In June and July 2019, Coda Story covered the arrest of the Russian investigative journalist Ivan Golunov on spurious drug possession charges, and the ensuing public outcry. Since then, the charges against Golunov have been dropped, and in January five Moscow police officers were charged with fabrication of evidence and drug trafficking.
According to Russian news website Baza.io, one of these officers, Igor Lyakhovets, said that he had obtained the reporter’s address by requesting his travel history from Yandex.Taxi, Russia’s most popular rideshare app. Yandex.Taxi has publicly confirmed that it received and complied with this request.
It was a minor detail in Lyakhovets’ account of the Golunov investigation, but one that has shed light on the ability of Russian security services to carry out detailed surveillance of anyone who uses everyday online services, such as taxi apps. It also raised questions about the security of user data in the many countries outside Russia in which Yandex.Taxi operates.
Concerns have risen over whether Yandex.Taxi went far beyond its obligations in giving the Moscow police Golunov’s user data. On March 2, the Russian digital rights group Roskomsvoboda published a report noting that Yandex.Taxi is not listed on the public registry of “information dissemination organizers.” Such organizations are required to grant Russian authorities access to all user data under the controversial “Yarovaya law,” a package of new measures and amendments to existing statutes focused on public safety and counterterrorism enacted in July 2016.
But Yandex.Taxi argues that it was compelled to hand over user data to law enforcement agencies, citing a different law – known as the “operative-search activities” law, which regulates police investigations – which applies to any organization, regardless of whether it is on the registry or not.
But according to Kirill Koroteev of the legal advocacy organization Agora, this law stipulates that requests for private data are not binding in the absence of a court order. No such court order appears to have been given, but Yandex.Taxi spokeswoman Natalia Zhuravlova told Coda via email that while “certain types of enquiries – for example, requests to reveal text of private correspondence between people – do require a corresponding court decision,” requests for ride histories do not.
Golunov raised a further question concerning the legitimacy of the request Yandex.Taxi received from law enforcement. According to Golunov, it was not made via the correct channels, but rather was sent in an email, from an address at the domain Mail.ru – a popular Russian email server. Golunov told Coda Story that he saw evidence of this during the court proceedings. This detail has not yet been made public, as the trial is ongoing. Yandex.Taxi, however, denies that the request was made via email. In a Facebook post, the company’s spokesman Vladimir Isaev said that he personally saw the signed paper that was submitted to the company’s lawyers.
In a text message, Golunov explained why the question of whether the request was made via email is significant.
“I don’t like the situation with Yandex.Taxi – that information about my movement is available to any person who can write a letter to Yandex.Taxi and sign as a police officer,” he wrote. “I think that this kind of information should only be shared by the company if there’s a court order.”
Whether or not Yandex.Taxi gave up more information than they legally had to, this case shows the extent to which the Russian authorities expect unfettered access to private companies’ information, and do not see the need to give any reason for their requests. “I think it is also highly important to mention that usually, enquiries by the authorities don’t contain any details of cases or names of people in question,” wrote Zhuravlova. “They also don’t mention whether the person in question is under suspicion or whether they are a victim of a crime. As an example, they might contain just a phone number or an internet ID.”
International repercussions
According to its website, Yandex.Taxi operates in 17 countries in Eastern Europe, Central Asia and West Africa. In Georgia, where it is one of the two most popular rideshare apps, the news of the company’s involvement in Golunov’s case was met with alarm. Speaking to Georgian television reporters, parliamentarian Irakli Abesadze called for an investigation of Yandex.Taxi by state security services, in order to determine whether the app also shares Georgian users’ data with Russian authorities.
Privacy concerns related to Russian access to Yandex.Taxi’s international user data long predate this week’s reports, and are not confined to Georgia. In 2018, the Lithuanian defense ministry’s National Cyber Security Centre published an investigation that found that the Yandex.Taxi app in Lithuania regularly sent encrypted communications to Russian IP addresses. Lithuanian Prime Minister Saulius Skvernelis publicly urged Lithuanians not to download the app, owing to concerns that it stored excessive user data with inadequate security.
Asked whether Yandex.Taxi would have handed over user data to the Russian authorities had their request concerned the travel history of a passenger outside Russia, Zhuravlova responded: “The responsibility for rides-related data is carried by the legal entity, which operates the service in a particular country. For example, Russian Yandex.Taxi LLC will handle the enquiries about rides in Russia, provided the enquiries are made according to established legal procedure. Enquiries about rides in Georgia will be handled by the Netherlands-based Yandex.Taxi B.V., while enquiries about rides in Ghana will be handled by MLU Africa B.V. and so on.”
Yandex’s partnership with Uber
In 2018, Yandex and Uber merged their rideshare operations in Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan and Russia into a single entity. Named MLU B.V., it is jointly owned by the two companies and officially based in the Netherlands. Today, if you open the Uber app on your phone in one of these countries, you are redirected to Yandex.Taxi, or another service operated by Yandex. In Russia, a separate Uber Russia app is available, with Yandex listed as the developer.
In the U.S., according to Uber’s privacy policy, a court order, search warrant, or subpoena must be submitted by law enforcement before the company shares its user data. Uber has also published transparency reports detailing the number and frequency of these requests.
However, an Uber spokeswoman told Coda Story via email that Uber and Yandex.Taxi “operate separately with different products, infrastructures and policies.” Uber declined to comment on Yandex.Taxi’s involvement in the Golunov case.
Asked whether Yandex.Taxi could provide similar records of law enforcement requests to those Uber has made public, Zhuravlova responded, “We haven’t so far but are thinking about how to increase transparency on that going forward.”
Additional reporting by Katerina Fomina and Mariam Kiparoidze.