The Russian Ministry of Transport has drafted a legislative proposal “On Amending Government Resolution No. 1393 of August 8, 2022.” This draft policy mandates that operators of airline booking systems store and transmit an expanded set of personal data on passengers to a centralized state database. The proposal, if adopted, would take effect on March 1, 2026, providing a legal basis for more extensive data collection by Russian carriers. Under this policy, airlines and ticket agents would be required to capture not only standard travel details like passport information and itinerary, but also passengers’ contact and account data, device and network identifiers, and payment details. The data would then be forwarded to a unified government information system for transport security (known as ЕГИС ОТБ), where it could be retained for seven years. These measures represent a significant expansion of state surveillance capabilities and have raised concerns among industry experts and civil society observers about authoritarian control, data abuse, and privacy rights.
Signals of Surveillance and Authoritarian Control
Several structural aspects of the draft policy signal an enhanced surveillance apparatus characteristic of an authoritarian approach. Centralized Data Collection: The policy channels all passenger booking data into government-controlled centralized databases, which are part of the Unified State Information System for Transport Safety. This centralization enables authorities to monitor citizens’ travel movements across airlines and even other transport modes in one place. Notably, the Government Resolution No. 1393 (2022) already established that the booking system must be a domestic platform under Russian jurisdiction, free of foreign control. The new amendments double down on this by barring foreign stakeholders from the system’s ownership or management and requiring all system infrastructure to reside in Russia. Such provisions ensure the state’s unfettered access to the data and eliminate external oversight, concentrating control within domestic security and regulatory agencies.
Expanded Personal Data Requirements: The mandated inclusion of highly detailed personal data is another strong signal of a surveillance motive. The draft adds a new section obliging the booking system to store and transmit a broad array of passenger data: phone number, email address, user account login and password hash, IP address and port of the device used for booking, and payment information (including the bank’s name and the last four digits of the account or card). These items go well beyond what is necessary for processing a ticket purchase, indicating an intent to collect intelligence on travelers’ digital footprints and financial links. For example, recording the IP address and port used during booking effectively tags the location or network of the passenger at the time of purchase. Requiring even the login credentials (username and hashed password) for a passenger’s account on the airline’s website or app is particularly intrusive, as it is irrelevant to issuing a ticket and could facilitate broader monitoring of the person’s online activities. According to Russian media reports on the draft, authorities indeed plan to add all such information that a passenger provides during booking (often called Passenger Name Record data) into the central system. This level of detail in government-held travel records is a marked departure from standard practices in democratic countries and aligns more closely with a surveillance state model.
Real-Time Data Transmission and Long Retention: The draft rules also emphasize prompt reporting and prolonged data retention, hallmarks of a surveillance-oriented design. Airlines must send passenger data to the central database within 15 minutes of any booking or ticketing operation. Such near-real-time reporting signals that the system is meant for active monitoring, potentially allowing security services to track individuals’ movements as they happen. Once collected, the data will be stored in the state system for seven years. This retention far exceeds typical commercial needs (which usually last only until travel completion or a short period after) and instead serves long-term monitoring or retroactive investigative purposes. The seven-year archive of citizens’ travel histories can enable profiling and social control; it is reminiscent of data retention mandates seen in Russia’s past counterterrorism laws (like the 2016 “Yarovaya law” requiring telecom providers to store user communications) that prioritize security surveillance over privacy. In summary, the structural features of this proposal – centralized data pooling under state control, expanded personal identifiers, real-time updates, and lengthy retention – collectively point to a system designed for pervasive surveillance and authoritarian control of citizen movements.
Potential Abuse and Illicit Access of Travel Data
The accumulation of sensitive travel data in a centralized repository creates serious risks of abuse by domestic intelligence and law enforcement agencies and third parties’ unauthorized access. Under the proposed model, multiple Russian government entities will directly access the unified passenger database. Currently, the EGIS OTB system (which would receive the new data) is accessible to the Federal Security Service (FSB), the Ministry of Internal Affairs (MVD), the Federal Air Transport Agency (Rosaviatsia), and the transport oversight service (Rostransnadzor). Giving such agencies comprehensive visibility into individuals’ travel plans and personal details greatly expands their surveillance reach. In an environment with limited independent judicial oversight, there is a high potential for mission creep – data collected ostensibly for “transport safety” could be repurposed to monitor political dissidents, activists, or any person of interest to the authorities without transparency or due process. For instance, security services could track an opposition figure’s domestic travels in real time and preemptively intervene if they suspect meetings or protests. They could also build detailed dossiers of an individual’s travel patterns and associations over the years. Historically, Russian intelligence and law enforcement have faced accusations of using surveillance powers to target journalists and government critics; this enriched travel database provides another powerful tool to do so. There is also a risk of illicit internal access, where officials query the system for personal motives or unlawful profiling. With millions of records at their fingertips, unscrupulous insiders might exploit the data – for example, to follow a business competitor’s movements or to harass citizens who have not committed any crime.
In addition to insider abuse, third-party intrusion and data leaks pose a significant threat. Russia has a known problem of personal data leakage and a thriving black market for confidential data. Even now, without this unified system, enterprising hackers or corrupt low-level employees have managed to obtain and sell passenger manifests and travel records. Investigative journalists have famously purchased or obtained leaked Russian databases to track the movements of security officers. For example, in 2020, Bellingcat and its partners acquired extensive travel data on FSB operatives – including flight and train trips – from Russian databases, enabling them to uncover agents’ routes in high-profile operations. This was possible because insufficiently protected government and airline data found its way into the hands of data brokers. By massively expanding and centralizing the data collected, the draft policy could create an even more tempting single target for hackers and data thieves. If the centralized passenger database were compromised, an attacker could retrieve years’ personal travel information on potentially every Russian traveler (and even foreign visitors). Such data could be exploited for identity theft, financial fraud (using contact and partial payment details), or doxxing and intimidation (revealing a person’s travel habits and associations). The risk of unauthorized access is heightened by including detailed contact info (emails, phones) and account credentials; a leak of hashed passwords, for instance, could allow criminals to attempt password-cracking and reuse attacks on individuals’ other accounts. In short, while the system is presented as a security measure, it paradoxically aggregates security risks to personal data, making abuse by authorities easier and breaches by malicious actors potentially far more damaging.
Data Scope and Integration into Russia’s Surveillance Patterns
The draft legislation dramatically widens the scope of data that airlines must collect from passengers, embedding this practice into Russia’s broader surveillance framework. Under current rules, airlines gather basic Passenger Name Record (PNR) details – such as the passenger’s name, passport number, travel dates, and route – already transmitted to EGIS OTB for security vetting. The new proposal expands this considerably to include nearly everything a passenger might input when buying a ticket. According to the text and official comments, the following specific data fields would be collected and centralized:
Contact Information: The passenger’s phone number and email address were provided during booking.
Account Credentials: User account data for the airline’s website or app – specifically the login (username) and the hashed password stored by the carrier.
Device/Network Data: The device or network’s IP address and port number used when booking. This logs the internet connection effectively and can infer the approximate location or link the booking to a specific computer or VPN endpoint.
Payment Details: Information about the electronic payment method used – including the name of the bank or payment provider and the last four digits of the account or bank card number. Additionally, the ticket cost and service class (e.g. economy, business) are to be recorded for each booking.
Ticket and Travel Details: Full details of the ticket itself (date of travel, origin, destination, and any other booking record information) which, combined with the above, mirrors a comprehensive PNR profile.
By accumulating these data points, Russian authorities effectively link individuals’ online identities and behaviors to their physical travel. Including IP addresses and device-related data is telling: Russia’s security agencies already operate a nationwide internet surveillance system (SORM) that can intercept online communications and metadata. With IP logs from airline bookings, an intelligence analyst could correlate a person’s travel purchase with other internet activity from that same IP (for example, social media use or emails sent around that timestamp), further enriching the surveillance picture. The login and password hash collection similarly indicates an attempt to bridge travel data with digital identity. Although passwords may be stored as hashes (one-way encrypted form), industry experts pointed out that requiring even hashed passwords is unusual and problematic. Airlines like Smartavia noted they do not store plain passwords and cannot “hand over” password data except as a hash, which has limited direct use. One rationale for authorities to seek password hashes could be to enable them, with effort, to attempt password-cracking or to check if a passenger reuses the same password elsewhere (which could grant access to that person’s other accounts). This blurs the line between pure travel security and general digital surveillance. Russian telecom laws (e.g., Yarovaya amendments) already force ISPs to store user communications and enable government access; now travel booking systems would feed into a similar data pipeline, extending the surveillance net to travel and financial activities.
These measures fit into an existing pattern in the Russian Federation of expanding state monitoring across different facets of daily life. Over the past decade, the government has introduced laws and systems to control information flows: from the above-mentioned SORM for communications, to extensive CCTV and facial recognition systems in public spaces, to centralized databases of personal data like the digital profile of citizens. The transport security database (EGIS OTB) was created to bolster counter-terrorism by tracking passengers, but this draft policy greatly amplifies its capabilities. It is reported that the Ministry of Transport’s digital transformation program envisions increasing the number of data elements stored per passenger from 6 to 22 data points by 2025–2026. This proposal is a direct manifestation of that plan. Such comprehensive personal data collection is characteristic of authoritarian regimes’ governance. China offers a parallel: it mandates real-name registration for all flight and train travel and integrates these records into a vast public security system. In China, travel data has been used to enforce the infamous “social credit” system. By 2018, Chinese authorities had blocked 17.5 million would-be airline passengers and 5.5 million train trips as penalties for offenses, under an ethos of “once discredited, limited everywhere”. Critics rightly call China’s system Orwellian, as it uses big data to monitor and control citizen behavior on a massive scale. Russia’s expanded EGIS OTB, while officially about transport safety, could likewise become a tool for comprehensive population oversight, especially when combined with other databases.
Finally, it is notable that the Ministry of Transport claims this new data collection is aligned with international civil aviation standards and necessary due to terrorist threats. Deputy Minister Dmitry Bakanov stated that the policy would only require information already recorded by the carrier’s system and is partly justified by amendments to the Chicago Convention on Civil Aviation. However, industry groups like the Association of Air Transport Operators (AЭВТ) argue that some of the demanded data are not typically collected in bookings and that compelling their disclosure may conflict with confidentiality laws. In fact, ICAO’s guidance (Doc 9944) on PNR data recommends that states not require carriers to provide data elements they do not already capture in their systems. The draft appears to overshoot such guidelines by forcing carriers to adjust systems to gather new categories (for instance, if carriers currently don’t log IP addresses or device ports, they would have to start doing so). This demonstrates how the policy’s surveillance ambitions drive it beyond standard global practices, integrating it tightly into Russia’s broader state surveillance regime.
Comparison to Global Privacy Norms and Data Retention Practices
The proposed Russian model starkly contrasts with privacy protection standards and data retention norms in democratic countries, while drawing parallels to more authoritarian approaches in nations like China or Iran. A key difference lies in data minimization and purpose limitation, principles enshrined in the EU’s General Data Protection Regulation (GDPR). GDPR would classify much of the data Russia plans to collect – IP addresses, emails, phone numbers, even hashed passwords – as personal data subject to strict protection. European law demands that personal data collected be limited to what is necessary for a specified purpose and that individuals be informed and consent or have another clear legal basis. It is highly unlikely that indiscriminate long-term storage of all passengers’ IP addresses or account logins for general security monitoring would meet GDPR’s necessity and proportionality tests. In fact, the European Court of Justice has signaled that mass data retention on everyone, without targeting, is a serious infringement of privacy rights. By comparison, the Russian draft mandates broad collection by default on all travelers, with no opt-out, which would be deemed unlawful in the EU.
Even when looking at Passenger Name Record (PNR) systems used in the EU and U.S. for security screening, Russia’s plan is more sweeping. The EU’s PNR Directive (2016) requires airlines to provide specific passenger data to national authorities for flights. However, this is mainly limited to flights entering or leaving the EU (with some states also applying it to internal flights). The data types in EU PNR are extensive (up to 19 elements), including names, travel itinerary, contact details, payment information, and baggage info – but notably do not include sensitive personal passwords or granular technical identifiers like IP addresses. Furthermore, the EU Directive built in data protection measures: PNR data must be depersonalized after six months, with identifying details masked, and completely deleted after five years unless an investigation is ongoing. By contrast, Russia’s system would keep all data fully identifiable for seven years or more, and cover all domestic and international journeys of its citizens (and possibly foreign travelers within Russia) without differentiation. European regulators have voiced that even a five-year blanket retention may be disproportionate – an EU Council legal advisor warned that the EU’s own PNR scheme could violate privacy rights as a “blanket retention of personal data”. The Russian model’s seven-year retention of highly detailed records for every trip would almost certainly breach European proportionality standards if subjected to the same scrutiny.
The United States also collects PNR data for flights, especially international routes, but under frameworks that differ from Russia’s approach. U.S. authorities (through the Department of Homeland Security) receive PNR information on travelers entering or leaving the U.S. and use it for terrorism and serious crime screening. The data fields can be similar to the EU’s (name, contacts, payment method, etc.), and the U.S. famously insisted on retaining PNR data for up to 15 years for counterterrorism purposes. This retention period (negotiated in a 2011 EU–US agreement) was controversial even then – it is three times longer than the EU’s own 5-year limit and drew criticism for violating “basic European principles”. However, important context is that U.S. retention applies to international travel records and is subject to specific filtering and oversight via the DHS Privacy Office. The Russian proposal applies a scaled-down version of a PNR system (because it’s initially for domestic use) but with scaled-up intrusiveness in data types and coverage, unlike the U.S., which does not, for instance, demand to know a traveler’s website password or routinely log the network port used to make a booking, Russia is seeking data that verge into monitoring of personal online behavior. Also, the U.S. does not maintain a centralized registry of all domestic travel accessible to police in real time – domestic flight manifests can be accessed via legal process if needed. Still, there isn’t a single, all-carrier database updated continuously for law enforcement. In Russia’s case, creating a unified, constantly updated travel database accessible by security services moves its practice closer to continuous domestic surveillance.
Meanwhile, authoritarian states tend to employ travel surveillance analogous to what Russia is building. China’s system, as mentioned, integrates travel data with a citizen scoring mechanism to control movement – a clear violation of Western privacy norms. Iran, too, tightly monitors the travel of specific individuals (especially activists or women without a male guardian’s permission in some cases) and uses security watchlists at airports. However, Iran’s systems are less publicly documented. Generally, Iran lacks a comprehensive data protection law like GDPR; the security services can access flight bookings and border control records freely. This means Iranian citizens and foreign visitors in Iran have little assurance of privacy in their travel details – a situation likely to mirror what will happen in Russia. The Russian government’s argument that its new data requirements are less than “many other countries” is not borne out by facts compared to Western democracies. No EU country or the U.S. demands that airlines hand over customers’ account passwords or systematically collects IP addresses for all bookings. These elements, however, would not be unusual in China’s or potentially other closed regimes’ internal monitoring. In summary, Russia’s model diverges sharply from GDPR and liberal privacy norms by mandating expansive data collection and long retention without individual consent or independent oversight. Its closest analogues are found in countries prioritizing state control over privacy, highlighting the policy’s alignment with global authoritarian practices rather than international privacy conventions.
Figure: Comparison of maximum passenger data retention periods in law. Unlike the EU’s five-year limit under the PNR framework and the U.S.’s controversial 15-year retention for certain travel records, Russia’s proposed system would retain passenger data for 7 years. (China’s retention is effectively indefinite in practice, as data are used on an ongoing basis for surveillance.)
Legal Implications Under Russian and International Law
Implementing this draft policy raises questions about its compliance with existing Russian laws and potential conflicts with international legal commitments on privacy. Under Russian domestic law, personal data protection is governed by the Federal Law on Personal Data (No. 152-FZ). This law generally requires that the collection and processing of personal data have a legitimate, defined purpose and, in many cases, the consent of the data subject. There are exemptions for authorities – for example, if data processing is necessary for the performance of a public function or for security reasons, consent may not be required. The Ministry of Transport is positioning the expanded data collection as a security measure (“to ensure the safety of passengers in the face of terrorist threats”). However, parts of the data to be collected, such as login credentials, could be interpreted as “confidential information” under Russian law. AЭВТ explicitly noted in its formal feedback that login and password data are confidential and “not subject to disclosure without the subject’s consent”. This suggests a tension: unless the government introduces a specific regulation that overrides the personal data law for this purpose, airlines handing over such data might be in violation of privacy guarantees to their customers. The draft resolution itself, once approved, would carry the force of law and likely amend any conflicting provisions, effectively compelling carriers to comply notwithstanding the general protections of 152-FZ. But until then, legal ambiguity remains, and airlines have flagged the need to reconcile this with privacy obligations.
Another domestic legal implication concerns the Constitution of the Russian Federation, which in Article 23 guarantees the right to privacy of correspondence and communications, and Article 24 which prohibits the collection, storage, and dissemination of information about a person’s private life without their consent, except as provided by law. The government can argue that this new requirement is indeed “provided by law” once passed, and it serves a legitimate aim (public security), thus meeting constitutional standards. Yet, if challenged, a court might ask whether collecting someone’s IP address and account password for a flight ticket is truly necessary and proportionate to that aim. In practice, Russian courts have generally deferred to the executive on national security measures, so a constitutional challenge might be unlikely to succeed. Still, the breadth of data here stretches the typical understanding of necessity, potentially setting a broad precedent for data gathering that could extend to other industries in the future under similar rationales.
Internationally, Russia’s policy might conflict with certain treaties or norms, although enforcement of those is doubtful given Russia’s current geopolitical stance. Russia was a party to the Council of Europe’s Convention 108 (for the Protection of Individuals with regard to Automatic Processing of Personal Data), which establishes principles for data protection and is open to non-European states as well. However, Russia’s membership in the Council of Europe was terminated in 2022, which likely affects its adherence and accountability under Convention 108. Even so, Convention 108+ (the modernized version) and general international privacy norms emphasize proportionality and transparency in data processing. The blanket surveillance inherent in this draft would likely be seen as violating those principles. For instance, the International Covenant on Civil and Political Rights (ICCPR), to which Russia is a signatory, provides in Article 17 that no one shall be subjected to arbitrary or unlawful interference with their privacy. One could argue that indiscriminately logging and retaining personal data of all travelers – without individualized suspicion and with minimal oversight – constitutes an arbitrary interference with privacy. The Russian government would counter that it’s “lawful” because a domestic law permits it, but arbitrariness also implies a lack of necessity or proportionality. United Nations human rights bodies have criticized mass surveillance programs on these grounds, and this travel data scheme could fall into that category.
Moreover, Russia’s obligations in international civil aviation might be at play. The draft was linked to “changes in the Convention on International Civil Aviation” (the Chicago Convention) by the Transport Ministry. The Chicago Convention (Annex 9) does encourage states to use PNR data for security purposes, but it also calls for cooperation in facilitation of travel and respecting passengers’ rights. If the new requirements impede foreign carriers or conflict with data protection laws of other countries, it could lead to disputes. For example, an EU airline operating flights to Russia would find itself in a legal bind: EU GDPR forbids exporting personal data to a third country (Russia) without adequate protection. If Russia mandates that airline to transmit European passengers’ phone numbers, emails, etc., into a Russian state database, the airline might be breaching GDPR unless some exemption applies (perhaps if required by an international agreement or if the passengers give consent as part of the contract). In the absence of an EU-Russia PNR agreement (which doesn’t exist, unlike EU-US), this could become a legal flashpoint. A similar issue arose in the past when the EU negotiated PNR data sharing with the US and Canada – privacy concerns had to be balanced with security demands. Should this Russian policy be enacted, foreign airlines and travelers might seek clarity or even challenge the data transfer on legal grounds in their home jurisdictions.
In summary, under Russian law the government likely has the muscle to legalize this data haul, but it raises internal contradictions with privacy statutes that would need to be overridden. Internationally, it runs counter to prevalent privacy treaties and could complicate Russia’s aviation relations, although enforcement of privacy rights across borders (especially given Russia’s current diplomatic isolation from Western bodies) remains uncertain. The policy might also be scrutinized under any future legal proceedings or sanctions – for instance, other countries could cite it as evidence of Russia violating international privacy norms, just as Russia often points to Western surveillance as hypocritical. The legal trajectory thus pits state security powers against privacy rights, with the scales in the Russian context tipped heavily toward the former.
Access by Agencies and History of Database Misuse
If implemented, this policy will designate certain government bodies as authorized recipients of the passenger data, and Russia’s track record with similar databases raises alarms about misuse. Which entities gain access? As of now, the centralized transport safety database (EGIS OTB) is operated by the Ministry of Transport, with a state-owned IT enterprise (FGUP “ZashitaInfotrans”) ensuring its technical running. Key security and enforcement agencies have access: notably the FSB (Federal Security Service), which is Russia’s main domestic intelligence agency, and the MVD (Ministry of Internal Affairs), which oversees the police, are granted direct access to query and receive information. In addition, Rosaviatsia (the aviation authority) and Rostransnadzor (transport regulator) have database access rights, likely to monitor compliance and safety incidents. It is possible that other agencies like the Federal Customs Service or Border Guard (a branch of FSB) would also tap into the data for their functions (e.g. tracking those on exit/entry watchlists). Essentially, once data is pooled in a central system, Russian practice is to make it broadly available across the security apparatus — a concept often referred to as creating a “digital profile” of citizens accessible to various state actors.
The historical record of misuse of personal data in Russia by such agencies is troubling. There have been numerous instances where databases nominally used for law enforcement or security were repurposed or accessed illegally. One recurring issue is unauthorized queries by officials: police or security officers have been caught obtaining private data on journalists, activists, or even acquaintances without a valid reason. For example, in the past, traffic police databases and mobile phone databases have been used to stalk individuals or were sold to private investigators. With a comprehensive travel database, an unscrupulous officer could look up, for instance, where a particular person has traveled in the last year and hand that info to a third party for a bribe. Unfortunately, demand for such information is high on the black market. The Bellingcat investigation into FSB activities revealed that corrupt insiders and data brokers have easy access to government data systems – for “a few hundred euros” they could retrieve phone call records with cell tower locations or passenger flight records, and these services are often advertised via anonymous online channels. In one case, investigative reporters were able to buy the flight itinerary of an FSB team, which directly led to unmasking their clandestine operations. This underscores that even highly sensitive databases in Russia are not immune to misuse and leaks.
A specific historical misuse example: in 2019, after opposition leader Alexey Navalny was poisoned, Bellingcat and partners obtained data on the travel movements of the FSB unit involved by accessing Russian rail and air ticket databases. They compiled a spreadsheet of 565 trips made by those operatives, covering flights and train rides over several years. Such data should, in theory, have been confidential and used only by authorities to combat terrorism, but it was available to outsiders through illicit means. While in this case the data exposure served a public interest by exposing a crime, it demonstrates how easily state-held travel records can leak. The consequence is that once the new system stores every passenger’s detailed travel profile, it might only be a matter of time before large portions of it end up in the wrong hands – whether that be foreign intelligence agencies, criminal groups, or hacktivists. There is also a precedent of insufficient accountability for officials who misuse databases. Penalties exist on paper, and occasionally someone is prosecuted for selling data, but enforcement is sporadic. This lack of stringent accountability means agency personnel might not be strongly deterred from using the data for political repression or personal gain.
It’s worth noting that one Duma lawmaker, Anton Gorelkin, voiced concern that the planned data set is excessive and could invite misuse. He specifically criticized the need for collecting account passwords, noting that doing so would force airlines to stop encrypting passwords and “hackers will say thank you” for the easier access. His statement acknowledges the security risk and hints at the broader misuse issue: once data is collected in plain form, it’s much more vulnerable to both external and internal exploitation. Despite such warnings, a source “close to Mintrans” indicated that the draft will not be revised to remove these data points and downplayed leak fears as exaggerated. This attitude suggests that the agencies’ desire for more data is trumping considerations of restraint or privacy.
In conclusion, FSB, MVD, and related bodies will gain a rich new stream of personal information through this policy, expanding their surveillance toolkit. Russia’s past experiences show that similar troves of data (phone logs, vehicle registrations, etc.) have repeatedly been misused or leaked. Without robust independent oversight – which Russia lacks in matters of state security – there is a strong likelihood that the travel database, too, will be employed in ways beyond its official counter-terrorism scope and will be prone to illicit access. The history of misuse casts a long shadow over the promises of safety; it illustrates that a database created for “security” can quickly become a tool for abuse and an object of insider commerce, to the detriment of citizen privacy and even national security (if foreign adversaries obtain the data).
Impact on Travelers, Dissidents, and Other Stakeholders
The implementation of this policy will not affect all groups equally; certain categories of individuals face higher risks and potential negative impacts. We can break down the stakeholders into a few key groups and assess how the expanded data collection might affect them:
Ordinary Russian Travelers (General Public): The average law-abiding citizen may not feel an immediate change when booking a flight or train ticket – as the Parliamentary Gazette noted, “citizens themselves will not feel the difference, since no additional information is asked from them” at booking. However, behind the scenes these individuals’ privacy is diminished. Their movements between cities, vacation trips, and personal visits will all be logged for years. For most people, the surveillance risk remains moderate; they are unlikely to be actively tracked by security agencies. Yet they still incur an elevated data breach risk – in the event of a leak, their contact and travel details could become public or be used for scams (for instance, fraudsters knowing someone’s recent travel might target them with related phishing attacks). Thus, while the general public might not face direct harassment, they shoulder the collective burden of living under increased state observation and the potential fallout of any cybersecurity failures.
Political Dissidents and Civil Society Activists: This group faces a high surveillance risk. Activists, opposition politicians, and NGO workers are often of interest to the FSB and police. With the new system, their domestic travel can be monitored as easily as international travel. Patterns in their movements (e.g. attending rallies, meeting with supporters in different cities) will be readily apparent to authorities, who could respond with intimidation or preemptive detentions. For example, if an opposition figure frequently travels to a particular region, local security might increase scrutiny or surveillance on the ground during those trips. Activists already experience travel-related pressures – in recent years, some were even prevented from leaving Russia or removed from trains on dubious grounds. This database could facilitate travel bans or tracking; an activist might unknowingly be flagged so that whenever they book a ticket, an alert goes to security services. Additionally, if leaked, the data could expose activists’ networks (e.g. if multiple activists booked tickets to the same meeting, a leak could reveal that gathering). The personal safety and freedom of movement of dissidents are therefore at stake, making their risk level very high.
Independent Journalists and Media Personnel: Journalists (especially investigative reporters) often operate in a climate of distrust with the authorities in Russia. They share many of the same risks as dissidents – being surveilled, tracked to their sources, or harassed. If a reporter is secretly traveling to meet a whistleblower, the centralized system could tip off the security services. There’s a precedent of journalists being followed or intercepted; with this data, it could happen systematically. For foreign correspondents in Russia, the stakes are also high: their contacts, movements, and perhaps even habits (like frequent trips to certain regions or border areas) become transparent to state agencies. This may lead to increased censorship and self-censorship, as journalists might avoid traveling with phones or credit cards to keep a lower profile – but even the act of buying a ticket will leave a trace. Thus, for journalists, the state surveillance risk is high, and the risk of data misuse (like being doxxed or having trip details leaked to pro-government media) is also elevated.
Foreign Travelers to Russia: Foreign nationals visiting or transiting through Russia form another stakeholder group. Tourists or business travelers from abroad might be unaware that their personal details (provided during booking) will be funneled into a Russian government database. This includes potentially sensitive data like phone numbers, emails, and partial financial info. The privacy expectations of these travelers (for instance, Europeans protected by GDPR at home) will not be met in Russia. Their data could be used for counter-intelligence profiling – for example, if a foreign NGO worker or diplomat travels internally, FSB could track their itinerary. In the past, Russia has surveilled foreign NGOs and even expelled some individuals; a rich travel history database makes such monitoring easier. For ordinary tourists, the personal impact is likely low unless a data breach occurs. However, if their data were compromised, foreigners could become targets of phishing or, hypothetically, be scrutinized upon future visits if their past travel within Russia is deemed unusual. One should also consider exiled Russian dissidents who are now foreign residents: if they return to Russia or even communicate with someone buying a ticket for them, that info could endanger them. Foreign travelers thus face a moderate surveillance risk (higher if they are politically notable) and a moderate data breach risk, considering they have little control or recourse regarding how Russian authorities handle their personal information.
Airlines and Booking Operators (Industry): While not individuals, the companies operating in this space are stakeholders too. They will bear the compliance burden of adapting systems to collect and transmit the new data, incurring financial costs and technical challenges. Airlines have expressed concern about the feasibility of automating the transfer of such a volume of data and about liability for data leaks. Indeed, if a breach occurs, the immediate blame might fall on the airline’s security measures. Under Russian law, recent amendments increased fines for personal data leaks significantly (up to 3% of annual revenue for repeat offenses). So airlines are anxious that being forced to gather and hold more data will make them liable to punishment if that data is compromised, even if the compromise happens on the government’s side. The industry also fears reputational damage: passengers may lose trust knowing their information is siphoned to government databases. Some foreign carriers might even face legal conflicts as discussed, which could affect operations. In summary, from an industry perspective, the policy introduces high compliance costs and security risks, along with unclear benefits.
Risk Matrix: Relative risk levels for different stakeholder groups under the new data regime. “State Surveillance Risk” reflects the likelihood of being targeted or monitored by authorities using the data; “Data Breach/Misuse Risk” reflects exposure if the data leaks or is misused by third parties. High-risk groups like activists and journalists face intense surveillance danger, while the general public and foreign visitors see moderate privacy intrusions and breach exposure.
As the risk matrix illustrates, dissidents/activists and independent journalists are the most vulnerable groups. They combine both high surveillance risk (the state has interest in their activities) and a non-negligible breach risk (since their data, if leaked, could be weaponized by hostile actors or trolls). The general public and ordinary foreign travelers are assigned moderate risks – they are less likely to be singled out by the state, but their personal data still accumulates in the system and could be swept up in any large-scale abuse or hack. In all cases, the policy tilts the balance toward the government’s awareness of everyone’s movement, at the expense of personal privacy. It also potentially creates a chilling effect: people knowing they are tracked might avoid traveling to certain places or attending gatherings (the so-called “Panopticon effect” where surveillance, or even the idea of it, alters behavior). For foreigners, knowledge of such surveillance might deter tourism or business travel to Russia, especially for those from countries with strong privacy expectations.
In conclusion, while the stated goal is catching criminals and ensuring transport safety, the side effects on society are significant. Law-abiding citizens must cede more of their privacy. Those who dissent or seek to report truth face greater peril of being watched and hindered. Even if one trusts the government’s intentions, the aggregation of so much data means any future political abuse or security failure could have far-reaching consequences for many stakeholders.
Security Measures and Risk of Compromise
A critical aspect of the draft policy is the assurance of data security – whether the sensitive information collected can be protected from unauthorized access or cyber threats. The draft amendments themselves reference the need for “measures to protect the information contained” in the system. In practice, Russian authorities have indicated that the EGIS OTB system will employ certified protection tools and adhere to government security standards. Typically, this means using encryption and storage systems certified by the Federal Security Service (FSB) or Federal Service for Technical and Export Control (FSTEC) for handling personal and classified data. The data will reside on servers under Russian jurisdiction, presumably in secure data centers managed by state-affiliated entities (like ZashitaInfotrans). Such facilities often must meet GOST standards (Russian national standards) for information security. The Ministry of Transport has a budgeted program to invest heavily in upgrading the transport security information system – reportedly spending 2.5 billion rubles by 2026 to enhance it. These funds likely go into improving infrastructure, resilience, and defensive cybersecurity measures for the EGIS OTB network.
Officials have publicly touted the security of the system. A source close to Mintrans claimed that EGIS OTB systems are “protected better” than the airlines’ own reservation systems. This confidence suggests deployment of robust firewalls, intrusion detection, encryption of data in transit and at rest, and strict access controls. It also implies that the central system might have undergone security audits or has a higher security classification (given that it serves national security purposes). Furthermore, the lawmaker Anton Gorelkin – while criticizing aspects of the data collected – stated he does “not doubt the level of protection” of the unified system, acknowledging that it’s above the security of many commercial booking systems. However, he immediately pointed out a catch: one of the data requirements (passwords) could actually undermine security by forcing airlines to handle passwords in an unsafe way. This highlights a nuance: technical adequacy of security measures is not just about the central database, but also about what the airlines must do. If airlines are pressured to deliver passwords, they might have to store them in plaintext or reversible form (since a hashed password is of limited use to authorities). That would be a violation of basic cybersecurity practices and create new vulnerabilities at the airline level. Even if the central repository is secure, weakest-link issues arise if each carrier has to modify its systems. The policy does stipulate that if certain data weren’t collected (not “actually recorded”), the airline doesn’t have to invent new collection. But in reality, to comply, many may start recording extra data anyway. Any security lapses in that data handling pipeline – for example, an airline’s server transmitting data via FTP as hinted by some tech docs – could expose the information en route to the government system.
Moreover, the sheer aggregation in one place increases the risk of catastrophic compromise. With all travel data centralized, a single breach of EGIS OTB could yield far more information than hacking one airline. Even with certified encryption, insiders with access credentials pose a risk. The system’s operator staff and connected agency users have to be trusted not to mishandle their access. Past incidents in Russia show insiders can be bribed or coerced. While the system might log queries and have authentication steps, the breadth of authorized personnel (FSB, MVD, etc.) means many points of potential failure. Additionally, advanced persistent threat actors (for example, foreign hackers or state-sponsored groups) might find this database a lucrative target – it’s essentially an intelligence goldmine of personal patterns. If Russia’s adversaries were to breach it, they could extract profiles of Russian officials (since they travel too), undercover agents’ movements, or details on foreign visitors. The national security implications of such a compromise would be serious.
From a technical adequacy standpoint, questions remain whether the system’s design can truly safeguard against these scenarios. Encryption can protect data in storage, but when data is used (queried by an authorized user), it must be decrypted for viewing, at which point it’s only as secure as the user and their device. Russia has seen some improvements in cybersecurity posture in recent years, particularly after being hit with data leaks and realizing the need to secure critical systems. However, the track record discussed earlier – abundant leaks via Telegram bots and forums – suggests that enforcement of security protocols is inconsistent. The government might mandate multi-factor authentication, strict role-based access, and regular security audits for EGIS OTB. Those are positive measures, yet the human factor (the “insider threat”) and the value of the data means the risk of compromise can never be zero. Even a small chance of breach, multiplied by a huge data trove, equals a significant risk.
One particular concern is whether requiring the use of only Russian-certified cryptography (as is common for sensitive systems) could limit interoperability or the strength of security. Russian cryptographic algorithms, while certified domestically, are not peer-reviewed internationally to the extent of say AES or RSA standards. If weaker or backdoored algorithms were used under the hood (for example, to allow lawful interception by FSB), that could inadvertently open doors for unauthorized hackers as well. Without specific details on the “certified tools” (which likely refers to certified encryption modules, secure operating systems, etc.), it’s hard to evaluate their resilience. But skepticism remains warranted: as one airline representative put it, “the more information collected, the greater the negative consequences in case of a leak”. No matter how certified or fortified the storage, the expansion of data multiplies the potential damage if something goes wrong.
In conclusion, the proposal mandates state-of-the-art security measures on paper and officials express confidence in them, but significant risks persist. The centralized system will presumably use strong protections, yet the requirement to centralize is itself what heightens the stakes. Every link in the data chain – from the airline’s data capture, through transmission, to storage and access – must be secure to claim overall safety. Given the history of data leaks and the inherent complexity of securing such a system against both external and internal threats, many observers remain concerned that technical safeguards may prove inadequate. The result could be exposure of exactly the kind of sensitive personal information the policy promises to keep safe, thereby undermining both public trust and the very security goals the system was meant to serve.
Conclusion
The draft policy “On Amending Resolution No. 1393” represents a significant shift in how the Russian state intersects with the domain of civil aviation and broader travel. On the surface, it is presented as a modernization of data requirements to enhance transport security and align with international practices against threats like terrorism. In substance, however, it establishes a new surveillance infrastructure with capabilities and legal reach far beyond those international counterparts. The policy’s structural elements – from compelling only Russian-controlled booking systems to funneling a rich set of personal data into a centralized government database – echo classic instruments of authoritarian control over a population. It effectively turns every airline ticket into a data point for state analysis, stored for years and accessible to an array of security bodies.
The analysis above identified multiple layers of risk and impact:
Surveillance and Authoritarian Features: The centralization of travel records and the broadening of data types (including digital fingerprints like IP addresses) are clear markers of a surveillance-state approach. The requirement that systems be under domestic jurisdiction with no foreign influence ensures the state’s unchecked access and also mirrors a self-isolation trend under the banner of “data sovereignty.” These features cement the state’s ability to monitor and potentially control citizens’ movements, much as it already tries to control information flows online.
Abuse Potential: With agencies like the FSB and MVD plugged into this trove, the likelihood of data being used beyond its intended scope is high. Past experiences show that once data exists, it tends to be exploited. The existence of a comprehensive travel database could lead to its use in routine law enforcement, political surveillance, or even personal vendettas by officials – essentially normalizing a continuous tracking of citizens. Meanwhile, the centralization magnifies the harm of any data breach or leak, potentially exposing millions to privacy violations.
Data Collected in Context: The specific personal data points to be collected raise red flags, especially when viewed against Russia’s existing surveillance methods. Collecting account credentials and IP information bridges a gap between one’s online life and physical travel, fitting into a pattern of holistic surveillance (something China has pursued with its fusion of data sources). While authorities claim this will help find “behavioral anomalies” of criminals, it will inevitably also scoop up perfectly innocent anomalies or be used to infer things about citizens’ lives that should be private.
Global Norms vs. Russian Model: In contrast to EU and US practices – where data collection is more targeted, retention shorter, and privacy safeguards stronger – the Russian proposal is indiscriminate and prolonged. It aligns more with the likes of China’s social credit travel blacklists, though without explicitly linking to a score system. Countries with strong privacy laws would deem this kind of blanket data processing unlawful or excessive. Russia appears willing to sidestep such norms, prioritizing state security imperatives. This could isolate Russia further in terms of data-sharing agreements; foreign carriers and countries might be wary of Russia’s demands and treatment of personal data.
Legal and Treaty Considerations: Domestically, the policy will likely override conflicting privacy protections, but it exemplifies a departure from rule-of-law standards in data handling. Internationally, it stands at odds with principles Russia once agreed to, such as those in human rights treaties. It underscores the country’s broader pivot away from European legal frameworks since 2022, effectively placing internal security needs above international privacy commitments.
Agencies and Misuse History: The agencies set to benefit – security and law enforcement – unfortunately come with a baggage of misuse incidents. The analysis documented how Russian databases often leak or are misused, which undermines confidence in new ones. The policy doesn’t clearly spell out independent oversight or auditing of how agencies use the data; absent that, the fox is guarding the henhouse.
Stakeholder Impact: Different groups will feel the effects to varying degrees. For the average person, the change is invisible but their privacy quietly erodes. For activists, journalists, and regime critics, this tool can further constrict their space to operate and expose them to harassment or repression. Foreign travelers, too, will be under a level of scrutiny they might not expect, raising ethical issues for companies facilitating travel to Russia. The risk matrix indicates high concern for those already vulnerable in Russia’s political climate.
Security Adequacy: While Russia plans to secure the system with certified tools and heavy investment – and has publicly assured its safety – skepticism remains justified. The requirement to gather more data ironically creates new security dilemmas (like handling of passwords) and a more attractive target for attackers. The effectiveness of the security measures will hinge on flawless implementation and discipline, which is hard to guarantee. A single breach could undo the perceived security benefits by exposing sensitive data en masse.
In a broader context, this draft policy can be seen as part of the tightening of state control in Russia across various sectors since the start of the war in 2022. From greater censorship online to economic autarky to now internal movement monitoring, the Russian government is fortifying an ecosystem where it can observe and direct the populace with minimal external interference or oversight. Travel data may have been one of the few remaining areas of personal life that wasn’t yet fully surveilled – after this policy, that will no longer be the case. The convergence of travel, tech, and security in this proposal encapsulates the challenges of the modern digital age: how to balance safety and freedom. In the Russian case, the balance is decisively tilted toward state security, raising critical voices about the cost to privacy and civil liberties.
Ultimately, whether this policy will truly enhance security is debatable. Supporters argue it gives tools to catch dangerous persons (the Mintrans source spoke of identifying everyone “from smugglers to terrorists” faster). Detractors point out that terrorists can adapt (use VPNs, burner phones, etc., rendering some collected data moot) and that the policy will generate massive data that’s costly to protect and analyze without clear benefit – all while putting ordinary people’s rights at risk. What is clear is that it empowers the state and demands trust in its institutions’ intentions and competence. Given the Russian government’s trajectory and the concerns raised by experts, there is considerable reason to question whether that trust is merited, and to closely watch how these draft measures evolve into practice. The world, particularly those concerned with privacy and human rights, will be watching as Russia navigates the implementation of this surveillance-heavy model of transport security.
