Many Russians fear that the Russian authorities will use the pandemic to increase cyber-surveillance of the population. QR-codes already restrict freedom of movement. Russia has been working on the possibility to close the country off by creating a 'sovereign Ru-net', looking at the Chinese example. Experts concluded that it is too late to seal off Russia, but Alena Epifanova from the German think tank DGAP points to the possibilities to seriously hamper internet access for business and civil society.
Demonstratie op 10 maart 2019 tegen de invoering van de Ru.net' wet die internet in Rusland kan beperken (foto twitter)
by Alena Epifanova
New regulations on the internet in Russia (some came into force on November 1, 2019, others are due to follow in January 2021), have been described publicly as Russia’s 'sovereign internet law'. In fact, there was no such new law, but rather a series of amendments to the existing federal laws 'On Communication' and 'On Information, Information Technologies, and Information Protection'.
Officially, the amendments aim to protect the internet within Russia from external threats. In fact, they provide the crucial legal framework for creating a centralized management system of the internet by the state authority – theoretically enabling the isolation of Russia’s network from the global internet.
Three amendments have particularly far reaching implications:
- The compulsory installation of technical equipment for counteracting threats;
- Centralized management of telecommunication networks in case of a threat and a control mechanism for connection lines crossing the border of Russia;
- The implementation of a Russian national Domain Name System (DNS)
With these three key amendments, Russia is trying to achieve at least three different goals.
First, it aims to create a mechanism for effective surveillance of the internet within its borders. To this end, the amendment concerning the installation of 'technical equipment for counteracting threats', allows for greater state control of information and the prevention of its dissemination if needed.
Memes on the Russian internet are wildly popular: here the 'robocops' that were used against demonstrations in Moscow in August 2019 are mocked (foto twitter)
Consequently, implementation of the new legislation may give the Russian government the opportunity to curtail opposition activity on social media sites, helping it to prevent protests such as those in 2011 through 2013 ahead of elections to Russia’s parliament, the State Duma, scheduled for 2021 and the presidential election scheduled for 2024. Even if this amendment is technically difficult to implement, as will be explained below, the law itself is a part of the Putin regime’s continuing intimidation strategy and it will impact Russian society.
New laws give the government the opportunity to curtail opposition activity on social media
Second, the state aims to become the key regulator of the internet in Russia. The recent amendment allowing the state to create centralized control over the internet infrastructure by introducing the cross-border control of connection lines and the rerouting of traffic is an attempt to enable the isolation of a national network from the global internet – for which the state can open and close 'digital borders' and determine the flow of information within them as it sees fit.
While total state control of Russia’s internet will remain impossible so long as the country is connected to the world via the existing infrastructure of the global internet, the passing of this amendment by Putin’s regime was an attempt to present its control of telecommunication lines, networks, and traffic as a fait accompli.
Third, Russia intends to expand the state-centered model of the internet at the international level. The amendment aiming to create the infrastructure for a national Domain Name System (DNS) could, if achieved as planned in January 2021, create a Russian segment of the internet – parallel to and probably not compatible with the existing one.
With this move, Russia is not seeking to isolate itself from the rest of world, but rather to create a precedent, which other states aspiring to sovereignty over their segments of the internet could follow.
The state aims to become key regulator of Russian internet
Presumably, Russia will need to cooperate even more closely with China than it has already to develop the technology to achieve its goals and coordinate its internet policy at the international level. In the long term, such cooperation could lead to the fracturing of the global internet and a shift of stakeholders and powers.
Risks to others
Although some implications of the three amendments are still unclear and some regulations and requirements are not yet in place, the new legislation already carries concrete risks, which concern not only Russia itself, but also European countries that cooperate with Russia and own companies operating within it.
Protests against the erection of a church in a park in Yekaterinburg
The now compulsory 'technical equipment for counteracting threats' will, for example, also be able to prioritize traffic. It can delay the flow of certain types of network packets while prioritizing others, giving them better performance. In practical terms, users of particular websites and services could experience slow access or unavailability.
Such prioritization could compromise network neutrality and lead to discrimination against companies not protected by the Russian state. The fact that neither technical requirements nor certification for this new equipment exist also means that network failures are likelier to happen. Companies operating in Russia could, in turn, suffer collateral damage caused by the new equipment with limited possibilities for recouping losses.
In addition, the likelier prospect of the so-called 'splinternet', where segments of the internet are controlled and regulated by different states and actors, could lead to incompatibility among technical, regulatory, and operational standards – thus impeding cross-border cooperation and the interoperability of the global internet.
Centralizing state control
Russia has a long-standing information and internet policy through which it has already attempted to control the internet in previous years, but, in current practice, the state authorities apply the restrictive internet laws that already exist in Russia selectively for two reasons.
First, due to the lack of technical capability, some of the laws cannot be implemented. Secondly, certain internet services and applications are so popular that the state does not block them in order to avoid public discontent.
Generally speaking, in order to gain more influence over a domestic internet, state authorities can implement centralized and decentralized control mechanisms. Which one to choose is mainly defined by the network infrastructure and the amount of control countries possess over their networks.
China, for example, opts for centralized control; the country brought internet service providers (ISPs) under its yoke early on and traffic is guided through 'choke points', network nodes through which data travels when entering or exiting a country’s internal network.
Countries such as the United Kingdom, India, and Russia currently have much less control over their networks and domestic ISPs. In their case, a decentralized approach is favorable. Authorities roll out new laws and policy measures and oblige ISPs to comply.
Up to this point, Russia was 'the largest and most aggressive' country pursuing decentralized control, as demonstrated by the laws enacted since 2012 regulating the internet. The new amendments introduced in 2019 aim to give Russian authorities more centralized powers.
Roskomnadzor – the Federal Service for Supervision of Communications, Information Technology, and Mass Media – and the central point for control over communication networks and facilities as well as personal data in Russia, wants to monitor traffic at its source, without having an ISP in between or internet services that do not comply with new regulations.
Apparently, Russia is now attempting to catch up with what China quickly implemented in the early days of the internet: centralized and effective control mechanisms at the root of the network.
Russia's Internet Policy
One of the first laws was passed in reaction to a series of mass protests in 2011 through 2013. The protests were against manipulation of the parliamentary election and the so-called rokirovka – the position swap between then President Dmitri Medvedev and Prime Minister Vladimir Putin. The opposition made wide use of the internet to bring people to the streets. As a reaction from the state, in 2012, a law on a unified register of banned websites came into force.
The register initially included sites containing child pornography and drugs. But less than two years later, in 2014, it was amended to include websites promoting rioting or containing extremist content or participation in mass public events.
Since 2015, all domestic and foreign internet companies are obliged to ensure the recording, systematization, accumulation, and storage of the personal data of Russian citizens on servers physically located within Russia.
In 2016, Yarovaya’s Law (named after Irina Yarovaya, a member of the party United Russia in the State Duma and co-author of the legislation) came into force. Since then, telecommunication companies have been required to store the content of text messages, phone conversations, images, and videos for six months, as well as their metadata for three years within Russian territory. They must provide this information to security services upon request.
Implications of three key amendments
Below the implications of three key amendments included in the new regulations are explained in detail.
1. The Compulsory Installation of Technical Equipment for Counteracting Threats
This amendment requires all internet service providers to install 'technical equipment for counteracting threats to stability, security, and the functional integrity of the internet on the territory of the Russian Federation' on their networks. The legislation does not specify which technical equipment should be used. Although, at this writing, there has still been no official decree on this equipment and its technical requirements, the articles of this amendment state that Roskomnadzor will provide it to ISPs free of charge. The technology will apparently be installed nationwide by a single company called 'Data – Processing and Automation Center' and controlled by Roskomnadzor.
Oppositionist Alexei Navalny installed an election-app to tell voters whom (not) to vote for in Duma elections in Moscow in september 2019
The past attempt by the Russian state to block Telegram, a cloud-based messaging app, provides a good example of how the regime is attempting to use this amendment to prevent unrestricted communication that could be utilized to coordinate social unrest and opposition movements. Telegram claims to allow the secure exchange of information through end-to-end encryption, which makes communication possible without intelligence services being able to read it.
In 2018, according to the founder of the company Pavel Durov, Telegram had over 15 million users in Russia. In its attempt to block Telegram, Roskomnadzor tried to ban the IP addresses of Telegram servers without success. In order to finally ban the service and prevent undisclosed communication, Russian authorities might use, among others, a technology commonly referred to as Deep Packet Inspection (DPI). This new amendment obliges ISPs to accept and cooperate in the installation process of DPI systems or a similar technology.
Deep Packet Inspection
The main technical components of DPI systems are so-called black boxes, which are installed at the hubs of internet providers to analyze both data packets and the content of communications. They enable the monitoring, filtering, and slowdown of requests as well as the blocking of specific content. The black boxes can also determine to which service or application each data packet is attributed.
Although DPI systems have been used in Russia since 2012, when legislation creating an internet blacklist was enacted, ISPs have yet to introduce them widely because of their high cost, which they had to bear themselves.
Anonymous sources have told the BBC that DPI systems, which have already been tested on the networks of all major mobile network operators in the Ural region, are indeed Roskomnadzor’s choice.
While it can therefore be assumed that the implementation of the TSPU amendment will be based, at least in part, on the use of Deep Packet Inspection technology – the exact specifications, capabilities, and effectiveness of which are unknown – it might also include other hardware and software solutions, which are also unknown at this time.
Blocking of Encrypted Connections
If Roskomnadzor widely implements DPI systems or similar technologies, they might be used to block undesired traffic and severely censor the Russian web. One might think that DPI systems cannot identify, and therefore block, packets of encrypted connections such as HyperText Transfer Protocol Secure (HTTPS), which is widely used on the World Wide Web. Unfortunately, this is not entirely the case.
Telegram is Russia's most popular chat service. CEO Pavel Durov fights with Roskomnadzor about encryption rights
Because data packets – even those sent via an encrypted connection – are always sent to a certain destination, they must always carry an address that is visible. This information cannot be encrypted because an ISP would otherwise not know to which address it is supposed to send the user’s request. For example, an ISP will know that a user is requesting data from YouTube, the size of the request, and its length. But, thanks to encryption, it will not know which specific video the user is watching.
For Russian authorities, the package destination might be indicator enough to block requests from undesired websites. One possible solution would be for a user to hide the address of the packet he or she wishes to send by redirecting it through a Virtual Private Network (VPN). In this case, the user doesn’t communicate directly with the ISP but through one or several entities in between. This makes the destination of the request only visible to the VPN service provider but not the ISP.
But, since Russian authorities are also trying to use DPI systems or similar technologies to shut down VPN services, this workaround may sooner or later cease to be a viable option. Another workaround in current use is a technique called 'domain fronting', with which a request gets redirected on the same server after a HTTPS connection has been established. This technique, among others, was used by Telegram to bypass Roskomnadzor’s IP bans.
However, this workaround, too, is becoming more difficult to implement as companies such as Amazon or Google, which operate servers also used for domain fronting, seek to end this practice.
Discrimination of Traffic Speeds
DPI or similar technologies can also be used to prioritize and discriminate traffic. Prioritizing traffic could have far-reaching consequences for net neutrality, especially if it is carried out by a state authority. Roskomnadzor could slow down the traffic speed of all unknown or undesired connections and prioritize trusted connections of entities that comply with the fixed rules.
European telecommunication operators may have confirmed that such prioritization and discrimination of traffic works. Larger ISPs – including Deutsche Telekom – are suspected of using DPI for commercial purposes in order to control traffic speeds to block intensive forms of consumption (for example streaming) that are not included in a user’s contract. And if ISPs can slow down connections, Roskomnadzor could do the same in order to put enormous pressure on companies that do not comply with its fixed rules.
If a state authority massively slows down some connections, targeted companies could face issues that threaten their businesses. These could include seeing a marked decrease in their user base as customers dissatisfied with the inconvenience of substantially slower services are pushed toward alternatives.
If this amendment is fully implemented, bypassing DPI services and accessing restricted areas of the internet will be very difficult except for highly skilled users, leading to an 'asymmetry of blocking effectiveness'. Since it must be assumed that IT specialists can circumvent DPI systems, the amendment’s official goal – repulsing threats – is not entirely plausible. In other words, it is likelier that the primary target of wide implementation of DPI is Russia’s ordinary users, whose internet use will assuredly be restricted. Private companies might also be targeted to cause them economic disadvantages.
2. Centralized Management of Telecommunication Networks in Case of a Threat and a Control Mechanism for Connection Lines Crossing the Border of Russia
This new amendment states that the media regulator Roskomnadzor can take over the centralized management of the network in case of a 'threat'.
These threats are:
1. to the integrity of the network, for example when no connection can be established between users;
2. to the stability of the network, for example when equipment does not work correctly or is disabled due to natural or man-made disasters;
3. to the safety of the functioning of the network, for example when hackers attack the network and ISPs cannot resist the attack, or when ISPs themselves cause disruption.
If any of these threats materialize, Russian ISPs will have to comply with the rules fixed by Roskomnadzor, which then prohibit the routing of telecommunication messages through communication networks located outside of the territory of the Russian Federation.
In addition, when two autonomous systems wish to communicate with each other, they will have to do so through traffic exchange and connection points monitored by Roskomnadzor. The agency can ask any ISP or person running an autonomous system to 'change the routes of telecommunication messages' and guide those messages through 'technical means to counteract threats to the stability, security, and integrity of the functioning of the […] internet'.
Furthermore, this new amendment creates a control mechanism for connection lines crossing the border of the Russian Federation. All owners of such communication lines are obliged to report not only their purpose, but also which facilities exist on that line to Roskomnadzor.
The Danger of a Kill-Switch
The aforementioned stipulations give state authorities the potential to create a 'kill-switch', a relatively easy to use mechanism that can be used to shut down most of the Russian internet. In the event of such a shutdown, even DPI bypass systems, VPNs, or other unidentified connections will not work – communication becomes physically impossible.
A 'kill-switch' can shut down most of the Russian internet
The global internet is strong and redundant because its traffic is handled by a web of computers and servers; data can therefore take many different paths in order to reach its destination. The amount of centralized traffic exchange and choke points strongly affects the power of a government to censor and repress data flows.
The lower the amount of choke points, the more easily they can be controlled. With implementation of this new amendment, Russian authorities will weaken the robust structure of the Russian internet by guiding traffic through centralized, state-controlled connection points, which can be shut down in case of a 'threat'. Russian authorities might soon be able to cut off major parts of the network and thus prevent information that is critical of the government from entering or spreading within the country.
Internet posts, like Jon Snow dressed up as Jesus, have already been pretexts for persecution according to extremism laws
In the past, several deliberate internet shutdowns have occurred in different countries on different scales. An intentional local shutdown is theoretically possible in any country with a weak legal system – because it can be pushed through with little juridical resistance.
Authorities might be able to prevent critical information from entering or spreading within the country
For example, one such shutdown took place in August 2019 during rallies in the center of Moscow; the BBC claims it was requested by law enforcement agencies. In November 2019, Iran cut off most of its internet for several days. However, this nationwide shutdown was only possible because the country relies on data connections through choke points and has a very limited number of ISPs, which are all state-controlled.
In contrast to Iran, Russia has more than 40 providers on its borders, many ISPs, and – for now – no large choke points. These parameters had made any major internet shutdown in Russia hard to execute. The new amendments, however, create a new legal basis for just such a scenario, thus enhancing the probability of a shutdown.
3. The Implementation of a Russian National Domain Name System (DNS)
This key amendment concerns the creation of a Russian national Domain Name System (DNS), which is due to be implemented by January 2021. It aims 'to ensure a stable and safe use of domain names on the territory of the Russian Federation'. The Russian national domain zone will be composed of its own infrastructure, which means root servers and proprietary domain names.
Roskomnadzor is again vested with enormous power: it will define regulations on the national DNS, requirements for it, and the procedure for its establishment, as well as the rules for its use. It will also determine the list of domain name groups constituting the Russian national domain system.
Russia has more than 40 providers on its borders, and – for now – no large choke points. The creation of a proprietary national DNS has never been successfully achieved by any country. It is therefore very hard to predict if such a system could work in parallel to the worldwide DNS in current use, which is allocated and managed by the International Corporation for Assigned Names and Numbers (ICANN).
Roskomnadzor is again vested with enormous power
A national DNS would only make sense if a country opts for a long-term and complete isolation of its internet. If Russia manages to implement the new amendments providing for the control of all networks and servers on its own territory and allowing for their disconnection from the global internet, it would then need its own domain name system.
This would segregate Russian websites from the international DNS, making them unavailable in all other parts of the world. At the same time, Russia would likely become unable to use the global DNS.
In an explanatory note about Russia’s new law on the 'sovereign internet', the Russian legislature claims that it was created in light of 'the aggressive nature of the US National Cyber Security Strategy adopted in September 2018'.
In it, the US accuses Russia – along with China, Iran, and North Korea – of using 'cyber tools to undermine [its] economy and democracy, [and to] steal [its] intellectual property'. Furthermore, the document states that the United States will punish those who use cyberattacks against them. According to the explanatory note, Russia needs to take 'protective measures to ensure the long-term and stable operation of the internet in Russia, and to increase the reliability of Russian internet resources'.
But it would be misleading to consider Russia’s new internet legislation as a mere reaction to the US National Cyber Security Strategy of 2018. Since 2012, Russia has been actively criticizing ICANN’s dominant position in coordinating the global DNS, allocating IP addresses, and governing the internet.
In parallel, Russia is pushing for an alternative internet governance model with strong state sovereignty and within the framework of the International Telecommunication Union (ITU) of the United Nations.
Russian fears of getting cut off from the internet expressed in the explanatory note are not fully plausible. First and foremost, because ICANN is an independent organization, interference from the US government is legally almost out of the question. Moreover, the US government is most likely not technically capable of shutting down domains related to Russian websites.
Consequently, even if Russia is pushing for an alternative internet governance model with strong state sovereignty almost all the root servers are located in the USA, a shutdown of TLDs related to Russian websites by the US government is not a realistic scenario.
Against this background, it seems as though the aim of this new amendment is not to defend the internet in Russia from outside attacks, but rather a proactive step toward splitting its own national segment off from the infrastructure of the global internet in order to gain state sovereignty over it.
Partnership with China
Russia’s ambitions to build a model of state-backed internet control, create its own national DNS, and set new rules in cyberspace only make sense if it teams up with other countries. It remains to be seen how many countries would want to join its experiment.
However, Russia already has a longstanding relationship with China when it comes to the internet. Both countries have had several high-level meetings on cybersecurity and internet control. In May 2015, Russia and China signed a bilateral agreement on cooperation in the field of international information security and defined a broad range of forms in which such cooperation could take place.
People demonstrate for internet freedom and against Ru.net
Because Russia’s society and economy rely so heavily on services such as social networks, search engines, financial services, and Software as a Service (SaaS), replacing foreign ones with domestic versions seems to be a nearly insurmountable task. Simply shutting down foreign platforms would also have tremendous negative consequences for the economy and likely generate social outrage. In addition, Russia needs to partner with China at the international level to promote the idea of state sovereignty in cyberspace.
As previously suggested, Russian fragmentation from the global internet would only make sense if the country had allies with whom it could establish a parallel network. Successfully establishing a regional segment of the internet will depend on Russia and China developing a network infrastructure which can be sustained without the architecture of the global internet. As yet, it is difficult to predict if they will succeed.
It is also still unclear to what extent it will be attractive for other countries to shut themselves off from the global internet. However, with the new legislation, Russia has created a legal framework whose implementation must be taken seriously.
For the original version of this policy paper, with links and footnotes, see the site of DGAP.