Data collection code in mobile apps sends user data to “Russian Google”


Russia’s largest internet company has embedded code in apps found on mobile devices that allows information about millions of users to be sent to servers in its home country.

The revelation concerns software created by Yandex that allows developers to create apps for devices running Apple’s iOS and Google’s Android, systems that run the vast majority of the world’s smartphones.

Yandex collects user data from mobile phones before sending the information to servers in Russia. The researchers raised concerns that the same “metadata” could then be accessed by the Kremlin and used to track people through their cellphones.

Researcher Zach Edwards discovered Yandex’s code as part of an application audit campaign for Me2B Alliance, a non-profit organization. Four independent experts conducted tests for the Financial Times to verify his work.

Yandex acknowledged that its software collects “device, network and IP address” information that is stored “both in Finland and Russia”, but it called this data “non-personalized and very limited.” It added: “Although theoretically possible, in practice it is extremely difficult to identify users solely on the basis of the information collected. Yandex certainly cannot do this.”

The revelations come at a critical time for Yandex, often dubbed “Russia’s Google,” which has long been trying to chart an independent course without clashing with Russian President Vladimir Putin’s desire for greater control of the internet.

The company said it followed a “very strict” internal process when dealing with governments: “Any request that does not meet all relevant procedural and legal requirements is rejected.”

But Cher Scarlett, formerly Apple’s senior global security software engineer, said that once user information is collected on Russian servers, Yandex may be required to submit it to the government under local laws. Other experts said metadata of the type collected by Yandex could be used to identify users.

Ron Wyden, chairman of the US Senate Finance Committee and one of the architects of US internet regulation, has sharply criticized Google and Apple for not doing enough to secure smartphones from Yandex software, which is found in 52,000 apps reaching hundreds of millions of consumers.

“These apps extract private and sensitive data from apps on your phone, threatening US national security and the privacy of Americans and others around the world,” he said.

Yandex is considered a global technology giant; it is listed on the New York Stock Exchange and majority-owned by US funds. It is incorporated in Amsterdam, and its founder, Arkady Volozh, lives in Israel. In 2019, the company reached an agreement with the Russian government, codifying a structure that ensures that Moscow can intervene on certain issues such as foreign acquisitions without controlling day-to-day operations.

Casey J. Nelson