Last summer the Russian parliament passed amendments to the federal law “On Information, Information Technologies and Protection of Information”. The new provisions regulate tools that access the internet on a user’s behalf hiding their identifying information, such as VPNs and anonymisers, as part of a strong commitment to prevent internet users from bypassing the government block.
By way of illustration, in November 2016 LinkedIn was blocked in Russia because the company failed to comply with a new law on personal data. Namely, LinkedIn was unable to store Russian users’ personal data on servers based in Russia, as required by the law. The number of LinkedIn users in Russia decreased from 2.5 million in November 2016 to 1 million one year later. Presumably, they are accessing the blocked social network with VPNs.
Under the new amendments, the Russian Federal Service for Supervision of Communications, IT and Mass Media (Roskomnadzor) has developed the federal data system of information resources and networks with information on all web resources, anonymisers and VPNs permanently blocked in Russia. The federal data system was developed especially for VPN services and anonymisers to provide them with a list of ‘illicit’ web resources. As soon as the Russian Ministry of Internal Affairs or the Federal Security Service detect that any VPN service or anonymiser (no matter where they are based) provides access to web-resources listed in the federal data system, they inform Roskomnadzor accordingly. Then Roskomnadzor sends an official notification (both in Russian and English) to the VPN service/anonymiser. This notification would inform the private network, that granting access to these webpages infringes Russian laws and proposes that the addressee cooperates and blocks access for Russian users to all ‘illicit’ web resources. If a VPN service/anonymiser cooperates, it should access the federal data system within 30 days. Then, it should block access for Russian users for all ‘illicit’ web resources within a further three days.
If a VPN service/anonymiser ignores Roskomnadzor’s notification, or does not comply fully with the law, then access to that private network (or anonymiser) would be blocked in Russia by internet service providers. If the private network subsequently decides to cooperate and carries out all the actions required by the new law, it would be immediately unblocked. However, the new rules will not necessarily apply to corporate VPN services/anonymisers. Such networks, by definition, have limited access to employees only, therefore Roskomnadzor has no intention to regulate them.
According to Roskomnadzor, Russian based Mail.Ru Group, Yandex, Kaspersky Lab, and Opera Software ASA (primarily known for its browser which features a pre installed VPN service) cooperated and participated in a test of the Federal data system. A couple of VPN services also confirmed that they are going to join the programme and access the data system as soon as they receive an invitation from Roskomnadzor.
Will the new rules work? The new provisions will at least make it more difficult for an ordinary user to access ‘illicit’ web resources. On the other hand, there is no doubt that any web resource can still be accessed by a user who really wants to access it, and knows what they are doing. As a postscript to the above, Opera VPN, which cooperates with Roskomnadzor, still provides an access to the pirate platform rutracker.org, banned in Russia almost two years ago.