Authorities Regulate Infrastructure, Block Content
Note: This article features explainers. Click on the highlighted terms to see a short explainer.
(Moscow) – Russia has significantly expanded laws and regulations tightening control over internet infrastructure, online content, and the privacy of communications, Human Rights Watch said today. If carried out to their full restrictive potential, the new measures will severely undermine the ability of people in Russia to exercise their human rights online, including freedom of expression and freedom of access to information.
“Russian authorities’ approach to the internet rests on two pillars: control and increasing isolation from the World Wide Web,” said Hugh Williamson, Europe and Central Asia director at Human Rights Watch. “The government has built up an entire arsenal of tools to reign over information, internet users, and communications networks.”
New laws and regulations adopted in the past two years expanded the authorities’ already significant capacity to filter and block internet content automatically, no longer depending on providers’ cooperation to implement the block. The 2019 “sovereign internet” law requires internet service providers (ISPs) to install equipment that allows authorities to circumvent providers and automatically block content the government has banned and reroute internet traffic themselves.
A 2018 law introduces fines for search engines providing access to proxy services, such as virtual private networks (VPNs), that allow a user access to banned content or provide instructions for gaining access to such content. Regulations adopted in 2019 require VPNs and search engine operators to promptly block access to the websites on the list maintained by the federal government’s informational system, which includes a regularly updated list of officially banned sites.
The past two years have also seen legislative incursions into the privacy of mobile communications. In July 2018, amendments to existing counterterrorism legislation entered into force that require telecommunications and internet companies registered with Russian authorities as “information dissemination organizers,” for example, messenger apps and social media, to store and share information about users without a court order.
The amendments build on previous data localization laws, which require companies processing the personal data of Russian citizens to store private data of internet and mobile app users in Russia and hand the information over to security services upon request. In 2019, Russia’s Federal Security Service (FSB) required these companies to install special equipment giving the FSB automatic access to their information systems and encryption keys to decrypt user communications without authorization through any judicial process.
Legislators have justified these rules by citing a need to protect state security, the Russian internet, and the privacy of Russian users. In reality, these requirements facilitate mass censorship and blanket surveillance, introduce non-transparent content-blocking procedures and endanger the security and confidentiality of people’s communications online, Human Rights Watch said.
These laws and regulations effectively reinforce a raft of laws adopted in previous years, and described in a 2017 Human Rights Watch report, that enable the authorities to unjustifiably ban a wide range of content.
Since 2017, the government has also increased the number of official agencies with powers to order content blocking, and increased the fines for organizations, including internet service providers, proxy services, and search engines, that refuse to take down such content or that provide means to circumvent content blocking.
The “sovereign internet” law envisages the full transfer of control over online communication networks to a government agency, from shutting down networks within certain areas of Russia, through cutting Russia off from the World Wide Web. If carried out as planned, the sovereign internet law will also enable the government to directly block whatever content it deems undesirable, Human Rights Watch said.
These internet-related requirements are embedded in an even broader set of laws and regulations aimed at stifling freedom of expression, both online and offline. Some of the recently adopted laws limit space for public debate in general, and especially on topics the government deems divisive or threatening, such as LGBT rights, political freedoms, or most recently, the Covid-19 pandemic. Other legislation apparently aims at further undermining privacy and secure communications on the internet, making no digital communication in Russia safe from government interference.
For the most part, the recently adopted laws and regulations are in their early stages of implementation or have not yet been put into effect. As a result, the manner and scope in which they will be enforced remains unclear.
The recent developments in Russian internet regulations tightening governmental control over internet infrastructure, introducing new technical means for monitoring internet activity, filtering and rerouting internet traffic, and increasing governmental capacity to block online content are inconsistent with standards on freedom of expression and privacy protected by the International Covenant on Civil and Political Rights and the European Convention on Human Rights, to which Russia is a party. While both treaties allow states to limit these rights to protect legitimate national security objectives, these limitations must be established under clear legal criteria, and the least restrictive means of achieving these objectives.
International law allows for certain restrictions on these rights such as protection of national security or of public order, health, or morals. Those restrictions, however, should be in line with the criteria of necessity, proportionality, and legal certainty. The United Nations (UN) special rapporteur on freedom of expression stated that these limits should be “provided by law, which is clear and accessible to everyone,” and be predictable and transparent. The European Convention provides that limitations imposed on freedom of expression and right to privacy should be prescribed by law and “established convincingly” to be necessary in pursuit of a legitimate goal in a democratic society.
Russia’s Constitution guarantees the right to privacy, including the privacy of communications. The Constitution also grants the freedom of opinion and the right to freely search, receive, transmit, produce, and disseminate information.
“The new laws and regulations tighten the state’s noose around users,” Williamson said. “They put users under more surveillance, yanking away their ability to access content, and threatening them with the prospect of being cut off from the outside world online.”
For detailed analysis of the new laws and regulations, please see below.
Human Rights Watch analyzed key laws and regulations that have been adopted or entered into force since 2017 and that collectively empower the Russian government to exercise extensive control over the internet infrastructure and online activity in Russia. They include:
- 2016 “Yarovaya amendments” on forced data retention;
- 2017 law prohibiting VPNs and internet anonymizers from providing access to banned websites and follow-up 2018 amendments to the Code of Administrative Offenses;
- 2017 law on identification of messaging application users and a follow-up 2018 government decree;
- 2019 “Sovereign internet” law; and
- 2019 law on pre-installed Russian applications.
Human Rights Watch also analyzed proposed implementing regulations for these laws which have not been adopted.
Forced Data Retention and the “Yarovaya” Amendments
The 2016 “Yarovaya” amendments, named after their main author, Irina Yarovaya, a member of the State Duma, the parliament’s lower house, from the ruling United Russia party, included numerous provisions that severely undermine the right to privacy and freedom of expression online. Among these were provisions that deepened the invasiveness of the troubling requirements, introduced in 2015, for tech companies to store Russian citizens’ user data on Russian territory.
Most provisions entered into force in July 2016, including the requirement for telecommunications companies to retain communications metadata for three years and for internet companies registered as “information dissemination organizers,” such as messengers, online forums, social media platforms, and any other service that enables its users to communicate with each other, to retain data for one year. Such data includes information about the time, location, and sender and recipients of messages.
Internet and telecommunications companies were also required to disclose the metadata to the authorities on demand and without a court order as well as to provide security services the “information necessary for decoding” electronic messages, such as encryption keys.
In July 2018, another batch of Yarovaya amendments came into effect, requiring companies to retain for six months the content of all communications, such as text messages, voice, data, and images, store this data on Russian servers, and make them available to the authorities on demand without judicial oversight. These provisions expanded already broad and troubling requirements to store user data of Russian citizens on Russian territory. In 2016, the government blocked LinkedIn in Russia for noncompliance with the data storage regulation. In February 2020, the government fined Twitter and Facebook four million rubles (approximately US$ 53,000) each for the same misdemeanor.
In 2019, organizations on the register of “information dissemination organizers” received letters fromthe FSB, requiring them to install special equipment that gives the agency around-the-clock access to their information systems and keys to decrypt user communications. The register includes 237 internet services, such as Yandex services, Telegram, the Mail.Ru Group, and Sberbank-online. The authorities have not yet compelled Google and Facebook services, including WhatsApp, to join the registry. Some of the companies have already installed the required equipment.
In May 2019, the government ordered internet service providers to store data, as prescribed by the Yarovaya amendments, using only Russia-manufactured technical means. In December, the government introduced a two-year ban on public procurements of data storage with foreign entities. In both instances, legislators interpreted the restrictions as protecting Russia’s “critical informational infrastructure.”
Banning VPN’s and Internet Anonymizers
The 2017 law on VPNs and internet anonymizers (276-FZ) does not prohibit these proxies. Rather, it aims to prevent proxy services, including VPNs and anonymizers such as Tor or Opera, from providing access to websites banned in Russia. It also prohibits search engines from providing links to such materials. The law authorizes Roskomnadzor, Russia’s federal executive authority responsible for overseeing online and media content, to block sites that provide instructions on how to circumvent government blocking, including through the use of VPNs. It also authorizes Russia’s law enforcement agencies, including the Interior Ministry and the FSB, to identify violators, and tasks Roskomnadzor with creating a special register of online resources and services prohibited in Russia.
“Laws on prohibiting VPNs and anonymizers from facilitating the bypassing of government blockings are part of the continuous expansion of governmental regulations on blockings,” Aleksander Isavnin, an IT and internet regulation expert told Human Rights Watch.
The 2017 law did not establish penalties for violations. Penalties were introduced in amendments to the Code of Administrative Offenses the following year. In April 2018, Roskomnadzor blocked millions of Internet Protocol (IP) addresses in an unsuccessful attempt to block the messaging service Telegram, for its failure to hand over user’s encryption keys to Russia’s security services, which Telegram does not hold. This led to massive disruptions, temporarily blocking services legitimately operating in Russia, such as banks, online shopping sites, and search engines. Russian internet users increasingly started using VPNs to bypass these disruptions, with some VPN providers reporting a 1,000 percent increase in sales in Russia. Roskomnadzor reacted by blocking 50 anonymizers and VPN services that provided access to Telegram.
In June 2018, the State Duma adopted a bill introducing administrative fines up to 700,000 rubles (US$ 9,000) for violations of the law on banning VPNs and internet anonymizers. The following December, Google was fined 500,000 rubles (US$ 6,500) for failing to filter its search results in accordance with the law, a precedent designed to send a signal to other companies.
In March 2019, Roskomnadzor required VPNs, anonymizers, and search engine operators to ensure that they block sites included on Roskomnadzor’s regularly updated register of banned sites through the federal government’s informational system.
Also in March, the agency published its plans to monitor compliance with the law via a more efficient automatic control system, instead of tracking blockings of banned websites manually. In June 2019, Roskomnadzor threatened to block within a month 9 out of 10 VPN services that received the order to connect to the register, for failure to comply. One service, Kaspersky Secure Connection, which also happens to be the only Russian service out of the 10 registered in the country, complied with the order. Another, Avast SecureLine, left the Russian market following Roskomnadzor’s threat.
Several VPN and internet anonymizer services still operate in Russia and provide access to websites blocked by Roskomnadzor.
Identification of Messaging Application Users
Amendments adopted in July 2017 to the law on information prohibited online messaging applications on the government’s registry of “organizers of information dissemination,” from serving unidentified users. The law requires these companies to identify all users by their cell phone numbers.
A government decree adopted in 2018 further requires foreign instant messaging service providers to sign an agreement with Russian mobile operators, obliging them to confirm a user’s identity by their phone number, within 20 minutes of the service provider’s request for the information. Messaging services cannot allow users whom mobile operators cannot identify to remain registered with the service. According to Aleksandr Zharov, former head of Roskomnadzor, the identity verification requirement applies both to already registered and new users.
The law, however, does not require instant messaging service providers registered as legal entities in Russia to confirm user identity via mobile operators, stating that such providers can use phone numbers for this purpose. The law envisaged a further decree introducing the verification rules for Russian messengers. Such a decree has not been adopted.
Under the law, Roskomnadzor can block mobile applications that fail to comply with the ban on working with anonymous accounts. It can also initiate cases under Art. 13.39 of Russia’s Administrative Code against instant messaging service providers that fail to comply with the law on identifying users. The offense is punishable by up to one million rubles (US$ 13,600) fine. Roskomnadzor has not yet initiated enforcement procedures against messaging services that don’t comply with identification regulations.
It is not clear whether foreign messaging services have been contacting mobile operators for identity verification in the two years since the regulations entered into force.
Many messaging service providers, both Russian and foreign, request users’ phone numbers for identification purposes. But some users have been able to register on messengers using SIM cards they bought unofficially, without providing the passport and other identification details they would have had to provide the official mobile operator.
Experts say that among other things, the law’s lack of clarity makes it difficult for tech companies to carry out. The 2018 decree that requires operators to sign identification agreements with messengers neither regulates the personal data transfer procedure nor explains whether mobile operators must perform this procedure for free. In addition, anonymous verification services have proliferated. These services “rent” temporary phone numbers that people can use to anonymously register with a messenger service, online platform, forum, and the like, allowing users to bypass the service’s verification. The extensive use of these services makes compliance with the law even more difficult.
The 2017 amendments also require instant messaging service providers to restrict dissemination of messages by particular users on Roskomnadzor’s demand if such messages contain information banned in Russia. In September 2017, the government drafted a decree that would establish rules to carry out this provision, but it has not been adopted. The Ministry of Economic Development criticized the draft, noting that compliance would be impossible for many messengers that use end-to-end encryption.
Parliament members acknowledged the lack of effectiveness of these regulations when the State Duma considered a similar legislative initiative for email service providers. The initiative has not advanced in parliament, and the government has not taken any further steps to enforce the law or impose sanctions for offenders.
If fully enforced, however, these regulations will jeopardize the confidentiality of information and communications by Russian internet users.
The Sovereign Internet Law
In May 2019, President Vladimir Putin signed the “sovereign internet” law, whose proclaimed goal is to protect the Russian segment of the Internet from threats to its security, integrity, and sustainability. In reality, the law further expands the state’s control over internet infrastructure.
The part of the law that entered into force in November 2019 obliged internet service providers (ISPs)to install “the technological means [equipment] for countering [external] threats” into their networks. This equipment includes deep packet inspection (DPI) technology, which allows the government to track, filter, and reroute internet traffic. Experts have criticized this technology as instruments of censorship and surveillance.