Fight surveillance law in Romania

How does it influence the hosting and cybersecurity industry in Romania?


The law will require:

– Hosting providers to intercept communications, provide customer data and decrypt data if necessary, at their own expense.

– IP resource hosting providers and electronic communication providers “to grant, at the request of authorized bodies, under the conditions of this law, the decrypted content of communications transited in their networks”


But what would this mean for customers in practice?

– Decrypt encrypted content. For example, SSL/TLS-protected data has to be decrypted on request, in case the provider has access to your key (for shared and managed hosting this is always the case, and the same goes for most DDoS filters).

– Provide details about website visitors (IP logs).


How will FlokiNET be affected?


The law also covers foreign providers operating IPs / networks in Romania. However, we and our legal team clearly see the proposed law as illegal under the Romanian constitution as well as under EU law. All passwords, decryption keys, SSL keys etc. are managed by FlokiNET ehf Iceland, and handing them over would violate Icelandic law. We are more than willing to discuss this in court and will not cooperate in any matter that would break Icelandic law.


Does customer data remain safe?

Yes, it does! All our servers are encrypted; without the keys, which are stored safely in Iceland, no data can be decrypted.


Should I move my hosting / server to a different location?

There is no need for this. In case our legal opinion changes or the law becomes permanent, we will address our customers.

What action will FlokiNET take to ensure customer data safety?

Since FlokiNET was founded in 2012, customer data protection has been our DNA.

This includes the encryption of all data and several technical and legal measures to make sure this data remains safe. However, in case the law becomes active in Romania, we will immediately challenge it in court and are confident about appealing the law.


Conclusion for our customers:

No changes or worries required for now. In case the situation changes we will let you know.

What can I do?

In our previous blog post we mentioned that the Romanian Senate is due to vote on a piece of legislation that severely cripples the ability that hosting companies have to provide secure services to you, the customers. If you want to take a stand against this, we urge you to send a letter to the Commissions inside the Romanian Senate, as well as the representatives of Romanian political parties.

You can use the letter below as a template, add your own position to it, and send it. We recommend you act sooner rather than later, since the vote on this piece of legislation is scheduled, most probably, for Monday, February 14th.

Think of it as sending a Valentine’s Day letter to a secure Internet. 😉

The blog entry with the background:

ANTI-SURVEILLANCE OPEN LETTER

A new proposal to extend communication surveillance and to intercept encrypted communications is about to be voted in the Romanian Senate.

This law proposal is designed to increase surveillance by crippling hosting security. Below you can find an open letter that we and other hosting companies have sent to prevent this from happening and the letter that will go to the Romanian Senate.

In our second blog post you can find further details on how it influences your services with us.


Greetings,


There is a piece of legislation, most likely due to receive the Senate’s vote on Monday, February 14th, in Romania, that introduces a number of obligations that amount to increased surveillance and a decrease in the secure services we can offer. 
The piece of legislation is an amendment introduced, without any public debate, inside the Code for Communications (which implements a European directive). The amendment has nothing to do with the surrounding legislation – it was introduced strictly in order to increase state surveillance. 
I’ve composed an open letter, which I invite you to read and if you are in agreement with what is expressed, sign. The English version of this letter is appended at the end of the e-mail, and the Romanian version is attached. Your signature will appear on both. 
I urge you to respond to this as soon as you can – we need to send the open letter, in order for it to be received and read by all those we will contact:
- the Communications, Economic and Juridic Committees inside the Senate;
- the president of the Senate;
- leaders of Romanian political parties.
The exact same open letter that I have attached to this e-mail will be sent to all of the above. 
Please respond, if you are willing to sign, by 5pm this Friday, February 11th. Let me know how you want your signature to appear (I suggest a format such as “Ion Popescu representing XYZ hosting company”).
For more context around this matter, you can consult the following:
- the open letter of the civic society https://www.stareademocratiei.ro/2022/02/10/senatori-interceptarea-comunicatiilor-trebuie-facuta-legal-si-constitutional-nu-acceptati-calul-troian-din-codul-comunicatiilor/
- the initial form of this amendment https://apti.ro/largirea-interceptarii-comunicatiilor-electronice-impusa-pe-sest
- the aftermath of the amendment going through the Senate Committees https://apti.ro/furnizori-gazduire-calul-troian


Senator,


With this open letter, the signatory entities, providers of storage (hosting), instant messaging, and other online services express their common position of rejection of the Bill to amend and supplement certain regulatory acts in the field of electronic communications and to establish measures to facilitate the development of electronic communications networks (L532/2021, Communications Code) [1]. 
The signatory entities appeal directly to you to reject Article 10 index 2, in its current form and, possibly if still necessary, to send it to the Special Committees for rethinking and appropriate discussion.


In particular, the new obligation for IP resource hosting providers and electronic communication providers “to grant, at the request of authorized bodies, under the conditions of this law, the decrypted content of communications transited in their networks” puts us in the position of violating the confidentiality of communications transited in our networks, which is an express legal obligation provided by Art 4 Law 506/2004 (as the implementation of EU Directive 2002/58/EC ePrivacy) and Art 28 of the Constitution on the secrecy of correspondence.
Technically, this would be almost impossible if content served by one entity was encrypted by another entity unless we equipped ourselves with a series of highly sophisticated tools and turned into cyber criminals for a man-in-the-middle attack. Even then we don’t think we’d succeed.
Also, the concept of transit itself is vague and cannot be directly translated into a technical solution. In any web application, the term “communications content” refers both to messages exchanged between human users, who are communicating, but also messages exchanged between automated entities, which are part of the smooth functioning of the application. It is incorrect to treat any form of information exchange as homogeneous.  We remind you that most web communications are encrypted (https) nowadays.


The signatory entities are brought together by a common interest in providing customers with quality hosting, storage and messaging services to the same standards as other entities operating in the same field. The signatories carry out commercial activity on the territory of Romania, an activity which is directly targeted by the provisions of the draft law through the following wording:
“provider of electronic hosting services with IP resources – a person who, on the territory of Romania, provides services for storing, distributing content and ensuring access to it, on owned or rented servers, by managing a set of IP addresses on the Internet”.
We would also point out that providers of this type are already regulated by Law 365/2002 on electronic commerce, and an obligation to notify ANCOM (unique in the European Union) would violate the principle of Art 4 (1) of this law.


The Romanian civil society has addressed an open letter to you [1] whose arguments we support:
1. The Communications Code should not be extended with amendments that legislate the interception of communications. The European Directive, which is transposed by the present Communications Code, does not specify such obligations. Moreover, the amendment introduced in the Communications Code is contrary to the existing E-Commerce Directive and the proposed Digital Services Act Directive; 
2. The wording in the amendment is vague: both the wording describing the entities covered by the amendment and the wording describing the obligations incumbent on the entities. From the present wording, the obligation is imposed on any entity hosting content or providing messaging services on the territory of Romania, regardless of the legal entity, the location of the infrastructure, the purpose of the activity. Moreover, this wording is directly contrary to the proper functioning of some hosting and messaging services – from a technical point of view, encryption is necessary and critical for the security of these systems. The obligations of the amendment translate directly into a degradation of the quality of services, which will be suffered by all persons accessing content on Romanian territory;
3. The Constitutional Court of Romania has ruled that vague formulations cannot be considered constitutional.  
Thus, the signatory entities recommend:
1. Rejection of art 10^2 or referral to discussion in the Senate Committees.
2. Transparency in the drafting of legislation on hosting and messaging services, as well as public debates in which the actors concerned offer their support for the drafting of laws that are beneficial to all. 
[1] – https://www.stareademocratiei.ro/2022/02/10/senatori-interceptarea-comunicatiilor-trebuie-facuta-legal-si-constitutional-nu-acceptati-calul-troian-din-codul-comunicatiilor/