The Kremlin implemented new online filtering protocols that could result in widespread government monitoring of web traffic.
Signed into law by Vladimir Putin on July 28, the internet-filtering measure contains a single, innocuous-sounding paragraph that allows those compiling the Register to draw on court decisions relating to the banning of websites.
The new system allows ISPs not only to filter traffic, but to monitor it on a nationwide scale.
The principle of internet censorship is not a new one to the Russian authorities. For five years, regional prosecutors have been busy implementing regional court decisions requiring providers to block access to banned sites. To date this has not been done systematically: Sites blocked in one region remained accessible in others. The Register removes this problem.
The Kremlin’s new “Single Register” of banned websites, which goes into effect today, will wind up blocking all kinds of online political speech.
And, thanks to the spread of new internet-monitoring technologies, the Register could well become a tool for spying on millions of Russians.
The new system is modeled on the one that is used to block extremist and terrorist bank accounts. The Roskomnadzor (the Agency for the Supervision of Information Technology, Communications and Mass Media) gathers not only court decisions to outlaw sites or pages, but also data submitted by three government agencies: the Interior Ministry, the Federal Antidrug Agency and the Federal Service for the Supervision of Consumer Rights and Public Welfare. The Agency is in charge of compiling and updating the Register, and also of instructing the host providers to remove the URLs. If no action by the provider follows, the internet service providers (ISPs) should block access to the site in 24 hours. The host providers must also ensure they are not in breach of current law by checking their content against the database of outlawed sites and URLs published in a special password-protected online version of the Register open only to webhosters and ISPs.
Most importantly, however, the new Roskomnadzor system introduces DPI (deep packet inspection) on a nationwide scale. Although DPI is not mentioned in the law, the Ministry of Communications — along with the biggest internet corporations active in Russia — concluded in August that the only way to implement the law was through deep packet inspection.
“At the end of August, under the chairmanship of Communications minister Nikolai Nikiforov, a working group was held, drawing representatives of Google, SUP Media (the owner of the Livejournal social network), and of all the other big hitters. They discussed how to ensure that the [filtering] mechanism — they used the concrete example of YouTube — how to block a specific video, without blocking YouTube as a whole. And they reached the conclusion that pleased them all,” Ilya Ponomarev, a member of the State Duma and an ardent supporter of the law, told us.
This is far from the first time protecting children has been invoked in support of laws requiring a significant online surveillance, just last year the U.S. House considered the Protecting Children from Internet Pornographers Act of 2011, which would have mandated internet service providers (ISPs) to maintain records of everything you do on the Internet every year, and give the government access to the data without a warrant under the same pretenses. The evolution of the Russian law should make American citizens thankful the U.S. legislation failed: While it originated as a blocking mechanism for obscene content, since passage, Russian courts have said the measure can be used to ban political extremism and critics of President Vladimir Putin’s regime and the Ministry of Communications concluded Deep Packet Inspection (DPI) is the only way to implement it. DPI is a method of data processing involving looking at the details of the packets sent across networks to determine how to process or reroute the information. Logistically, this will require Russia’s ISPs to maintain detailed records of user traffic and would allow the Russian government a potential backdoor into the private lives of Russia’s internet users. As Eric King, head of research at Privacy International explained to Wired, this has some very troubling implications:
“No Western democracy has yet implemented a dragnet black-box DPI surveillance system due to the crushing effect it would have on free speech and privacy… DPI allows the state to peer into everyone’s internet traffic and read, copy or even modify e-mails and webpages: We now know that such techniques were deployed in pre-revolutionary Tunisia. It can also compromise critical circumvention tools, tools that help citizens evade authoritarian internet controls in countries like Iran and China.” All of this makes DPI sound sinister, and it can be: the late Libyan leader Muammar Qaddafi used DPI to track online dissent in Libya, and has proven a cost effective way for totalitarian regimes to censor and target political opposition. Although, there are legitimate uses — particularly in network protection — most internet freedom advocates are against large scale implementation due to the damage potential abuse would for freedom of speech and privacy rights, especially in nations with poor track records on human rights issues (such as Russia).
However, most ISPs are already keeping tabs on what their subscribers are generally up to online and have the ability to use DPI on case by case basis — and as with much of the technology interacting with personal details, the questions of who has access to what breakdown of information, under what conditions, and with what safeguards to prevent abuse are critical to their responsible use. Even in countries with more respectable track records on these issues than Russia, DPI can cause considerable controversy, such as when it was proposed as part of new cybersecurity protocols in the United Kingdom. Depending on how Russia’s mandated DPI processing is implemented and utilized, it may serve as a cautionary tale not only about how the justifications for legislation don’t represent their actual applications, but how structured surveillance can stifle the free flow of ideas online.
“No Western democracy has yet implemented a dragnet black-box DPI surveillance system due to the crushing effect it would have on free speech and privacy,” said Eric King, head of research at Privacy International. “DPI allows the state to peer into everyone’s internet traffic and read, copy or even modify e-mails and webpages: We now know that such techniques were deployed in pre-revolutionary Tunisia. It can also compromise critical circumvention tools, tools that help citizens evade authoritarian internet controls in countries like Iran and China.”
“There are basically two functions in DPI — filtering and SORM,” added IBM East Europe Business Development Director Boris Poddubny, referring to the Russian government surveillance system for monitoring both internet traffic and phone calls. “There may be devices to copy traffic. DPI helps analyze it. And there will be a detailed log: what is downloaded by whom, and who looked for what on the internet.”