Russia Combats Internet Freedom

Executive Summary:

• The conflict in Ukraine has prompted Russia to intensify its efforts to restrict internet freedom, leading to unprecedented measures against uncensored information and internet encryption.
• In response to censorship, Russian users have turned to VPN technology for accessing uncensored news. Russian officials are actively pursuing technologies to detect and block VPN encryption protocols, including developing separate internet infrastructure under state control.
• Russian lawmakers are preparing new legislation to compel VPN services to comply with blacklists or face a ban. These actions raise concerns about the loss of access to information in Russia.

The continued conflict in Ukraine has served as an excuse for an unprecedented crackdown against internet freedom in Russia. The Kremlin took additional measures throughout 2023 to restrict access to uncensored information and the use of internet encryption by civilians, adding 529,000 websites to the Russian Communications Authority blacklist (Kommersant, December 28, 2023).

The initial invasion of Ukraine set off a scramble among privacy-savvy Russians who wanted to access the internet and obtain uncensored news about the war. These users turned to Virtual Private Networks (VPN), which protect an individual’s internet usage from their Internet Service Provider (ISP). Analysis of VPN adoption rates by the VPN provider AtlasVPN showed that VPNs were downloaded 33.5 million times in Russia in 2022,—the highest number after India, despite having a substantially smaller population (AtlasVPN, accessed February 15). Data from 2023 shows that the Russian population continued to download VPN technology, with VPN apps being the most popular items on Google Play and Apple’s App Store, according to data provided to the Russian newspaper Vedomosti (Vedomosti, January 12).

Aware of the drive for encryption to bypass the closure of independent media, Russian officials have stated that they are pursuing machine learning technology and Deep Packet Inspection. These are used to detect the presence of VPN encryption protocols and block them, similar to the capabilities China’s Great Firewall introduced in the last several years (RIA Novosti, October 25, 2023). As a result of the state’s increasing capacity to target encryption with new means of surveillance, Ruskomsvoboda, an NGO focusing on internet freedom in Russia, estimates that 8 of the 15 most popular VPN services in Russia are now inaccessible (Ruskomsvoboda, November 14, 2023). The organization notes that VPN providers can continue introducing new technology to avoid the blocks. Still, there is a significant risk that many ordinary users will give up after too many attempts to bypass censors.

Russian lawmakers are also preparing new legislation for March 2024 to attempt to force VPN services operating in Russia to comply with the blacklists or be banned from the country (IT-World, November 27, 2023). Previous legislation tried to accomplish the same goal. Still, international VPN providers ignored Russian state demands to comply, and the UK-based Kaspersky VPN company shut down its VPN service in Russia (SPBit, November 9, 2022).

Another prong of the assault on internet freedom by the Kremlin is the development of separate internet infrastructure under state control. Transport Layer Security (TLS) certificates are vital technologies enabling a secure internet by encrypting the HTTP traffic, which serves as a basis for the World Wide Web. Leading TLS certificate issuing authorities promptly exited the Russian and Belarusian markets in 2022 as part of a mass exodus of Western technology companies (Forbes.ru, October 21, 2022). The Kremlin’s National Security Council first explored the subject in 2016. At the time, this was talked about under the guise that Russia should have its own infrastructure if international certificate providers stopped providing services to Russian internet users (Lenta, February 15, 2016). The invasion of Ukraine served as a perfect excuse to implement the plans.

Within weeks of the invasion, three Russian cryptographers published a paper through the internet’s technical governing body, the Internet Engineering Task Force (IETF). They proposed an alternative encryption method for use within Russia known as GOST (IETF, March 2022). Key firms behind the development of GOST and other parts of Russia’s parallel certificate and encryption system include sanctioned Sberbank subsidiary “Digital Technologies” (US Department of the Treasury, April 6, 2022) and Crypto-Pro, which have a history of working with the Russian Federal Security Service (FSB) (Trusted.ru, January 28, 2021).

The Russian government began to pressure users to download these certificates to interact with several sites and perform basic functions. These functions included banking and municipal services, as well as requiring domestic web browsers, such as Atom and Yandex, to include the certificates in their software. As a result, in June 2023, estimates from Russia’s Central Bank calculated that up to 30 percent of the Russian population had downloaded said certificates (Vedomosti, June 16, 2023). Using these certificates is problematic as it leaves a user’s internet traffic susceptible to interception by authorities.

Russia’s efforts are running parallel to the large-scale efforts underway to localize as much of the internet infrastructure as possible, thereby creating a sovereign Russian national internet. This would maximize Moscow’s control over the system. The Kremlin’s National Security Council began to study the idea of creating a sovereign internet in 2017 and passed legislation establishing a groundwork for the project in November 2019. Subsequently, Putin’s government moved to localize as much necessary infrastructure as possible, alleging that this would be a way to protect the population, should Russia ever be cut off from the broader internet (Kommersant, January 20, 2022).

Russia is using every available lever to pursue its project of a sovereign internet by localizing network infrastructure. Retroactively constructing a complete China-style Great Firewall, however, would not be technically feasible for Russia. China implemented its vast censorship system in the 1990s as the internet was a nascent technology, at a time when chokepoints could still be established. The latest round of testing in Russia for the “sovereign internet” took place in July 2023. Government officials claimed that such tests were successful. Still, media sources reported that Russian users attempting to access websites for various government services, including the Russian Railway, experienced significant slowdowns, which government officials attributed to cyberattacks (RVTI, July 5, 2023).

These moves by the Kremlin are part of a broader campaign by authoritarian states to use technologies to restrict internet freedom and to borrow best practices from one another. Kazakhstan initially attempted to coerce its population to download national TLS certificates in the 2010s, presaging Russia’s actions. Iran and Belarus experimented with complete internet blackouts amid anti-government protests in 2020 and 2022 (OpenNET.ru, December 6, 2020). Echoing Moscow’s actions, Ankara’s Communications Ministry began restricting 16 VPN services in December 2023 out of suspicion that they were being used to access censored media (Gazete Duvar, December 20, 2023). These draconian policies to crack down on internet freedom raise the specter of a splintered World Wide Web, with an increasing number of internet users no longer able to access information freely.