employee of the agency, Edward Snowden, leaked internal NSA documents to the public, which revealed that the agency violated the privacy of citizens and companies by hacking information networks on a large scale.

Finland's data protection commissioner decided on Tuesday to prohibit the transfer of customer data used in Yango to Russia from September 1, because a law reform will enter into force in Russia in September, which gives the FSB the right to receive data processed in taxi operations.

Norwegian data protection authorities also made a similar decision on Tuesday.

Järvinen marvels at the Finnish Data Protection Commissioner’s slow reaction and describes the decision as a panic decision.

“Apparently, this situation had not been terribly monitored there,” says Järvinen.

According to him, the European Union's attitude towards Russia has also been “lax” in matters of information security, although the fact that Yango's Russian-background owner, Yandex, is registered in Holland, which is part of the EU, creates challenges.

“On the other hand, GDPR is the same there, so it doesn’t work here for a reason,” says Järvinen.

“When you know how precise the EU is in the transfer of data to the United States, which is nevertheless a rule of law, and it is justified by the fact that there is no legal protection if information can always be leaked, then the attitude towards Russia seems quite lax.”

What information can the FSB get from Yango?

At least movement and payment traffic information. However, according to Järvinen, not much can be done with individual information of this nature.

“If it is used often and that information accumulates over a longer period of time, different profiles can then be drawn from it,” he estimates.

The information could be used, for example, to find out the movements related to people’s private lives and use them for extortion.

“Or, quite concretely, there have been dissidents who have fled to Finland from Russia, or even people who have avoided military service, to track them down,” says Järvinen.

The FSB is also unlikely to be the only one with access to Yango's information. The company's employees may trade information with anyone who agrees to pay for it. This can be done for criminals, but also for other uses. There are examples of this from other Russian authorities and companies.

“In the [Aleksei] Navalny case, NGOs tracked down Russia's own agents who were targeting Navalny based on passport and travel information,” says Järvinen.

If you have used Yango in Finland, according to Järvinen, there is almost nothing you can do to save your own user data.

Although the company, as a Dutch company, is committed to EU GDPR practices, there is no guarantee that user data has actually been processed in the manner required by them.

He recommends using other service providers in the future. If you have to resort to Yango, one option might be to use, for example, cash as a means of payment.