Cloudflare has identified Max, a popular Russian messaging app, as spyware. Fletcher and Octavio dig into what this means for digital surveillance, press freedom, and the future of privacy in the age of authoritarian states.
Cloudflare ha identificado Max, la popular aplicación de mensajería rusa, como un programa espía. Fletcher y Octavio exploran qué significa esto para la vigilancia digital, la libertad de prensa y el futuro de la privacidad en la era de los estados autoritarios.
8 essential B2-level terms from this episode, with translations and example sentences in Spanish.
| Spanish | English | Example |
|---|---|---|
| programa espía | spyware | Cloudflare identificó Max como un programa espía que recopila datos sin el conocimiento del usuario. |
| recopilar | to collect / to gather (data) | La aplicación recopila información sobre tu ubicación aunque no hayas dado permiso explícito. |
| infraestructura | infrastructure | La vigilancia está integrada en la infraestructura digital del país. |
| intimidad | privacy / intimacy (in the deeper, personal sense) | El derecho a la intimidad está protegido por la Constitución española. |
| autocensura | self-censorship | Cuando la gente sabe que puede ser vigilada, la autocensura hace el trabajo de la censura directa. |
| disidente | dissident | El FSB usa los datos para identificar a disidentes y periodistas que critican al régimen. |
| opaco | opaque / non-transparent | Las prácticas de recopilación de datos de muchas aplicaciones son completamente opacas para el usuario. |
| calco | loan word / calque (linguistic borrowing) | La palabra 'privacidad' es casi un calco del inglés 'privacy'. |
There's a company called Cloudflare, and if you don't know what they do, the short version is: they sit between the internet and you, protecting websites from attacks.
Not glamorous work.
But this week they said something that stopped me cold.
Cloudflare publicó un informe en el que afirma que Max, una aplicación de mensajería muy popular en Rusia, es en realidad un programa espía.
Cloudflare published a report claiming that Max, a very popular messaging app in Russia, is actually spyware.
Es decir, la aplicación no solo sirve para enviar mensajes, sino que también recopila datos del usuario y los envía a servidores que el Kremlin puede controlar.
In other words, the app doesn't just send messages; it also collects user data and sends it to servers that the Kremlin can control.
Right, so Max is an app from VK, which is basically Russia's answer to Facebook, owned by a company that has extremely close ties to the Russian government.
And Cloudflare is now saying it behaves like surveillance software.
Exacto.
Exactly.
Y lo que hace que esto sea especialmente importante es el contexto.
And what makes this especially important is the context.
No es solo que una empresa privada haya creado una aplicación con fallos de seguridad.
It's not just that a private company built an app with security flaws.
Es que en Rusia existe una ley, que se llama SORM, que obliga a todas las empresas de telecomunicaciones y tecnología a dar acceso directo al FSB, el servicio de inteligencia ruso.
In Russia there's a law called SORM that requires all telecom and technology companies to give direct access to the FSB, Russia's intelligence service.
SORM has been around since the nineties, actually.
The first version was designed for telephone networks, then they updated it for the internet age.
But the principle is the same: the FSB gets a back door, and the company isn't allowed to tell its users.
Claro, y eso es lo que distingue la situación rusa de otras.
Right, and that's what makes the Russian situation different.
En muchos países, los gobiernos pueden pedir datos a las empresas tecnológicas con una orden judicial.
In many countries, governments can request data from tech companies through a court order.
En Rusia, la empresa tiene que instalar el equipo del FSB directamente en sus servidores, sin que el usuario sepa nada y sin ningún proceso legal independiente.
In Russia, the company has to install FSB hardware directly on its servers, without users knowing and without any independent legal process.
And Max, to be clear about what this app actually is, it's not some obscure thing.
VK has something like a hundred million users.
Max is their messaging layer.
So we're talking about a significant slice of Russia's digital communication running through something Cloudflare is now calling spyware.
Y la pregunta que hay que hacerse es: ¿cuánta gente que usa Max sabe lo que está pasando con sus mensajes?
And the question you have to ask is: how many people using Max know what's happening to their messages?
La respuesta, me temo, es muy poca.
The answer, I'm afraid, is very few.
Esto no es diferente de lo que pasó con WeChat en China, o con otras aplicaciones en entornos autoritarios.
This isn't different from what happened with WeChat in China, or with other apps in authoritarian environments.
La vigilancia está integrada en la infraestructura, no añadida después.
Surveillance is built into the infrastructure, not added later.
That phrase, 'built into the infrastructure,' is doing a lot of work.
Because what Cloudflare is pointing to isn't a bug somebody forgot to fix.
It's a design decision.
The app was built to do this.
Exactamente.
Exactly.
Y técnicamente, lo que Cloudflare describe es que Max recopila mucho más de lo que necesita para funcionar.
And technically, what Cloudflare describes is that Max collects far more than it needs to function.
Cuando instalas una aplicación de mensajería, es razonable que acceda a tu lista de contactos y a tu micrófono.
When you install a messaging app, it's reasonable for it to access your contacts and microphone.
Pero Max aparentemente recopila información sobre otras aplicaciones que tienes instaladas, tu ubicación aunque no la hayas activado explícitamente, y detalles sobre tu dispositivo que no son necesarios para enviar un mensaje.
But Max apparently collects information about other apps you have installed, your location even if you haven't explicitly enabled it, and device details that aren't needed to send a message.
Okay, so let me think through this for a second.
The average person, say, a nurse in Kazan or a teacher in Novosibirsk, they're using Max because everyone uses Max.
It's what their family uses.
They're not activists.
They're not dissidents.
But their data is still being harvested.
Eso es precisamente el punto.
That's precisely the point.
Los sistemas de vigilancia masiva no se construyen para vigilar a todo el mundo todo el tiempo.
Mass surveillance systems aren't built to watch everyone all the time.
Se construyen para tener la capacidad de vigilar a cualquiera en cualquier momento.
They're built to have the capacity to watch anyone at any moment.
Hoy eres una enfermera, mañana puedes ser alguien que organizó una protesta, o que conoce a alguien que organizó una protesta.
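Today you're a nurse; tomorrow you could be someone who organized a protest, or who knows someone who organized a protest.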
This is something I keep coming back to from my time in Beirut and, later, covering press freedom issues.
The chilling effect isn't just on the people being watched.
It's on everyone who knows they might be watched.
En España también hemos tenido debates sobre esto.
In Spain we've had debates about this too.
Hubo el escándalo de Pegasus, el software espía israelí que se usó para vigilar a políticos independentistas catalanes y también, resulta, a miembros del propio gobierno español.
There was the Pegasus scandal, the Israeli spyware used to surveil Catalan independence politicians and also, it turned out, members of the Spanish government itself.
Así que esto no es solo un problema de las dictaduras.
So this isn't just a problem for dictatorships.
The Pegasus comparison is sharp.
Because Pegasus was sold as a tool for fighting terrorism and organized crime, and it ended up being used against journalists and politicians.
The stated purpose and the actual use can diverge very quickly.
Y lo que diferencia el caso de Max del caso de Pegasus es la escala.
And what distinguishes the Max case from Pegasus is scale.
Pegasus era un software caro y sofisticado que se usaba de forma selectiva.
Pegasus was expensive, sophisticated software used selectively.
Max tiene cien millones de usuarios.
Max has a hundred million users.
Eso es vigilancia de masas, no vigilancia dirigida.
That's mass surveillance, not targeted surveillance.
Son dos cosas muy distintas en términos de impacto social.
They're two very different things in terms of social impact.
Let me push on the historical side of this a bit, because Russia's relationship with surveillance technology goes back a long time.
The KGB was sophisticated about this in ways that the West sometimes underestimated.
Por supuesto.
Of course.
El KGB desarrolló técnicas de vigilancia muy avanzadas para su época.
The KGB developed very advanced surveillance techniques for its time.
Pero lo importante es que el FSB, que es el sucesor directo del KGB, ha adaptado esas técnicas al mundo digital.
But the important thing is that the FSB, which is the direct successor to the KGB, has adapted those techniques to the digital world.
No es que hayan tenido que aprender de cero;
It's not that they had to learn from scratch;
han trasladado una cultura institucional de décadas al nuevo entorno tecnológico.
they've transferred decades of institutional culture into the new technological environment.
Putin, of course, was a KGB officer.
People forget that's not just biography.
That's worldview.
The way you think about information, about trust, about who gets to know what.
That doesn't go away when you put on a different suit.
Hay una frase que Putin dijo en alguna ocasión que creo que lo resume todo: 'No existe el exkaguebista'.
There's a phrase Putin once said that I think summarizes everything: 'There is no such thing as a former KGB officer.'
Es una especie de broma, pero también es una declaración de principios.
It's a kind of joke, but it's also a statement of principles.
Una vez que formas parte de ese sistema, siempre eres parte de ese sistema.
Once you're part of that system, you're always part of that system.
And the thing about Max, the thing that makes Cloudflare's finding so uncomfortable, is that VK's current leadership has very close ties to the Kremlin.
This isn't a company that's being pressured to comply.
The compliance appears to be enthusiastic.
Claro.
Right.
Y es importante recordar que VK no siempre fue así.
And it's important to remember that VK wasn't always like this.
Fue fundada por Pavel Durov, que es también el creador de Telegram.
It was founded by Pavel Durov, who is also the creator of Telegram.
Durov fue básicamente expulsado de su propia empresa en 2014 cuando se negó a entregar datos de usuarios de la comunidad de activistas ucranianos al FSB.
Durov was basically pushed out of his own company in 2014 when he refused to hand over data from Ukrainian activist user groups to the FSB.
Luego tuvo que salir del país.
Then he had to leave the country.
Which is a remarkable story in itself.
The man builds Russia's biggest social network, refuses one demand from the security services, and ends up in exile.
Then goes on to build Telegram, which becomes one of the most widely used encrypted messaging apps in the world.
There's a novel in there somewhere.
Y Telegram tiene sus propios problemas, por supuesto.
And Telegram has its own problems, of course.
Durov fue detenido brevemente en Francia el año pasado por cuestiones relacionadas con el uso de Telegram para actividades ilegales.
Durov was briefly detained in France last year over issues related to Telegram being used for illegal activities.
Pero el punto esencial es que hay una diferencia fundamental entre una empresa que intenta resistir la vigilancia del Estado y una empresa que colabora activamente con ella.
But the essential point is that there's a fundamental difference between a company that tries to resist state surveillance and one that actively collaborates with it.
So what does Cloudflare actually do with this information?
They've published the report, they've named the app.
But Max is still available.
People are still using it.
Y eso es lo frustrante.
And that's what's frustrating.
Cloudflare puede identificar el problema y hacer ruido, pero no tiene la capacidad de forzar a Google o a Apple a retirar la aplicación de sus tiendas.
Cloudflare can identify the problem and make noise, but it doesn't have the power to force Google or Apple to pull the app from their stores.
Eso dependería de que los gobiernos tomaran medidas, o de que las propias empresas tecnológicas actuaran.
That would depend on governments taking action, or on the tech companies themselves acting.
Y ahí es donde todo se complica.
And that's where everything gets complicated.
Because Max is presumably available outside Russia too, right?
Not widely, but it's not geofenced.
If someone in Berlin or Buenos Aires downloads it, they're potentially in the same situation.
En teoría, sí.
In theory, yes.
Aunque la mayoría de los usuarios están en Rusia y en países del espacio postsoviético.
Though most users are in Russia and post-Soviet countries.
Pero tienes razón en que el problema va más allá.
But you're right that the problem goes further.
Hay millones de personas en Europa occidental y en América Latina que usan aplicaciones cuyas prácticas de recopilación de datos son opacas.
There are millions of people in Western Europe and Latin America who use apps whose data collection practices are opaque.
La diferencia es que en el caso de Max, el beneficiario final de esos datos es un gobierno extranjero.
The difference is that in Max's case, the ultimate beneficiary of that data is a foreign government.
And that brings up TikTok, inevitably.
The United States spent two years fighting over whether TikTok, owned by a Chinese company, posed a similar national security risk.
The argument was almost identical: the app collects data, the parent company is subject to Chinese law, therefore the Chinese government can access it.
Y lo que el caso de TikTok demostró es que la respuesta occidental a estas amenazas es muy inconsistente.
And what the TikTok case showed is that the Western response to these threats is very inconsistent.
Se hizo mucho ruido sobre TikTok, pero aplicaciones con problemas similares de privacidad siguen disponibles sin ningún debate.
There was a lot of noise about TikTok, but apps with similar privacy problems remain available without any debate.
La pregunta que habría que hacerse es: ¿actuamos cuando la amenaza es China o Rusia, pero ignoramos los mismos problemas cuando vienen de empresas occidentales?
The question you have to ask is: do we act when the threat is China or Russia, but ignore the same problems when they come from Western companies?
That's a fair challenge.
Facebook has been caught doing things with user data that, in a different political context, we might call surveillance.
The difference is jurisdiction and accountability, but the data extraction itself isn't so different in kind.
Exacto.
Exactly.
Aunque creo que sí hay una diferencia importante: cuando Meta recopila tus datos, lo hace principalmente para venderte publicidad.
Though I think there is an important difference: when Meta collects your data, it does so mainly to sell you advertising.
Cuando el FSB accede a los datos de Max, lo hace para identificar a disidentes, periodistas, y cualquiera que pueda ser una amenaza para el régimen.
When the FSB accesses Max's data, it does so to identify dissidents, journalists, and anyone who might be a threat to the regime.
El fin al que se destinan los datos importa muchísimo.
The purpose for which data is used matters enormously.
I've interviewed journalists who left Russia after 2022, and one of the things that comes up again and again is this: they had no idea how exposed they were until something went wrong.
A colleague gets detained and suddenly realizes their entire messaging history was available to the FSB.
And that's not hyperbole; that's what several people described to me directly.
Y eso es lo que convierte esto en algo más que una noticia tecnológica.
And that's what makes this more than a technology story.
Es una historia sobre libertad de prensa, sobre la capacidad de las personas de comunicarse sin miedo, sobre los costes reales para la gente real cuando la vigilancia está integrada en los sistemas que usamos todos los días.
It's a story about press freedom, about people's ability to communicate without fear, about the real costs to real people when surveillance is built into the systems we use every day.
Reporters Without Borders published their annual index this week.
Global press freedom at its lowest point since they started measuring in 2002.
Less than one percent of the world's population lives in countries with genuinely strong press freedom.
These things are connected.
Sí.
Yes.
Y la tecnología es una parte central de esa historia.
And technology is a central part of that story.
Los regímenes autoritarios han aprendido que no necesitan detener a todos los periodistas;
Authoritarian regimes have learned that they don't need to arrest every journalist;
basta con crear un ambiente en el que la gente sepa que puede ser vigilada en cualquier momento.
it's enough to create an environment where people know they can be watched at any moment.
La autocensura hace el trabajo que antes hacía la censura directa.
Self-censorship does the work that direct censorship used to do.
The Bentham panopticon, essentially.
You don't need to be watched to change your behavior.
You just need to believe you might be.
Exactamente.
Exactly.
Es que Foucault escribió sobre eso hace cincuenta años, pero en el siglo veintiuno la tecnología ha hecho el panóptico mucho más eficiente y mucho más barato.
Foucault wrote about that fifty years ago, but in the twenty-first century technology has made the panopticon much more efficient and much cheaper.
Antes construir una infraestructura de vigilancia masiva requería enormes recursos.
Before, building a mass surveillance infrastructure required enormous resources.
Ahora, si convences a la gente de que instale la aplicación correcta, ellos mismos construyen la infraestructura de su propia vigilancia.
Now, if you convince people to install the right app, they build the infrastructure of their own surveillance themselves.
Which is the most chilling version of this whole story.
The state doesn't wiretap you anymore.
You wiretap yourself and hand them the recording.
Oye, hay algo que quiero señalar de lo que hemos estado hablando, porque creo que los oyentes lo encontrarán útil.
Hey, there's something I want to point out from what we've been discussing, because I think listeners will find it useful.
Has usado la palabra 'privacidad' varias veces en inglés, y yo he estado diciendo 'privacidad' en español también.
You've used the word 'privacy' several times in English, and I've been saying 'privacidad' in Spanish too.
Pero hay algo interesante ahí que vale la pena mencionar.
But there's something interesting there worth mentioning.
Go on, what's the wrinkle?
Pues que 'privacidad' es en realidad una palabra bastante reciente en español.
Well, 'privacidad' is actually a fairly recent word in Spanish.
Es casi un calco del inglés 'privacy'.
It's almost a direct loan from the English 'privacy.'
La palabra tradicional española para ese concepto es 'intimidad', que tiene un significado ligeramente más profundo, más personal.
The traditional Spanish word for that concept is 'intimidad,' which has a slightly deeper, more personal meaning.
Cuando el Tribunal Constitucional español protege tu derecho a la privacidad, lo llama 'derecho a la intimidad'.
When Spain's Constitutional Court protects your privacy rights, it calls it 'derecho a la intimidad.'
Intimidad.
Which in English sounds like 'intimacy,' something closer, more personal.
So the Spanish legal tradition frames privacy not as keeping information from others, but as protecting something that's genuinely intimate to you as a person.
Exacto.
Exactly.
Y eso importa cuando hablamos de vigilancia.
And that matters when we talk about surveillance.
Porque si tu derecho fundamental es a la 'intimidad', entonces el Estado que te espía no solo está violando una norma técnica de protección de datos, está violando algo que te define como persona, algo profundamente humano.
Because if your fundamental right is to 'intimidad', then the state that spies on you isn't just violating a technical data protection rule; it's violating something that defines you as a person, something deeply human.
El lenguaje cambia la percepción del daño.
Language changes the perception of the harm.
That's actually a more powerful framing than anything the GDPR has managed to come up with.
Next time I'm in Madrid and someone asks me about this, I'll say 'intimidad.' Although knowing my track record, I'll probably tell them I'm very pregnant instead.
Sí, Fletcher, mejor practica antes de hablar con mi madre otra vez.
Yes, Fletcher, better practice before talking to my mother again.