Strengthening User Protection: New Measures by Minцифры to Combat Marketplace Fraud with Enhanced Data Sharing

The Ministry of Digital Development has unveiled a new version of regulations on its legal acts portal, mandating that marketplace platforms and classifieds transmit data to law enforcement upon request through the System of Interdepartmental Electronic Interaction (SMEV). This system facilitates information sharing among federal and regional agencies, multifunctional centers, and some commercial entities. The initiative aims to bolster efforts against the rising tide of cyber fraud.

Additionally, the Ministry has proposed to broaden the scope of user data that marketplaces and classifieds are required to share with authorities. This expanded data set includes user timestamps, IP addresses, and ports, as well as, where applicable, a snapshot of the operating system, user agents, UID, IMEI, IMSI (SIM card identifiers), MAC addresses, and the location of the device used for transactions. These measures are intended to identify and combat fraudulent activities more effectively. The new regulations are expected to come into effect on September 1, 2025.

The document was refined considering feedback from relevant authorities and industry stakeholders, as explained by representatives from the Ministry. “In the revised draft, we have endeavored to accommodate the perspectives and interests of all parties. The expanded data requirements aim to enhance the efficiency of combatting cybercrime. This clarified listing will allow for the request and provision of more specific information, thereby reducing the likelihood of additional queries,” the Ministry added.

The revised rules significantly enlarge the list of data that marketplaces and aggregators must provide to security agencies (including the Ministry of Internal Affairs, FSB, National Guard, Investigative Committee, and Federal Security Service) upon their request via SMEV, as noted by Igor Bederov, head of the investigation department at T.Hunter. “Essentially, this compels platforms to gather and provide data that is as detailed as what is collected by telecommunications operators. This represents a major step towards increasing government oversight in the digital realm and significantly diminishes the anonymity of online transactions and activities within these platforms,” Bederov remarked.

Bederov believes that this data will be crucial in countering cybercriminals. “Historically, the challenge has been that digital traces of criminal activities available at the ‘crime scene’ (in server logs) rarely correlated with specific individuals, despite the availability of relevant data within the Ministry of Internal Affairs. Now, log data linked to identified user accounts will be accessible. Consequently, authorities will be able to ‘link’ suspects to particular crimes,” he concluded.

The Ministry has clarified the situation surrounding this issue in the media.

Reports have circulated suggesting that law enforcement would have access to the location data of all marketplace users, but this is not the case. To clarify, data will only be requested when there is reasonable suspicion of fraud. For example, if a fraudster impersonates a seller and obtains a user’s card data, or if a buyer transfers money but does not receive the purchased item. Thanks to the interdepartmental electronic interaction system (SMEV), law enforcement can swiftly obtain the necessary information to solve crimes.

All data will be shared by marketplaces solely in instances stipulated by law. Law enforcement must provide a legal basis for their requests in each instance.

Data exchange will be conducted with all necessary safeguards for data protection, as well as for the rights and interests of citizens.

We will conduct all required consultations and clarifications with marketplaces regarding their connection to SMEV and data sharing.

The proposed measures are designed to reduce the time taken to resolve cybercrimes and enhance the effectiveness of the collaboration between marketplace staff and law enforcement.

The Association of Big Data (ABD, which includes companies like Yandex, VK, Sber, Megafon, Rostelecom, Beeline, MTS, VTB, Avito, and HeadHunter) has expressed concerns to the media about the feasibility and proportionality of the data requirements that aggregators must transmit through SMEV. “Many companies do not collect or retain certain data, such as operating system snapshots, IMEI, IMSI, or MAC addresses, especially if they do not have their own mobile infrastructure. It’s crucial to strike a balance between governmental interests and business capabilities; otherwise, even well-intentioned market players may struggle to formally comply with the requirements,” stated the ABD.