The Moscow headquarters of the FSB intelligence service, which uses a surveillance network that Nokia helped run smoothly. Photo / AP
The Finnish company played a key role in enabling Russia's cyberspying, documents show, raising questions of corporate responsibility.
Nokia said this month that it would stop its sales in Russia and denounced the invasion of Ukraine. But the Finnish company didn't mention what it was leaving behind: equipment and softwareconnecting the government's most powerful tool for digital surveillance to the nation's largest telecommunications network.
The tool was used to track supporters of the Russian opposition leader Alexei Navalny. Investigators said it had intercepted the phone calls of a Kremlin foe who was later assassinated. Called the System for Operative Investigative Activities, or SORM, it is also most likely being employed at this moment as President Vladimir Putin culls and silences anti-war voices inside Russia.
For more than five years, Nokia provided equipment and services to link SORM to Russia's largest telecom service provider, MTS, according to company documents obtained by The New York Times. While Nokia does not make the tech that intercepts communications, the documents lay out how it worked with state-linked Russian companies to plan, streamline and troubleshoot the SORM system's connection to the MTS network. Russia's main intelligence service, the FSB, uses SORM to listen in on phone conversations, intercept emails and text messages, and track other internet communications.
The documents, spanning 2008 to 2017, show in previously unreported detail that Nokia knew it was enabling a Russian surveillance system. The work was essential for Nokia to do business in Russia, where it had become a top supplier of equipment and services to various telecommunications customers to help their networks function. The business yielded hundreds of millions of dollars in annual revenue, even as Putin became more belligerent abroad and more controlling at home.
For years, multinational companies capitalised on surging Russian demand for new technologies. Now global outrage over the largest war on European soil since World War II is forcing them to reexamine their roles.
The conflict in Ukraine has upended the idea that products and services are agnostic. In the past, tech companies argued it was better to remain in authoritarian markets, even if that meant complying with laws written by autocrats. Facebook, Google and Twitter have struggled to find a balance when pressured to censor, be it in Vietnam or in Russia, while Apple works with a state-owned partner to store customer data in China that authorities can access. Intel and Nvidia sell chips through resellers in China, allowing authorities to buy them for computers powering surveillance.
The lessons that companies draw from what's happening in Russia could have consequences in other authoritarian countries where advanced technologies are sold. A rule giving the US Commerce Department the power to block companies, including telecom equipment suppliers, from selling technology in such places was part of a bill, called the America Competes Act, passed by the House of Representatives in February.
"We should treat sophisticated surveillance technology in the same way we treat sophisticated missile or drone technology," said Representative Tom Malinowski, D-N.J., who was an assistant secretary of state for human rights in the Obama administration. "We need appropriate controls on the proliferation of this stuff just as we do on other sensitive national security items."
Andrei Soldatov, an expert on Russian intelligence and digital surveillance who reviewed some of the Nokia documents at the request of the Times, said that without the company's involvement in SORM, "it would have been impossible to make such a system."
"They had to have known how their devices would be used," said Soldatov, who is now a fellow at the Center for European Policy Analysis.
Nokia, which did not dispute the authenticity of the documents, said that under Russian law, it was required to make products that would allow a Russian telecom operator to connect to the SORM system. Other countries make similar demands, the company said, and it must decide between helping make the internet work or leaving altogether. Nokia also said that it did not manufacture, install or service SORM equipment.
The company said it follows international standards, used by many suppliers of core network equipment, that cover government surveillance. It called on governments to set clearer export rules about where technology could be sold and said it "unequivocally condemns" Russia's invasion of Ukraine.
"Nokia does not have an ability to control, access or interfere with any lawful intercept capability in the networks which our customers own and operate," it said in a statement.
MTS did not respond to requests for comment.
The documents that the Times reviewed were part of almost 2 terabytes of internal Nokia emails, network schematics, contracts, license agreements and photos. The cybersecurity firm UpGuard and TechCrunch, a news website, previously reported on some of the documents linking Nokia to the state surveillance system. Following those reports, Nokia played down the extent of its involvement.
But the Times obtained a larger cache showing Nokia's depth of knowledge about the program. The documents include correspondence on Nokia's sending engineers to examine SORM, details of the company's work at more than a dozen Russian sites, photos of the MTS network linked to SORM, floor plans of network centres and installation instructions from a Russian firm that made the surveillance equipment.
After 2017, which is when the documents end, Nokia continued to work with MTS and other Russian telecoms, according to public announcements.
SORM, which dates to at least the 1990s, is akin to the systems used by law enforcement around the world to wiretap and surveil criminal targets. Telecom equipment makers like Nokia are often required to ensure that such systems, known as lawful intercept, function smoothly within communications networks.
In democracies, police are generally required to obtain a court order before seeking data from telecom service providers. In Russia, the SORM system sidesteps that process, working like a surveillance black box that can take whatever data the FSB wants without any oversight.
In 2018, Russia strengthened a law to require internet and telecom companies to disclose communications data to authorities even without a court order. Authorities also mandated that companies store phone conversations, text messages and electronic correspondence for up to six months, and internet traffic history for 30 days. SORM works in parallel with a separate censorship system that Russia has developed to block access to websites.
Civil society groups, lawyers and activists have criticized the Russian government for using SORM to spy on Putin's rivals and critics. The system, they said, is almost certainly being used now to crack down on dissent against the war. This month, Putin vowed to remove pro-Western Russians, whom he called "scum and traitors," from society, and his government has cut off foreign internet services like Facebook and Instagram.
Nokia is best known as a pioneer of mobile phones, a business it sold in 2013 after Apple and Samsung began dominating the market. It now makes the bulk of its US$24 billion in annual sales providing telecom equipment and services so phone networks can function. Roughly $480 million of Nokia's annual sales come from Russia and Ukraine, or less than 2% of its overall revenue, according to the market research firm Dell'Oro.
Last decade, the Kremlin had grown serious about cyberspying, and telecom equipment providers were legally required to provide a gateway for spying. If Nokia did not comply, competitors such as Chinese telecom giant Huawei were assumed to be willing to do so.
By 2012, Nokia was providing hardware and services to the MTS network, according to the documents. Project documentation signed by Nokia personnel included a schematic of the network that depicted how data and phone traffic should flow to SORM. Annotated photos showed a cable labelled SORM plugging into networking equipment, apparently documenting work by Nokia engineers.
Flow charts showed how data would be transmitted to Moscow and FSB field offices across Russia, where agents could use a computer system to search people's communications without their knowledge.
Specifics of how the program is used have largely been kept secret. "You will never know that surveillance was carried out at all," said Sarkis Darbinyan, a Russian lawyer who co-founded Roskomsvoboda, a digital rights group.
But some information about SORM has leaked out from court cases, civil society groups and journalists.
In 2011, embarrassing phone calls made by Russian opposition leader Boris Y. Nemtsov were leaked to the media. Soldatov, who covered the incident as an investigative reporter, said the phone recordings had come from SORM surveillance. Nemtsov was murdered near the Kremlin in 2015.
In 2013, a court case involving Navalny included details about his communications that were believed to have been intercepted by SORM. In 2018, some communications by Navalny's supporters were tracked by SORM, said Damir Gainutdinov, a Russian lawyer who represented the activists. He said phone numbers, email addresses and Internet Protocol addresses had been merged with information that authorities collected from VK, Russia's largest social network, which is also required to provide access to user data through SORM.
"These tools are used not just to prosecute somebody but to fill out a dossier and collect data about somebody's activities, about their friends, partners and so on," said Gainutdinov, who now lives in Bulgaria. "Officers of the federal security service, due to the design of this system, have unlimited access to all communication."
By 2015, SORM was attracting international attention. That year, the European Court of Human Rights called the program a "system of secret surveillance" that was deployed arbitrarily without sufficient protection against abuse. The court ultimately ruled, in a case brought by a Russian journalist, that the tools violated European human rights laws.
In 2016, MTS tapped Nokia to help upgrade its network across large swaths of Russia. MTS set out an ambitious plan to install new hardware and software between June 2016 and March 2017, according to one document.
Nokia performed SORM-related work at facilities in at least 12 cities in Russia, according to the documents, which show how the network linked the surveillance system. In February 2017, a Nokia employee was sent to three cities south of Moscow to examine SORM, according to letters from a Nokia executive informing MTS employees of the trip.
Nokia worked with Malvin, a Russian firm that manufactured the SORM hardware the FSB used. One Malvin document instructed Malvin's partners to ensure that they had entered the correct parameters for operating SORM on switching hardware. It also reminded them to notify Malvin technicians of passwords, user names and IP addresses.
Malvin is one of several Russian companies that won lucrative contracts to make equipment to analyze and sort through telecommunications data. Some of those companies, including Malvin, were owned by a Russian holding company, Citadel, which was controlled by Alisher Usmanov. Usmanov, an oligarch with ties to Putin, is now the subject of sanctions in the United States, the European Union, Britain and Switzerland.
Malvin and Citadel did not respond to requests for comment.
Other Nokia documents specified which cables, routers and ports to use to connect to the surveillance system. Network maps showed how gear from other companies, including Cisco, plugged into the SORM boxes. Cisco declined to comment.
For Nokia engineers in Russia, the work related to SORM was often mundane. In 2017, a Nokia technician received an assignment to Orel, a city about 360km south of Moscow.
"Carry out work on the examination of SORM," he was told.