Data centre at telecommunications service Rostelecom, St Petersburg. (c) Vadim Zhernov / VisualRIAN.
A firsthand account of how the internet is monitored, regulated and blocked in the Russian Federation.
The internet is no longer free in Russia—that’s according to Freedom Net, a report recently published by Freedom House. Freedom of expression on the internet has been under threat for some time in the Russian Federation, but the risks have increased since 2014. In the 18 months since Maidan, the annexation of Crimea and outbreak of conflict in eastern Ukraine, new laws preventing the dissemination of ‘extremism’ online and extending the authorities’ surveillance powers have made the RuNet a far riskier environment.
On terms of anonymity, I spoke with the director of a Russian internet provider—who has worked in the Russian IT market for more than a decade—and found out how the FSB and prosecutor’s office monitor the internet, why they reprimanded an FSB officer who bugged an opposition politician and why cutting Russia off from the global internet isn’t so easy. Read his account below.
Black lists
‘Since 2012, Russia has operated a register of banned websites. This isn’t the federal list of extremist materials, where there’s a heap of leaflets and video clips, which the court has tried to distort in its categorization. No, the register is a selection of 100,000 IP addresses. The FSB doesn’t monitor how bans are put in place: they’re more interested in making sure Roskomnadzor’s [the federal body responsible for media oversight] recommendations come through on time.
According to the law, internet providers should contact Roskomnadzor on a daily basis, but people usually get in touch every three days. Each provider has a ‘curator’ from the FSB. Even we have one, although we’re a typical example of a small company, with 10,000 domains. An FSB guy just sits with a list of providers to monitor. He has the statistics on downloads and if you’re high, then you get a call—your curator starts reprimanding and threatening you. I know some people who were fined because their admins stopped looking at the updates for the black lists.
Unlike the FSB, the prosecutor’s office checks to see if blocked websites can still be accessed. According to the prosecutor’s logic, every provider who isn’t aware that some site has been banned should be taken to court. We were recently fined 50,000 roubles [£500]. In 2011, it seems, we didn’t block a certain site, and now they’ve realised. The state prosecutor himself says: ‘Well, pay – be my guest! We need more cases for the quarterly report.’
The system of implementing black lists varies widely—from the wholesale blocking of an entire website, which is what the big operators do, to blocking specific links, which is what we do. Of course, this is more difficult technically and more expensive. Generally, if you use a small operator, you’re more likely to see banned material—there’s less strict implementation at this level.
I made all sites accessible to my friends. None of them are going to complain to the prosecutor. Theoretically, you could operate these black lists on a commercial basis.
Last summer, there was a bit of a panic over separatism. As a result, all the materials on federalising Siberia were blocked. They used semantic analyses, i.e. searching for specific markers in texts. Places like Yandex [Russia’s most popular search engine] are now banning results for searches like ‘Putin-terrorism-Caucasus, but this hasn’t reached the ISPs yet.
We only block a site when we receive a prosecutor’s order that refers to a court decision. But in the regions, state organs have to fulfill the norm. For example, take some neighbourhood prosecutor’s office, which is connected to our network—they’re constantly checking to see what else some court out in Khanty-Mansiisk [Siberia, i.e. a remote court] has banned. They don’t contact Roskomnadzor, they don’t request to include the banned site in the register—they go straight to court. Get them the hell off the net!
Of course, when we receive a court order, we block everything—it’s just we couldn’t have found out about the decision earlier, given that you can learn about the decision of the Khanty-Mansiisk court only on its website. In the court they ask me: ‘Have you blocked it?’ I answer: ‘Yes, of course!’ Then we go to check: the site, naturally, opens easily enough—after all, the court isn’t connected to our network, and their provider isn’t any more aware of the Khanty-Mansiisk court’s decision. The court officials look at me in surprise, and I end up giving the judge and the prosecutor’s assistant a lecture off-the-cuff about how the internet works. I try to explain that our company can’t block the site everywhere, only on the territory of our neighbourhood. They seem to understand, and then they send me the court summons anyway—block this website now and everywhere.
The blacklists contain opposition websites (Grani, Kasparov.ru), religious websites too. Most of the time, it’s all kinds of trash sites that are getting blocked—nothing particularly shocking or interesting. Often it’s unreadable far left sites with long addresses. They recently blocked an online database of passport information—you couldn’t find anything there either.
SORM-2
Most internet providers now operate SORM-2 [internet surveillance programme designed to track individuals, originally introduced in the late 1990s].
We’re supposed to store addresses for two years. But SORM-2 hasn’t come into full effect yet, it’s expensive and complicated to make it work. Just one system test costs 200,000 roubles [£2,000]. All the work is done by a monopoly, that’s why the price is so high. The big providers, of course, have more resources, but they also have more clients. The scale of the project makes it more complicated—we don’t have the equipment to record all the information at 40 gigabits a second.
We don’t have the hardware for SORM either. The security organs, of course, want SORM-2 fully operational. But they don’t know anything without us knowing about it. When they need something, the FSB just rings up and I look at our database to find out who’s up to what.
The Russian IT market is pretty small, on the whole. Everyone knows everyone else. For example, I know the guy who bugged Alexei Navalny’s office. He got reprimanded for that, by the way—if they’d set the bugs up for passive collection and relay of information at four o’clock in the morning, then they wouldn’t have been able to locate them. I don’t know who ordered the bugging, though, or where else they’ve installed that kind of stuff.
‘These people are really thick’
The standard of security service personnel is catastrophic today. They can’t even use the tools they already have. Police officers see IP addresses like license plates, and don’t understand that thousands of people access the internet through them.
The standard of security service personnel is catastrophic today
Someone brought in a flash drive recently¬—it’d been lost by a security officer from a neighbouring district. There was a whole heap of criminal case files on there, hundreds of investigations. In the end, they found the owner through his account on Odnoklassniki [a Russian social networking site, particularly popular with older generations], though, to be fair, he’d been hacked there.
The guy was really happy: he literally kept his whole life on that flash drive. He didn’t understand that you had to protect or back it up. Or, for instance, I went to the police station recently, I logged on to their local network—it was absolutely full of viruses. And they don’t even have access to the internet there. What qualifications can you even talk about?
These are the officers who are trying to find people sharing ‘incorrect’ material on the internet. They use their personal email addresses from Mail.ru [highly popular and virus-ridden mail service], which is pretty easy to hack—these guys don’t have an official email system.
They write the criminal case number at the beginning of the message, and then ‘please issue information on so-and-so a user, who logged onto VKontakte [popular Russian social networking website set up by Pavel Durov, who now runs Telegram] at so-and-so a time’. It’s surprising if they indicate an IP-address: 300 users log on to VKontakte every second.
Interestingly enough, they haven’t made any requests for Facebook or Odnoklassniki yet. We get a lot of political requests when there’s unrest: Bolotnaya Square [protest in Moscow following Vladimir Putin’s victory at the 2012 presidential elections], the elections [2011 parliamentary elections; 2012 presidential elections]. They were sending five requests a month back then. Usually we get a request every three months.
In 80% of cases I have to ring them back to make sure the request is filled out correctly. Asking the right question is, after all, half the battle. We do have projects to collaborate on—I help them monitor underground gambling clubs on a voluntary basis. You don’t need a lot of information for this work—all the computers have to be connected to one another and the net, but the police are used to burglaries and rapes. Computers are hard to figure out.
I’ve tried to talk to people from the Center for Combatting Extremism. We met at a seminar about cultures of intolerance, and I proposed working more efficiently together, but those people also turned out to be really thick.
‘The best defence is to keep your head down’
Maybe there’s no need to be paranoid then? In the last year, however, there’s been some serious rules introduced. You can’t build a network and remain unnoticed anymore.
They’ve started tightening the screws, and so our company isn’t working with internet telephone services anymore. Everything was just a formality before, but now they’ve requested SORM for telecommunications.
The prospect of a shrinking official market, though, is a different matter: the black market will compensate. The more they carve up the official internet, the greater demand for the dark net.
The more they carve up the official internet, the greater demand for the dark net
I completely support the idea that we have to keep taps on people who are up to bad stuff. But in the current conditions, if this system is introduced 100%, then it will be used for illegal aims. When we move onto SORM-3, then the FSB will be able to just log in to a provider’s network independently—without the prosecutor’s sanction—and look at what photos someone’s posting, what they’re saying on private chat applications.
Internet providers will be obliged to store this information for two days: we’ll have to record our five gigabit-a-second stream for 48 hours—the amount of information will be crazy. As far as I know, SORM-3 isn’t operational on the civilian net, perhaps it’s operational at the Federal Protective Service [Russia’s equivalent of the Secret Service] level, or at defence installations.
On the whole, though, users aren’t trying to hide from this. Only 0.01% of people use encryption. You have to really look on our database to find someone using TOR.
To remain unnoticed, though, you have to behave—you shouldn’t go to demonstrations or repost content from opposition websites or social media accounts. The best defence is to keep your head down. That way you won’t attract the interest of the FSB. And if you do stick your head out, well, it’s useless, I think.
In any case, I recommend you buy a SIM card at the local market and register it to some “Kazbek Alievich” [i.e. a random ‘migrant’ name; most SIM cards bought on the black market in Russia are registered to someone else, often labour migrants], install VPN on your mobile, turn on secret chat on Telegram, otherwise it’s useless. In principle, the FSB should have the keys to the encryption algorithms, otherwise it’s illegal, but it seems that Telegram hasn’t shared its keys.
‘We’ll build our own RuNet just like North Korea’
There was news recently that Roskomnadzor conducted a trial attempt at logging Russia off from the net. Apparently it failed due to the small providers, who still allow unmonitored traffic. We haven’t seen any signs that the net has been cut off yet, although 30% of Russia’s traffics goes through foreign companies. Just as there are underground pipelines, there’s a mass of unregistered cables too.
Even physically, the prospect of cutting us off completely isn’t easy. One of the world’s main traffic exchanges is located in Frankfurt. A load of Russian internet providers use it too. It’s convenient—you can connect various providers with a few short cables. If they block the exchange, that is, cut the cables to Europe, for example, then they’ll have to build an exchange at the physical border too.
‘Illegal’ channels to Frankfurt will remain in use. To cut everything off, you’d have to control everything. There’s a lot of exchanges at the moment and, with time, there’ll be even more. You can’t control everything. Cross-border traffic between countries is clearly not controlled whatsoever. There were attempts to create a single operator for foreign traffic, but that hasn’t gone beyond the conversation stage.
If there really has been a trial run at logging us off, then I think that’s probably to develop a protocol in case the sanctions get worse. Theoretically, it’s possible that global services that deal with domain names or IP addresses will cut Russia off.
Naturally, it’ll be chaos at the start, but in a few days we’ll build our own RuNet. Just like in North Korea.’
This article has been republished from opendemocracy.net.