On May 27, 2026, the Russian business daily Kommersant flagged a draft order, published days earlier on the official legal-acts portal pravo.gov.ru, that would sharply expand the user data telecom operators must store and make searchable for the security services through SORM — the country's lawful-interception architecture. According to Meduza and Kommersant, the new list adds passport data and home addresses, taxpayer identification numbers (INN), banking details, IP addresses, domains, usernames, and precise geolocation — and specifies the machine interfaces (GraphQL, WebSocket, HTTP) through which agencies can query it. Crucially, the draft would bar operators from running at all without SORM connected, even if they hold a valid license.
What actually changed
SORM is not new. It dates to 1995, and successive versions (SORM-2 in 1998, SORM-3 in 2014) progressively extended interception from telephony to internet traffic and bulk metadata retention, reinforced by the 2016 Yarovaya amendments. What the draft order changes is not the existence of surveillance but its resolution. Igor Bederov of the security firm T.Hunter told Kommersant the previous requirements were "far more general in scope," and that the state is making data collection "not just comprehensive, but intelligent."
That is the key shift. Earlier SORM obligations centered on intercepting communications content and metadata. The new schema fuses a subscriber's legal identity (passport, INN), financial identity (bank details), and network identity (IP, domain, login, geolocation) into a single queryable record. In practice, that lets an agency move instantly from an IP address or username to a named, locatable, financially-profiled individual — deanonymization "on the fly," as Russian outlets put it.
The case for it — stated fairly
Every state asserts a legitimate interest in lawful interception. Identifying the human behind a fraud ring, a child-exploitation network, or a botnet command server is a genuine investigative need — and Russia-linked infrastructure is implicated in exactly such abuse. Dutch police on May 29, 2026 dismantled a 17-million-device botnet tied to a Russia-based residential-proxy provider. Standardized, machine-readable lawful-access interfaces are, in the abstract, more auditable than ad-hoc data demands, and most democracies maintain some statutory interception regime (the EU's e-evidence rules, the US CLOUD Act). A regulator can plausibly argue this is mere modernization of a long-standing, legally grounded system.
Why this version fails the proportionality test
That argument collapses on the specifics. Proportionate lawful access is targeted, judicially supervised, and minimized to what a specific investigation requires. This draft inverts all three. It mandates that operators pre-stage the most sensitive categories of personal data — banking and passport records that have nothing to do with telecommunications service — in a form designed for bulk, low-friction querying. SORM has historically operated without per-request judicial scrutiny visible to the operator or subscriber; bolting financial and identity data onto that pipe creates a standing deanonymization capability, not a warrant-bound investigative tool.
The data-security risk is not hypothetical. Centralizing passport numbers, tax IDs, and bank details across every carrier multiplies the attack surface for exactly the criminal proxy networks cited above. Russia's own institutions illustrate the fragility: on April 15, 2026, the Interior Ministry abruptly cut banks' access to the federal passport database without explanation, disrupting lending nationwide. A system this brittle should not be the custodian of a real-time identity-to-finance graph for the entire population.
Compounding the squeeze on the open internet
The order does not arrive in isolation. It lands amid the most aggressive internet-control push in Russia's post-Soviet history. By mid-January 2026, Roskomnadzor had restricted access to more than 400 VPN services; WhatsApp was fully blocked in February 2026 and Telegram throttled; authorities ordered major platforms to block VPN-using visitors by April 15, and Apple pulled 761 VPN apps from its Russian store. Penalties now attach to searching for "extremist" material, including via VPN. Against that backdrop, an upgraded SORM that resolves any IP to a named, geolocated person is the enforcement engine that makes the VPN crackdown bite — and that chills ordinary, lawful speech.
The cost to the sector
There is a competition dimension too. Kommersant reports minimal SORM compliance hardware starts around 5 million rubles, with a proposed licensing overhaul (tiers up to 50 million rubles, plus a ban on individual-entrepreneur licenses) and the lifting of an inspection moratorium. Industry experts predict consolidation, less competition, and higher consumer tariffs. A rule that forces small operators out and raises prices while expanding state visibility is the opposite of pro-innovation policy.
Bottom line
Modernizing lawful-access plumbing is defensible; building a population-scale, real-time deanonymization layer that links identity, finance, and network data with minimal oversight is not. The draft is still open for comment — the proportionate path is to strip the financial and passport categories, require per-request judicial authorization, and abandon the operate-only-with-SORM mandate. Absent that, this is surveillance maximalism dressed as a technical update.