In countries where internet access faces restrictions, from general government censorship through to more limited site-blocking programs to protect copyright, citizens have grown comfortable with the use of VPNs.
In Russia, where the government censors certain material and has an anti-piracy site-blocking regime on top, around 20% of the internet population regularly use VPNs.
While accessing blocked websites and communicating in relative privacy is now fairly common, the government would like sites carrying “illegal information” to remain inaccessible. But after endless legal tweaks, advice, orders, and confused messaging that mostly contradicts reality on the ground, Russians may be a little confused by now.
New Law Isn’t a VPN Ban, Illegal VPNs Are Already Banned
Sites blocked by the government, whether they’re pirate sites or those branded extremist by the state, are blocked for good reasons, authorities insist. Facebook and Instagram, for example, are both blocked for being extremist platforms, so when people use VPNs to undermine blocking, they put themselves at risk.
Given that over the years Russians have grown fond of their VPNs, the government hasn’t immediately spoiled things by simply taking them away. Instead, authorities determine the quality and security of a VPN provider based on its operator’s willingness to cooperate with the government. On the other hand, less cooperative overseas VPN providers with a presence in Russia, are known to suddenly experience connectivity issues.
Faced with an untenable situation, some VPNs threw in the towel and never looked back. When new legislation compelled VPNs to register with the government, and leave the ‘back door’ open in case officials needed to call round for a coffee, almost all reputable overseas providers chose privacy over certification and began to leave. Meanwhile, local VPN companies with official approval found themselves declared legal, while those without certification were legally unable to do business.
That line in the sand now allows the government to identify safe, legal services; all are registered with the state, they enjoy coffee, and would never dream of undermining state censorship. Obviously unsafe and most probably dangerous, illegal VPN providers are not registered, enjoy privacy, and want to help users to circumvent site-blocking. As a result, 167 unregistered VPN providers and 200 email providers were blocked according to a report last October.
VPNs Still Available, Time For More Action
Providing a service to unblock blocked internet resources has been illegal in Russia since February 2020, but judging by the volume of VPNs still available for Android and iOS devices, not everyone got the memo.
In the wake of Russia’s invasion of Ukraine, imposition of sanctions prompted the Kremlin to step up imports via the back door while simultaneously winding up the drawbridge on some Western tech platforms. With Google Play and Apple’s App Store less useful than before, Russia launched its own variant, RuStore, which at last count was also offering VPNs to the masses, in large numbers and mostly without hindrance.
VPNs capable of tunneling to the nearest pirate site or accessing the extremists of Instagram, remain popular in Russia. Advertising and recommendations help to quickly spread the news but for Moscow, that’s unacceptable and needs to change.
In the summer of 2023, a new phase of the Kremlin’s plan was made public. With the introduction of yet more new law, posting information online that amounts to promotion or advice on how to use VPNs, Tor, or similar tools, for the purposes of circumventing blocking, was about to become a criminal offense.
Promotion of Unblocking Tools Illegal From Today
From today, publishing information about tools that undermine blocking in Russia, including ads for VPN services with circumvention capability, is a criminal offense punishable by fines of up to four million rubles (US$43,840). Roscomnadzor says the law won’t target the general public, but there are few bright lines to differentiate sellers online.
Other enforcement measures available to the telecoms regulator include blocking any offending materials in the same way blocking is carried out against other content. Roscomnadzor will also attempt to purge search engine results mentioning VPN providers that are blocked already in Russia or otherwise found to be illegal. The latter group could be sizeable since any unblocking-capable provider without a government issued license is automatically considered illegal.
And VPN PSYOPs, obviously
In April 2023, a series of PSAs appeared in Russia hoping to scare the masses away from VPNs by their own free will. The video shorts majored on data leaks, blackmail, threat to personal information, plus a seemingly psychic man who understood everything about his partner on their first date, purely because she used a VPN.
That campaign was put together by ROCIT, the government-funded Center for Internet Technologies. Right on cue, ROCIT conducted some new research on VPNs recently, the results of which are published on its website (Russian, pdf). They’re a little puzzling, let’s put it that way.
“[RCOIT] conducted a study of VPN services in terms of the content of their data processing policies and applicable processing laws in the country of registration of the owner company,” ROCIT’s conclusions begin.
“Despite restrictions, regular data leaks and risks, a significant proportion of Russians continue to use VPN services,” ROCIT adds, noting that over one-in-five Russians use a VPN while 40% believe they’re unsafe.
The providers studied by ROCIT read as follows: Lantern VPN, Psiphon, Safe Connect VPN, Tunnel Bear VPN, Proton VPN, AdGuard VPN, Express VPN, VPN Proxy Master, Surfshark, Cloudflare’s 1.1.1.1 +Warp Hide.me VPN and VPN – Super Unlimited Proxy.
Other than their names, no further information is provided about the assessment of the providers, with the same going for the study itself. Nevertheless, ROCIT reached the following conclusions:
VPN services, as a rule, operate with a standard set of data for online services: account information, user IP address, payment information, information about the user’s device, and so on.
In addition, VPN services for the most part do not recognize at the policy level the receipt of data about the resources visited by a specific user. Statistical and analytical data, such as the volume of data transferred, may also be collected. However, some services may collect location data.
The study also notes that the jurisdiction that provides the least guarantees for users is the United States, and the most protected from a legal point of view is the personal data of users in Switzerland. The United States has the Foreign Intelligence Surveillance Act (FISA), which allows surveillance of non-US citizens.
In addition, US Executive Order No. 12333 applies, which allows the interception of data transmitted through the States. And the Stored Communications Act allows law enforcement agencies to obtain data stored by operators based on court orders
It’s hard to say whether users of VPN – Super Unlimited Proxy factored in the above when developing their threat model, but they’re on notice now and there are millions of them.
For its part, Roscomnadzor seemed a little short on ideas, eventually concluding that criminals can use VPNs to carry out crimes.
