VPN services in Russia: surrender or die

According to the recent amendments to Russian legislation, VPN service providers are obliged to cooperate with the authorities and block access to web resources which are banned in Russia. Examples of banned sites are those whose content includes piracy, propaganda of religious extremism, advocacy of terrorism, drug trafficking, etc. Using a VPN is a way around the restrictions, used by many in Russia to access the banned sites/materials.

If they refuse to co-operate, VPN services might themselves be blocked in Russia.

Last summer the Russian parliament passed amendments to the Federal Law “On Information, Information Technologies and Protection of Information”. The new provisions regulate VPNs and anonymisers (tools that access the internet on a user's behalf hiding their identifying information) as part of a strong commitment to prevent internet users from bypassing the Government block.

By way of illustration, in November 2016 LinkedIn was blocked in Russia because the company failed to comply with a new law on personal data. Namely, LinkedIn was unable to store Russian users’ personal data on servers based in Russia, as required by the law. The number of LinkedIn users in Russia decreased from 2.5M in November 2016 to 1M one year later. Presumably, they are accessing the blocked social network with VPNs.

Under the new amendments, Roskomnadzor (the Russian Federal executive body responsible for overseeing the media and Internet within the Ministry of Telecom and Mass Communications) has developed the Federal data system of information resources and networks with information on all web resources, anonymisers and VPNs permanently blocked in Russia. The Federal data system was developed especially for VPN services and anonymisers to provide them with a list of “illicit” web resources.

As soon as the Ministry of Internal Affairs or the Federal Security Service detect that any VPN service or anonymizer (no matter where they are based) provides access to web-resources listed in the Federal data system, they inform Roskomnadzor accordingly. Then Roskomnadzor sends an official notification (both in Russian and English) to the VPN service/anonymizer. This notification would inform the private network, that “granting access to webpage X infringes Russian laws” and proposes that the addressee cooperates and blocks access for Russian users to all “illicit” web resources.

If a VPN service/anonymizer cooperates, it should access the Federal data system within 30 days. Then, it should block access for Russian users for all “illicit” web resources within a further 3 days.

If a VPN service/anonymizer ignores Roskomnadzor’s notification, or does not comply fully with the law, then access to that private network (or anonymiser) would be blocked in Russia by Internet Service Providers. If the private network subsequently decides to cooperate and carries out all the actions required by the new law, it would be immediately unblocked.

However, the new rules will not necessarily apply to corporate VPN services/anonymisers. Such networks, by definition, have limit access to employees only, therefore Roskomnadzor has no intention to regulate them.

According to Roskomnadzor, Russian based Mail.Ru Group, Yandex, Kaspersky Lab, and Norwegian software company Opera Software ASA (primarily known for its browser which features a preinstalled VPN service) cooperated and participated in a test of the Federal data system. A couple of VPN services also confirmed that they are going to join the programme and access the data system as soon as they receive an invitation from Roskomnadzor.

Will the new rules work? At least, the new provisions will make it more difficult for an ordinary user to access “illicit” web resources. On the other hand, there is no doubt that any web resource can still be accessed by a user who really wants to access it, and knows what he’s doing.

As a postscript to the above, Opera VPN (which cooperates with Roskomnadzor) still provides an access to the pirate platform rutracker.org, banned in Russia almost two years ago.