Full Report
Senior researcher Ksenia Ermoshina spoke to the New York Times about how Russians may start acquiescing to the limits imposed by state censorship. The post A Cat-and-Mouse Game of Russian Internet Restrictions and Evasion appeared first on The Citizen Lab.
Analysis Summary
# Regulation/Compliance: Russian Sovereign Internet Law & State Censorship Mandates
## Overview
This compliance profile addresses the Russian government's escalating legal and technical mandates designed to centralize control over the domestic internet (Runet). Under the guise of national security and "sovereign internet," these regulations require the implementation of Deep Packet Inspection (DPI) technology to filter content, block prohibited applications/websites, and dictate the flow of mobile and broadband data.
## Key Details
- **Issuing Authority:** Roskomnadzor (Federal Service for Supervision of Communications, Information Technology and Mass Media)
- **Effective Date:** Primary legislation (Sovereign Internet Law) effective Nov 2019; ongoing escalations through 2024-2026.
- **Jurisdiction:** Russian Federation (Geographic)
- **Status:** In Effect (with active enforcement and technological evolution).
## Requirements
### Mandatory Requirements
1. **TSPU Installation:** ISPs must install "Technical Means of Countering Threats" (TSPU)—specialized DPI equipment provided and controlled directly by Roskomnadzor.
2. **DNS Centralization:** Usage of the National Domain Name System (MSDNS) to ensure resolution remains within state control.
3. **App/Site Blocking:** Immediate compliance with the centralized registry of prohibited websites.
4. **Data Localization:** Storage of personal data of Russian citizens on physical servers located within the Russian Federation.
5. **VPN Restrictions:** Prohibition of VPN services that do not comply with the state’s blacklist of prohibited resources.
### Recommended Practices
1. **Redundancy Planning:** For businesses, maintaining localized offline versions of critical operational data.
2. **Platform Migration:** Transitioning corporate communications to state-approved or "locally compliant" platforms (e.g., VK, Telegram where compliant) to avoid sudden service outages.
## Affected Organizations
- **Industries:** Telecommunications, Internet Service Providers (ISPs), Tech Platforms, E-commerce, and any entity processing citizen data.
- **Organization Size:** All sizes, though ISPs bear the primary technical burden.
- **Geographic Scope:** Any entity operating within or providing digital services to the Russian Federation.
## Compliance Timeline
- **Nov 2019:** Sovereign Internet Law takes effect; initial TSPU rollout.
- **2021-2024:** Mandatory DPI/TSPU installation expanded to major mobile and broadband nodes.
- **2025-2026 (Active Phase):** Escalated throttling of Western platforms (YouTube, WhatsApp) and systematic shutdown of mobile data during "unstable" periods.
## Implementation Guidance
### Assessment Phase
- Audit all external dependencies (APIs, Cloud Storage, SaaS) located outside of the local jurisdiction.
- Map data flows to identify cross-border transfers that violate localization laws.
### Implementation Phase
- Deploy mandated TSPU hardware if operating as a licensed ISP.
- Implement traffic routing through state-controlled exchange points.
- Integrate with Roskomnadzor’s automated blocking systems.
### Validation Phase
- Connectivity testing during government-mandated "Internet drills" (periodic isolation tests).
- Regular audits of DNS settings to ensure alignment with the National DNS.
## Technical Requirements
- **DPI (Deep Packet Inspection):** Granular traffic analysis to identify and throttle specific protocols (e.g., VPN protocols like OpenVPN, WireGuard).
- **Traffic Shaping:** Ability to degrade connection speeds for non-compliant platforms.
- **Regional Kill-switches:** Capability for the state to disable mobile internet in specific geographic coordinates during civil unrest.
## Penalties & Enforcement
- **Fines:** Significant administrative fines for ISPs failing to route traffic through TSPU.
- **Other Consequences:** Immediate blocking of services; revocation of operator licenses; criminal liability for executives in extreme cases of non-compliance.
- **Enforcement:** Direct remote control of ISP traffic by Roskomnadzor via the TSPU.
## Related Standards
- **NIST/ISO Alignment:** Directly conflicts with ISO 27001 principles regarding availability and NIST frameworks regarding the "Open, Interoperable, Secure Internet."
- **ITU-T:** Alignment with specific state-led standards for "internet sovereignty."
## Resources
- Official Documentation: [hXXps://rkn[.]gov[.]ru/] (Defanged)
- Research Analysis: [hXXps://citizenlab[.]ca/research/the-architecture-of-digital-repression/] (Citizen Lab Research)
## Practical Recommendations
1. **Resilience Strategy:** Organizations operating in this region must expect "chilling effects" where users migrate to less secure but "available" state-approved apps.
2. **Security vs. Availability:** Cybersecurity specialists must warn users that "what works" (state-sanctioned apps) likely compromises end-to-end encryption and privacy.
3. **Connectivity Audits:** Frequently test the accessibility of corporate VPNs and internal tools against the evolving DPI filters.