The most prominent of the projects, Nautilus-S, was meant to deanonymize Tor traffic and create a database of Tor users and devices. Work started on it in 2012, and it appears to have been put into use in 2014, when Swedish researchers discovered Russian Tor nodes trying to decipher data. It’s unclear how successful the FSB has been, but its goal was likely to identify and silence political dissidents.

Other projects weren’t as ambitious. One project that reached the test phase, Hope, mapped the Russian section of the internet and its connections to other countries. Nautilus (not Nautilus-S) collected social network data. Reward was meant to penetrate peer-to-peer networks, while Mentor was built to search and spy on the email of Russian companies. Tax-3 would have created a closed intranet to keep the information of key political figures and judges away from regular government networks.

SyTech took down its website after the hack and has so far declined to respond to the press.

This isn’t the first hack against an FSB contractor. Quantum faced its own breach in 2018. The treasure trove of data appears to be larger here, though. It’s also a likely embarrassment for the FSB. The agency has thrived on covering its tracks and otherwise remaining secretive, but couldn’t ensure that key partners were equally secure. As in many other cases, security was only as strong as the weakest link in the chain.

It would only affect sites with more than 100,000 registered users, bring in revenues above €500,000 per year or receive press subsidies larger than €50,000. There would also be exemptions for e-commerce sites as well as those that don’t earn money from either ads or the content itself.

If passed and cleared by the EU, the law would take effect in 2020.

There are a number of concerns about the draft, though, and many revolve around those exceptions. They’re meant to give young sites a chance to grow before they police their users, but they might actually protect the communities most likely to engage in abusive comments, such as hate groups that may have small bases and no advertising. There’s even a potential conflict of interest — the law might protect the ruling party’s junior partner in government, the populist Freedom Party, from having to curb hate speech on its sites.

The EU might balk at the law, too, as it could punish European companies more harshly than in their countries of origin.

As always, there’s also the simple question of privacy. While requiring names and addresses could discourage harassment and hate speech, it might also discourage people from coming forward with insightful stories and opinions. Moreover, this would turn sites into veritable gold mines for hackers — if they could breach a database, they might swipe personal information for thousands or millions of users. Simply put, there could be a chilling effect on freedom of expression even as Austria attempts to preserve it.