Russian Authorities Powerless Against VPNs

The law banning the circumvention of internet blocks via VPNs came into effect in Russia on November 1, 2017. According to this law, the FSB and other law enforcement agencies determine which services must block access to websites prohibited in Russia. However, as many internet experts predicted, things did not go as planned.

A spokesperson for Roskomnadzor reported that, to date, the agency has not sent any requests to VPN services or anonymizers to block user access to sites listed in the registry of banned information. According to Federal Law 276-FZ, the FSB and other agencies conducting operational investigative activities (ORD) are responsible for identifying which services must block access to prohibited sites.

As of today, a Roskomnadzor employee admitted that law enforcement agencies have not sent the supervisory authority any documents requiring VPN services or anonymizers to comply with Federal Law 276-FZ:

“As of today, there have been no requests from ORD participants or state security agencies regarding anonymizers and VPN services.”

Even during the law’s adoption, experts warned it might not work. Roskomnadzor lacks leverage over most VPN services, and it cannot block them for non-compliance either—there are no technical solutions for this, explained Karen Kazaryan, an analyst at the Russian Association for Electronic Communications (RAEC).

Internet ombudsman Dmitry Marinichev previously called the law “madness” and doubted its feasibility, since it is impossible to distinguish between VPNs used for commercial purposes and those used to bypass internet blocks.

The Association of European Businesses (AEB), which includes Air France, Citibank, Volvo Cars, Deutsche Bank, Nokia, and several hundred other European companies, also expressed concern about the law in late October 2017, as many companies use VPNs in their corporate networks.

The law describes a specific procedure for initiating cooperation with VPN services and other proxy or anonymizing systems. Roskomnadzor does not have the right to initiate this process on its own; it must receive instructions for each specific service from government agencies conducting ORD (FSB, Ministry of Internal Affairs, Federal Protective Service, and other security agencies). Only after this does Roskomnadzor begin to search for and contact the hosting provider of the service, then the service itself, which is given 30 working days to connect to the registry of banned sites. If the service refuses, the agency initiates the process of blocking the service itself for refusing to filter traffic for Russian users. Technically, Roskomnadzor can add websites, technical domains, and IP addresses of VPN services to the registry, but the effectiveness of this approach is questionable, as shown by ongoing attempts to restrict access to messengers like Zello and Line, which Russian users continue to use despite bans.

According to Sarkis Darbinyan, lead lawyer at RosKomSvoboda, Roskomnadzor has not yet prepared regulations clarifying the difference between personal and corporate VPN services:

“The law states that it does not apply to corporate VPN networks, but there is currently no way to distinguish them from services used for personal needs. It’s possible that the first blocks will ultimately affect the commercial and banking sectors.”

So far, only Russian VPN and anonymizer services have expressed willingness to cooperate with Russian authorities, which is expected since they may face certain pressures. Many foreign services, however, have stated from the outset that they will not comply with Russian law and continue to hold this position. In the first days after the VPN regulation law took effect, seven such companies made their stance clear:

• TorGuard
• PrivateVPN
• GoldenFrog (creator of VyprVPN)
• Tunnelbear
• Zenmate
• TgVPN
• ExpressVPN

In response to user comments, the service Browsec indirectly confirmed that complying with 276-FZ is not part of its plans. ExpressVPN and PrivateVPN once again demonstrated their commitment to protecting users, and CactusVPN shared the same view, stating: “We have always supported freedom of speech and the right to free access to information and privacy online, and we condemn any actions aimed at restricting these rights in Russia or any other country.”