Germany and the EU should assess the risks and long-term implications of Russia’s new internet legislation for European companies and civil society actors. |
EU institutions, particularly the European Commission with its geopolitical focus and ambitions, need to consider devising mechanisms to protect the companies and civil society actors of EU member states from disadvantages created by Russia’s new regulations. |
Germany and the EU should actively promote the advantages of the global internet and involve major stakeholders, civil society actors, and business entities in a broad discussion on how to sustain and enhance its future. |
The New “Sovereign Internet Law”
New regulations on the internet in Russia, most of which came into force on November 1, 2019 and others of which are due to follow in January 2021, have attracted international attention and been described publicly as Russia’s “sovereign internet law.” In fact, there was no such new law, but rather a series of amendments to the existing federal laws “On Communication” and “On Information, Information Technologies, and Information Protection.”
Officially, the amendments aim to protect the internet within Russia from external threats. In fact, they provide the crucial legal framework for creating a centralized management system of the internet by the state authority – theoretically enabling the isolation of Russia’s network from the global internet. These three amendments have particularly far reaching implications:
- The compulsory installation of technical equipment for counteracting threats
- Centralized management of telecommunication networks in case of a threat and a control mechanism for connection lines crossing the border of Russia
- The implementation of a Russian national Domain Name System (DNS)
Russia’s Goals
With these three key amendments, Russia is trying to achieve at least three different goals. First, it aims to create a mechanism for effective surveillance of the internet within its borders. To this end, the amendment concerning the installation of “technical equipment for counteracting threats,” allows for greater state control of information and the prevention of its dissemination if needed. Consequently, implementation of the new legislation may give the Russian government the opportunity to curtail opposition activity on social media sites, helping it to prevent protests such as those in 2011 through 2013 ahead of elections to Russia’s parliament, the State Duma, scheduled for 2021 and the presidential election scheduled for 2024. Even if this amendment is technically difficult to implement, as will be explained below, the law itself is a part of the Putin regime’s continuing intimidation strategy and it will impact Russian society.
Second, the state aims to become the key regulator of the internet in Russia. The recent amendment allowing the state to create centralized control over the internet infrastructure by introducing the cross-border control of connection lines and the rerouting of traffic is an attempt to enable the isolation of a national network from the global internet – for which the state can open and close “digital borders” and determine the flow of information within them as it sees fit. While total state control of Russia’s internet will remain impossible so long as the country is connected to the world via the existing infrastructure of the global internet, the passing of this amendment by Putin’s regime was an attempt to present its control of telecommunication lines, networks, and traffic as a fait accompli.
Third, Russia intends to expand the state-centered model of the internet at the international level. The amendment aiming to create the infrastructure for a national Domain Name System (DNS) could, if achieved as planned in January 2021, create a Russian segment of the internet – parallel to and probably not compatible with the existing one. With this move, Russia is not seeking to isolate itself from the rest of world, but rather to create a precedent, which other states aspiring to sovereignty over their segments of the internet could follow. Presumably, Russia will need to cooperate even more closely with China than it has already to develop the technology to achieve its goals and coordinate its internet policy at the international level. In the long term, such cooperation could lead to the fracturing of the global internet and a shift of stakeholders and powers.
Risks to Others
Although some implications of the three amendments are still unclear and some regulations and requirements are not yet in place, the new legislation already carries concrete risks, which concern not only Russia itself, but also Germany and other European countries that cooperate with Russia and own companies operating within it.
The now compulsory “technical equipment for counteracting threats” will, for example, also be able to prioritize traffic. It can delay the flow of certain types of network packets while prioritizing others, giving them better performance. In practical terms, users of particular websites and services could experience slow access or unavailability. Such prioritization could compromise network neutrality and lead to discrimination against companies not protected by the Russian state.
The fact that neither technical requirements nor certification for this new equipment exist also means that network failures are likelier to happen. Companies operating in Russia could, in turn, suffer collateral damage caused by the new equipment with limited possibilities for recouping losses.
In addition, the likelier prospect of the so-called “splinternet,” where segments of the internet are controlled and regulated by different states and actors, could lead to incompatibility among technical, regulatory, and operational standards – thus impeding cross-border cooperation and the interoperability of the global internet.
Centralizing State Control over the Decentralized Internet
Russia has a long-standing information and internet policy through which it has already attempted to control the internet in previous years, as was also described in a recent DGAP paper by Andrei Soldatov (see infobox below). But, in current practice, the state authorities apply the restrictive internet laws that already exist in Russia selectively for two reasons. First, due to the lack of technical capability, some of the laws cannot be implemented. Secondly, certain internet services and applications are so popular that the state does not block them in order to avoid public discontent.
Generally speaking, in order to gain more influence over a domestic internet, state authorities can implement centralized and decentralized control mechanisms. Which one to choose is mainly defined by the network infrastructure and the amount of control countries possess over their networks. China, for example, opts for centralized control; the country brought internet service providers (ISPs) under its yoke early on and traffic is guided through “choke points,” network nodes through which data travels when entering or exiting a country’s internal network. Countries such as the United Kingdom, India, and Russia currently have much less control over their networks and domestic ISPs. In their case, a decentralized approach is favorable. Authorities roll out new laws and policy measures and oblige ISPs to comply. Up to this point, Russia was “the largest and most aggressive” country pursuing decentralized control, as demonstrated by the laws enacted since 2012 regulating the internet. The new amendments introduced in 2019 aim to give Russian authorities more centralized powers. Roskomnadzor – the Federal Service for Supervision of Communications, Information Technology, and Mass Media – and the central point for control over communication networks and facilities as well as personal data in Russia, wants to monitor traffic at its source, without having an ISP in between or internet services that do not comply with new regulations.
Apparently, Russia is now attempting to catch up with what China quickly implemented in the early days of the internet: centralized and effective control mechanisms at the root of the network.
One of the first laws was passed in reaction to a series of mass protests in 2011 through 2013. The protests were against manipulation of the parliamentary election and the so-called rokirovka – the position swap between then President Dmitri Medvedev and Prime Minister Vladimir Putin. The opposition made wide use of the internet to bring people to the streets. As a reaction from the state, in 2012, a law on a unified register of banned websites came into force. The register initially included sites containing child pornography and drugs. But less than two years later, in 2014, it was amended to include websites promoting rioting or containing extremist content or participation in mass public events. Since 2015, all domestic and foreign internet companies are obliged to ensure the recording, systematization, accumulation, and storage of the personal data of Russian citizens on servers physically located within Russia. In 2016, Yarovaya’s Law (named after Irina Yarovaya, a member of the party United Russia in the State Duma and co-author of the legislation) came into force. Since then, telecommunication companies have been required to store the content of text messages, phone conversations, images, and videos for six months, as well as their metadata for three years within Russian territory. They must provide this information to security services upon request. |
Implications of Three Key Amendments
Below the implications of three key amendments included in the new regulations are explained in detail.
1. The Compulsory Installation of Technical Equipment for Counteracting Threats
This amendment requires all internet service providers to install “technical equipment for counteracting threats to stability, security, and the functional integrity of the internet on the territory of the Russian Federation” (TSPU) on their networks. The legislation does not specify which technical equipment should be used. Although, at this writing, there has still been no official decree on this equipment and its technical requirements, the articles of this amendment state that Roskomnadzor will provide it to ISPs free of charge. The technology will apparently be installed nationwide by a single company called “Data – Processing and Automation Center” and controlled by Roskomnadzor.
The past attempt by the Russian state to block Telegram, a cloud-based messaging app, provides a good example of how the regime is attempting to use this amendment to prevent unrestricted communication that could be utilized to coordinate social unrest and opposition movements. Telegram claims to allow the secure exchange of information through end-to-end encryption, which makes communication possible without intelligence services being able to read it. In 2018, according to the founder of the company Pavel Durov, Telegram had over 15 million users in Russia.
In its attempt to block Telegram, Roskomnadzor tried to ban the IP addresses of Telegram servers without success. In order to finally ban the service and prevent undisclosed communication, Russian authorities might use, among others, a technology commonly referred to as Deep Packet Inspection (DPI). This new amendment obliges ISPs to accept and cooperate in the installation process of DPI systems or a similar technology.
The main technical components of DPI systems are so-called black boxes, which are installed at the hubs of internet providers to analyze both data packets and the content of communications. They enable the monitoring, filtering, and slowdown of requests as well as the blocking of specific content. The black boxes can also determine to which service or application each data packet is attributed. Although DPI systems have been used in Russia since 2012, when legislation creating an internet blacklist was enacted, ISPs have yet to introduce them widely because of their high cost, which they had to bear themselves. |
Anonymous sources have told the BBC that DPI systems, which have already been tested on the networks of all major mobile network operators in the Ural region, are indeed Roskomnadzor’s choice. While it can therefore be assumed that the implementation of the TSPU amendment will be based, at least in part, on the use of Deep Packet Inspection technology – the exact specifications, capabilities, and effectiveness of which are unknown – it might also include other hardware and software solutions, which are also unknown at this time.
Even Encrypted Connections Might Be Blocked
If Roskomnadzor widely implements DPI systems or similar technologies, they might be used to block undesired traffic and severely censor the Russian web. One might think that DPI systems cannot identify, and therefore block, packets of encrypted connections such as HyperText Transfer Protocol Secure (HTTPS), which is widely used on the World Wide Web. Unfortunately, this is not entirely the case. Because data packets – even those sent via an encrypted connection – are always sent to a certain destination, they must always carry an address that is visible. This information cannot be encrypted because an ISP would otherwise not know to which address it is supposed to send the user’s request. For example, an ISP will know that a user is requesting data from YouTube, the size of the request, and its length. But, thanks to encryption, it will not know which specific video the user is watching.
For Russian authorities, the package destination might be indicator enough to block requests from undesired websites. One possible solution would be for a user to hide the address of the packet he or she wishes to send by redirecting it through a Virtual Private Network (VPN). In this case, the user doesn’t communicate directly with the ISP but through one or several entities in between. This makes the destination of the request only visible to the VPN service provider but not the ISP. But, since Russian authorities are also trying to use DPI systems or similar technologies to shut down VPN services, this workaround may sooner or later cease to be a viable option.
Another workaround in current use is a technique called “domain fronting,” with which a request gets redirected on the same server after a HTTPS connection has been established. This technique, among others, was used by Telegram to bypass Roskomnadzor’s IP bans. However, this workaround, too, is becoming more difficult to implement as companies such as Amazon or Google, which operate servers also used for domain fronting, seek to end this practice.
Traffic Speeds May Be Prioritized and Discriminated
DPI or similar technologies can also be used to prioritize and discriminate traffic. Prioritizing traffic could have far-reaching consequences for net neutrality, especially if it is carried out by a state authority. Roskomnadzor could slow down the traffic speed of all unknown or undesired connections and prioritize trusted connections of entities that comply with the fixed rules.
European telecommunication operators may have confirmed that such prioritization and discrimination of traffic works. Larger ISPs – including Deutsche Telekom – are suspected of using DPI for commercial purposes in order to control traffic speeds to block intensive forms of consumption (for example streaming) that are not included in a user’s contract. And if ISPs can slow down connections, Roskomnadzor could do the same in order to put enormous pressure on companies that do not comply with its fixed rules. If a state authority massively slows down some connections, targeted companies could face issues that threaten their businesses. These could include seeing a marked decrease in their user base as customers dissatisfied with the inconvenience of substantially slower services are pushed toward alternatives.
If this amendment is fully implemented, bypassing DPI services and accessing restricted areas of the internet will be very difficult except for highly skilled users, leading to an “asymmetry of blocking effectiveness.” Since it must be assumed that IT specialists can circumvent DPI systems, the amendment’s official goal – repulsing threats – is not entirely plausible. In other words, it is likelier that the primary target of wide implementation of DPI is Russia’s ordinary users, whose internet use will assuredly be restricted. Private companies might also be targeted to cause them economic disadvantages.
2. Centralized Management of Telecommunication Networks in Case of a Threat and a Control Mechanism for Connection Lines Crossing the Border of Russia
This new amendment states that the media regulator Roskomnadzor can take over the centralized management of the network in case of a “threat.” The three main threats are defined in a government decree on the “centralized management of a public communications network,” which is currently still in its development phase and has not yet entered into force. These threats are:
- to the integrity of the network, for example when no connection can be established between users;
- to the stability of the network, for example when equipment does not work correctly or is disabled due to natural or man-made disasters;
- to the safety of the functioning of the network, for example when hackers attack the network and ISPs cannot resist the attack, or when ISPs themselves cause disruption.
If any of these threats materialize, Russian ISPs will have to comply with the rules fixed by Roskomnadzor, which then prohibit the routing of telecommunication messages through communication networks located outside of the territory of the Russian Federation. In addition, when two autonomous systems wish to communicate with each other, they will have to do so through traffic exchange and connection points monitored by Roskomnadzor. The agency can ask any ISP or person running an autonomous system to “change the routes of telecommunication messages” and guide those messages through “technical means to counteract threats to the stability, security, and integrity of the functioning of the […] internet.”
Furthermore, this new amendment creates a control mechanism for connection lines crossing the border of the Russian Federation. All owners of such communication lines are obliged to report not only their purpose, but also which facilities exist on that line to Roskomnadzor.
Russia has more than 40 providers on its borders, and – for now – no large choke points
The Danger of a Kill-Switch
The aforementioned stipulations give state authorities the potential to create a “kill-switch,” a relatively easy to use mechanism that can be used to shut down most of the Russian internet. In the event of such a shutdown, even DPI bypass systems, VPNs, or other unidentified connections will not work – communication becomes physically impossible.
The global internet is strong and redundant because its traffic is handled by a web of computers and servers; data can therefore take many different paths in order to reach its destination. The amount of centralized traffic exchange and choke points strongly affects the power of a government to censor and repress data flows. The lower the amount of choke points, the more easily they can be controlled.
With implementation of this new amendment, Russian authorities will weaken the robust structure of the Russian internet by guiding traffic through centralized, state-controlled connection points, which can be shut down in case of a “threat.” Russian authorities might soon be able to cut off major parts of the network and thus prevent information that is critical of the government from entering or spreading within the country.
In the past, several deliberate internet shutdowns have occurred in different countries on different scales. An intentional local shutdown is theoretically possible in any country with a weak legal system – because it can be pushed through with little juridical resistance. For example, one such shutdown took place in August 2019 during rallies in the center of Moscow; the BBC claims it was requested by law enforcement agencies. In November 2019, Iran cut off most of its internet for several days. However, this nationwide shutdown was only possible because the country relies on data connections through choke points and has a very limited number of ISPs, which are all state-controlled. In contrast to Iran, Russia has more than 40 providers on its borders, many ISPs, and – for now – no large choke points. These parameters had made any major internet shutdown in Russia hard to execute. The new amendments, however, create a new legal basis for just such a scenario, thus enhancing the probability of a shutdown.
3. The Implementation of a Russian National Domain Name System (DNS)
This key amendment concerns the creation of a Russian national Domain Name System (DNS), which is due to be implemented by January 2021. It aims “to ensure a stable and safe use of domain names on the territory of the Russian Federation.” The Russian national domain zone will be composed of its own infrastructure, which means root servers and proprietary domain names. Roskomnadzor is again vested with enormous power: it will define regulations on the national DNS, requirements for it, and the procedure for its establishment, as well as the rules for its use. It will also determine the list of domain name groups constituting the Russian national domain system.
The creation of a proprietary national DNS has never been successfully achieved by any country. It is therefore very hard to predict if such a system could work in parallel to the worldwide DNS in current use, which is allocated and managed by the International Corporation for Assigned Names and Numbers (ICANN). A national DNS would only make sense if a country opts for a long-term and complete isolation of its internet. If Russia manages to implement the new amendments providing for the control of all networks and servers on its own territory and allowing for their disconnection from the global internet, it would then need its own domain name system. This would segregate Russian websites from the international DNS, making them unavailable in all other parts of the world. At the same time, Russia would likely become unable to use the global DNS.
Aspiring to Independence from ICANN
In an explanatory note about Russia’s new law on the “sovereign internet,” the Russian legislature claims that it was created in light of “the aggressive nature of the US National Cyber Security Strategy adopted in September 2018.” In it, the US accuses Russia – along with China, Iran, and North Korea – of using “cyber tools to undermine [its] economy and democracy, [and to] steal [its] intellectual property.” Furthermore, the document states that the United States will punish those who use cyberattacks against them. According to the explanatory note, Russia needs to take “protective measures to ensure the long-term and stable operation of the internet in Russia, and to increase the reliability of Russian internet resources.”
But it would be misleading to consider Russia’s new internet legislation as a mere reaction to the US National Cyber Security Strategy of 2018. Since 2012, Russia has been actively criticizing ICANN’s dominant position in coordinating the global DNS, allocating IP addresses, and governing the internet. In parallel, Russia is pushing for an alternative internet governance model with strong state sovereignty and within the framework of the International Telecommunication Union (ITU) of the United Nations.
Russia is pushing for an alternative internet governance model with strong state sovereignty
Russian fears of getting cut off from the internet expressed in the explanatory note are not fully plausible. First and foremost, because ICANN is an independent organization, interference from the US government is legally almost out of the question. Moreover, the US government is most likely not technically capable of shutting down domains related to Russian websites. The worldwide DNS is managed by IANA (the Internet Assigned Numbers Authority), a function of ICANN located in California. Top Level Domains (TLDs) like .ru or .de are stored on so-called root zone files. These files, which are managed by ICANN and can be considered the backbone of the internet, are primarily stored on 13 root zone servers worldwide – ten of which are located in the US, and one each in the Netherlands, Sweden, and Japan. But TLD files are also stored on many other name servers. If the 10 root servers on US soil are modified so that the domains of Russian websites are redirected, for example, there are still three other root servers and all the name servers left. As soon as manipulation of the root zone files is detected, DNS providers can stop the mirroring process from US root servers. Hence, all the remaining DNS servers would still have the files which grant access to the Russian domain names. Consequently, even if almost all the root servers are located in the USA, a shutdown of TLDs related to Russian websites by the US government is not a realistic scenario.
Against this background, it seems as though the aim of this new amendment is not to defend the internet in Russia from outside attacks, but rather a proactive step toward splitting its own national segment off from the infrastructure of the global internet in order to gain state sovereignty over it. First of all, a proprietary DNS would make Russia independent from ICANN, which the Kremlin sees as being dominated by the USA. And – although technical implementation seems far from easy – a national DNS is the key part which would allow the state to cut off the domestic internet for the long term. Russia would then not have to cope with international traffic and, thus, undesired information leaving or entering the country.
Russia Will Likely Build Up Its Partnership with China
Russia’s ambitions to build a model of state-backed internet control, create its own national DNS, and set new rules in cyberspace only make sense if it teams up with other countries. It remains to be seen how many countries would want to join its experiment. However, Russia already has a longstanding relationship with China when it comes to the internet. Both countries have had several high-level meetings on cybersecurity and internet control.
In May 2015, Russia and China signed a bilateral agreement on cooperation in the field of international information security and defined a broad range of forms in which such cooperation could take place. The agreement includes the “creation of communication channels and contacts to jointly respond to threats,” “exchange of information on the legislation of the states on ensuring information security,” and “interaction in the development and promotion of international law standards to ensure national and international information security.”
Additionally, in June 2016, Vladimir Putin and Xi Jinping signed the joint statement on cooperation in information space development. Both leaders stress they “uphold as always the principle of respecting national sovereignty in information space,” and “explore the possibilities of developing universal rules of responsible behavior in the information space within the UN framework.” Indeed, China has often supported Russia’s initiatives in setting rules in cyberspace within the UN framework.
A Sino-Russian cooperation could lead to the fracturing of the global internet
Such cooperation with China can be beneficial for Russia’s ambitions in the internet in both domestic and international politics in a number of ways. First of all, Russia’s divergence from the West means it might need technology from China; in fact, it is already striking deals with Chinese companies. In June 2019, for example, Huawei signed – in the presence of President Vladimir Putin and President Xi Jinping – a contract with MTS, one of the biggest Russian telecom companies, to develop Russia’s 5G network. Just a couple of months later, they jointly launched the first 5G test zone in Moscow.
Secondly, Russian authorities can benefit from China’s experience in internet regulation and surveillance when it comes to implementing its new legislation on internet control. According to press reports, Roskomnadzor and its Chinese counterpart – the Cyberspace Administration of China – are going to cooperate in countering the spread of prohibited information.
Cooperation between Moscow and Beijing does not, however, automatically mean that the Russian authorities can simply imitate China’s procedures in blocking undesired traffic. As already mentioned, given the fact that China began its isolation process and the implementation of its so called “Great Firewall” in the early days of its participation in the internet, the structure of China’s network is, for now, very different from Russia’s, which has been fully integrated into the global, decentralized internet from the outset. While the Chinese internet has only very few cross-border traffic exchange hubs, Russia’s has many – some of which are not even on the radar of its state authorities.
Germany should add coordinating support for the existing multi-stakeholder model of internet governance
Furthermore, as China has its own global internet services, it does not rely on YouTube, WhatsApp, Google, or Facebook. In Russia, the US companies Google and Facebook currently provide some of the most widely used internet platforms. Many of these companies operate on an international level. Google, for instance, stores user data on many different servers worldwide, making them hard to regulate. Because Russia’s society and economy rely so heavily on services such as social networks, search engines, financial services, and Software as a Service (SaaS), replacing foreign ones with domestic versions seems to be a nearly insurmountable task. Simply shutting down foreign platforms would also have tremendous negative consequences for the economy and likely generate social outrage.
In addition, Russia needs to partner with China at the international level to promote the idea of state sovereignty in cyberspace. As previously suggested, Russian fragmentation from the global internet would only make sense if the country had allies with whom it could establish a parallel network. In November 2017, it became known that Russia’s Security Council instructed the Ministry of Communications and the Ministry of Foreign Affairs to develop ideas for a separate internet infrastructure and its own DNS root server system for the BRICS countries – Brazil, Russia, India, China, and South Africa – independent from ICANN. Successfully establishing a regional segment of the internet will depend on Russia and China developing a network infrastructure which can be sustained without the architecture of the global internet. As yet, it is difficult to predict if they will succeed. It is also still unclear to what extent it will be attractive for other countries to shut themselves off from the global internet. However, with the new legislation, Russia has created a legal framework whose implementation must be taken seriously.
Recommendations
First, Germany and the EU should begin assessing the risks and long-term implications of Russia’s new internet legislation for European companies and civil society actors in a timely manner. The EU needs a clear understanding of Russia’s dependence on the internet ecosystem, its technical capability, and its political goals in order to differentiate between the officially proclaimed goals of the Russian state and its real intentions – which is, in turn, a prerequisite for taking appropriate action.
Second, EU institutions need to consider taking active steps to protect the companies and civil society actors of EU member states operating in Russia from disadvantages created by the Putin regime’s new regulations. The European Commission with its geopolitical focus and ambitions could play a particularly key role in creating and implementing such measures.
Third, the German government could play an important role in advocating for an open and free internet. Concretely, Germany should add coordinating support for the existing multi-stakeholder model of internet governance to the tasks of its upcoming EU presidency, which begins in the second half of 2020. Standards for transnational legal regulations, for example, need to be developed as soon as possible – particularly because the ongoing cooperation between China and Russia in filtering, controlling, and regulating the internet poses a real danger of segmenting the existing internet and shifting global power.
Finally, Germany and the EU should actively promote the advantages of the global internet and involve major stakeholders, civil society actors, and business entities in a broad discussion on how to sustain and enhance its future. Ideally, they should develop a common long-term strategy for preserving the internet in its current, non-segmented, truly global form, which would involve widening the scope of existing platforms such as the United Nations’ Internet Governance Forum.
Acknowledgment: The author wishes to thank Philipp Dietrich for his excellent support in the research, writing, and discussion of this DGAP Analysis.