The following is a translation of an article written by Russian journalist Darya Luganskaya. The post has been edited for clarity and length, and reprinted with the author's permission. You can read the original text here.
“The Internet was created as a special project by the CIA, and is developing as such,” Vladimir Putin announced three years ago last week. Since then, Russian authorities’ faith in the Internet has declined even further.
Despite this negative reputation among officials, the commercial side of the Russian Internet plays an important part of the country’s economy, accounting for around 1.35 trillion rubles ($23.7 billion), or 2.4 percent of Russian GDP in 2015, according to statistics from the Russian Association for Electronic Communications (RAEC). If officials are seriously thinking about “bringing order” to the Internet, as they say they want to, it’ll be a very costly endeavor. OpenEconomy has learned of three potential ways the authorities might begin to “restore order” to the Internet in the coming years.
1. Total Wiretap
On July 1, 2018, the second part of the so-called “Yarovaya packet,” a set of anti-terror laws prepared by State Duma MP Irina Yarovaya that advances a new way of storing and decoding Internet traffic, will come into force. Service providers including MTS, MegaFon, Beeline, and Rostelecom, will be obligated to store phone call records and user messages, as well as all Internet traffic data (information about who visits which sites, and when) within six months. This information must be turned over to the security services upon request.
Storing this information is very expensive: TMT Consulting estimates that it will cost the Russian telecommunications market nearly $1.7 trillion rubles ($29.8 billion) in 2016. The Ministry of Communications is talking with the security services about ways to reduce storage tenfold, but the costs will still be enormous.
Under the rules, Internet services are also obligated to turn over encryption keys to the FSB (the Federal Security Service) upon request or risk being fined, though it's unclear precisely which keys they've requested and from whom. And Kommersant reported in September that the FSB is trying to find a way to decrypt all internet traffic in Russia using Deep Packet Inspection (DPI), despite the fact that it is less effective when sites use the https security protocol, which many major Russian sites do.
Beginning in September 2015, all this personal information was ordered to be stored on Russian soil, forcing foreign companies question whether they wanted to continue operating in Russia. Adding additional servers isn’t cheap, and the political implications of such a move could be costly for their users and their reputations around the world.
In November 2016, LinkedIn was blocked in Russia for violating this order. But this could change — according to Andrei Soldatov, the co-author of “The Fight for the RuNet,” LinkedIn parent company Microsoft has been known to cooperate with Russian authorities. For example, Windows reportedly handed over source code to Russian authorities so that the government would continue to use its products. This appears to have increased the odds that LinkedIn will be unblocked in Russia at some point.
Twitter has long refused to comply with this data localization law, though the company has said that it is reviewing relevant policies for Russian users, and that it may reconsider “where it stores the data of Russian users who have a commercial relationship as advertisers on the platform.” The messaging system Viber and the ride-share app Uber have made similar announcements.
Soldatov belives that Facebook and Google will not hand over users’ personal information to the authorities. Roskomnadzor, the main RuNet regulator, has not yet threatened to block them. And, Soldatov says, they won’t be added to the list of companies that are up for compliance checks anytime soon.
Other countries are taking similar measures to control the internet, Rose Dlougatch, a senior research associate at Freedom House, which releases an annual ranking of Internet freedom around the world, told Open Economy. “In Turkey, PayPal lost its license for violating data localization laws. The Iranian authorities have indicated that communication services will soon have to store data within Iran. At the beginning of 2016, an analogous data localization law was adopted in Kazakhstan. Citizens’ information is thereby made accessible to the authorities and foreign platforms are pushed out of the local market,” Dlougatch explained.
2. Blocking Sites
In 2012, Russian authorities began thinking about a mechanism by which they could control the Internet—a “black list” of websites. Landing on the government’s register of forbidden sites for violating one of the many laws governing Internet content (like those prohibiting propagandizing suicide and drugs, or those banning calls to extremism or terrorism), websites are blocked, often without court review. By the middle of April 2017, free expression news site Roskomsvoboda counted more than 4 million sites that had been blocked in this manner.
Roskomnadzor has repeatedly threatened to block major websites like YouTube, Reddit, Vimeo, and Wikipedia (and access to these sites has been cut for hours at a time). But these warnings are not about the websites as a whole, but rather about specific pages that, according to authorities, violate one law or another. If a site uses the https security protocol, service providers aren’t able to block only a single page, meaning they have to shut down an entire site until the owner decides to remove the content in question.
It’s possible to access blocked sites by using anonymizers like VPN services that mask the location of your IP address, making it look like you are visiting websites from, say, Britain, rather than Russia. And Russians actively use these anonymizers. For example, only Americans use the well-known anonymizer Tor more than Russians, and nearly 12 percent of Tor’s clients are located in Russia.
At the end of April 2017, Vedomosti reported on a Roskomnadzor project aimed at blocking access to tools that allow users to visit blocked websites. Services can avoid being blocked, however, if they voluntarily cut users’ access to sites on Roskomnadzor’s “black list.” Proposed legislation also obligates search engines to prevent blocked websites from appearing in their search results. They could be fined up to 700,000 rubles if they do not comply.
The goal of this initiative is to make it illegal to circumvent blocks and to block major anonymizers. Still, anonymizers aren’t going away.
Vedomosti also reported that rather than blocking specific sites, measures could be taken that make it difficult for users to access sites, including slowing them down. But this would be very difficult and costly to accomplish. According to the Institute for Internet Research, limiting traffic at the subscriber level would require special equipment that could cost as much as $5 billion to develop and implement.
3. An Autonomous RuNet
Finally, Russia is trying to regulate the so-called “critical infrastructure” of the RuNet—Internet exchange points with other countries and the .ru and .рф domain names.
Two years ago at a meeting of the Russian Security Council, Putin instructed state organs to think up ways to maintain the stability of the RuNet if it were to be cut off from the outside world. And at the end of last year, the Ministry of Communications and the FSB discussed legislation on this very topic.
The Ministry proposes bringing traffic onto a single Government Information System, which Vedomosti has reported would be necessary to localize Internet activity. It also proposes moving Internet exchange points under the administrative control of Russian companies, exclusively. Finally, the Ministry wants to introduce a rule mandating that the administrator of a national domain name system is a Russian legal entity and an executive body with power over communications—that is, the Ministry itself.
The FSB, meanwhile, is proposing changes to the Criminal Code for causing damage to or threatening the nation’s critical information infrastructure—with punishments running up to 6 years in prison.
Both proposals have faced loud criticism. Microsoft and Cisco have come out against the FSB’s plan, and the Ministry of Communication’s proposal has not yet been approved by RAEC or expert committees in the government. Neither proposal has become law.