The successful Mail.RU IPO shows investor’s confidence in the Russian internet’s future prospects despite the somewhat problematic Russian business environment. For example, in Transparency International’s most recent 2010 report, Russia received a score of 2.1. The 2.1 score ties Russia with Cambodia, Central African Republic, and Laos among others. Russia just nosed out the Democratic Republic of the Congo while losing nicely to Egypt’s 3.1 score where the population recently rose in rebellion with government corruption a major issue. By contrast, most European countries score from eight to nine. The US, even with the corporate problems revealed by the ongoing economic crisis, managed a 7.1.
As a result, potential Russian internet investors might profit from a close examination of the risks associated with investing in Russia. The political and economic risks imposed by Yandex’s interaction with the Russian government warrant close scrutiny.
The SEC Form F-1 includes Yandex analysis on the potential impact of Russian Government regulation. The impact of the Strategic Companies Law—that covers investment in firms deemed critical to national defense and state security--is particularly important. The section in the Form F-1 states:
In accordance with the Federal Law "On the Procedure for Foreign Investments in Companies which are Strategically Important for the State Defense and National Security" adopted in May 2008 (the "Strategic Companies Law"), there are restrictions on the foreign ownership of companies involved in certain strategically important activities. Although the internet is not an industry specifically covered by the Strategic Companies Law, companies that hold licenses to use encryption technologies are covered by this law. Our Yandex.Money subsidiary recently received encryption licenses and therefore this subsidiary is now covered by the Strategic Companies Law. As a result, our parent company, Yandex N.V., is likely covered by the Strategic Companies Law.
Under the provisions of the Strategic Companies Law, the direct or indirect acquisition of more than 25% of the voting power of a strategically important company by a foreign state, foreign governmental organization, international organization or entity controlled by a foreign government or international organization, or the acquisition of shares representing more than 50% of the voting power of such a company by any other foreign investor or any of its affiliated companies requires the prior approval of a Russian government committee chaired by the Prime Minister. In addition, foreign investors or their group companies that are controlled by a foreign state or a foreign government or international organization are prohibited from owning shares representing more than 50% by voting power of a strategically important company. Moreover, the acquisition of 5% or more of the shares of a strategically important company triggers a notification requirement to the FAS. Failure to obtain the required governmental approval prior to an acquisition would render the acquisition null and void.
Article Six of the Strategic Companies Law lists the industries covered. Number 14 specifically states that any entity performing data encryption services falls under the law. As a result, Yandex’s assessment that it is “likely’ covered is a slight hedge, Yandex is covered.
Encryption use placed Yandex under the Strategic Companies Law. Encryption use also imposes other requirements as set out in the Form F-1:
Encryption activities in Russia are covered by the Federal Law "On Licensing Certain Activities" of August 8, 2001 (as amended), which requires special licenses for the provision of services with the help of cryptographic (encryption) equipment and software, as well as for the production, distribution and maintenance of such cryptographic equipment. The procedure for licensing encryption services is set out in the Government Resolution "On approving the provisions for licensing certain activities related to cryptographic means" of December 29, 2007 (as amended).
Licenses under these provisions are granted by the Federal Security Service (the "FSB"), subject to the criteria which license holder must, and must continue to, comply with. Our Yandex.Money subsidiary, which uses encryption algorithms for the protection of transfers performed by its customers, received four licenses from the FSB in October 2010 in relation to its encryption activities. However, the requirement for licenses as set out in these laws is very broad and unclear, leaving the regulator with much discretion in applying and enforcing these laws.
The Federal Law is straight forward and lists the activities requiring licenses. Article 11.2 of the Federal Law on the Federal Security Service is the article establishing FSB authorities over encryption. Article 13—entitled The Rights of the Federal Security Service—is somewhat threatening and several pages long. Essentially, under article 13, the FSB can penetrate and exploit entities in support of any FSB responsibility. FSB responsibilities include counterintelligence, intelligence, fighting crime and terrorism, border security and information security. Article 13 states FSB rights are exercised “in institutions and organizations irrespective of ownership.”
The implications for Yandex, and Yandex investors, are fairly obvious. The FSB can penetrate Yandex—through human and/or technical means—if the FSB determines it is necessary.
According to a 2008 Russian tender document, the FSB already sees Yandex as an important target. The tender was for a new monitoring center for the FSB Information Security Center. The FSB’s Information Security Center (FSB ISC) is the FSB’s primary structure for counterintelligence operations involving Russia’s internet infrastructure. FSB ISC operations include monitoring the Russian Internet and analyzing Internet content to identify threats. According to archived directives posted on the FSB web site (www.fsb.ru), FSB ISC is also designated as an FSB expert investigative center performing forensic investigations for criminal prosecution.
The tender specified that the center would include remote, and non-attributable, tasking of monitoring sensors. The center desired extensive automated initial processing and classification—including geo-location—of detected data for transfer to offline databases for further processing. The tender included detailed specification of the desired equipment by specifying that performance would at least equal the performance of well know western technical systems and software. In sum, the project would provide FSB ISC with a state-of-the-art monitoring/analytic center operating on the Russian Internet without attribution.
- Prepared by Taia Global's Russia analysts for the Digital Dao blog -