Russian Internet regulation has a relatively long history, with most changes having taken place in the last 10 years. In 2018, the so-called "Sovereign Internet" regulation was proposed. But only in 2021 did it really start to touch on Internet name and number resources. This article is about what such regulation means for the Russian Internet and how it could affect the rest of the Internet.
The Internet was first formalised in Russian legal space as the Public Services Telecommunication Network along with “telephony”. But until 2012 it was not described in regulation as “the Internet”. Instead, the related regulation used the term “data transmission” or the trendy 90s phrase “services télématiques”. (It's not just the RIPE founders who adored French words).
Telephony-style regulations were not harmful for operators, as there were no documents from ITU to regulate the Internet. The only difficulties came from collecting documents set for licensing and lawful intercept; aka the 'System for Operative Investigative Activities' (SORM).
Information control and regulation
In 2010, the number of Internet users in Russia started approaching daily audience numbers for the 'first' TV channel (Channel One Russia). It was at this time that officials started to realise the power of the Internet, as well as the potential dangers. Ideas about controlling the information spread via the Internet became a reality soon after. Also, protests were rising in relation to unfair parliamentary elections in 2011.
Officially, censorship is prohibited by the constitution, so only a few kinds of information could initially be restricted. This included information deemed “harmful for children”. So the first regulations were made in the name of “protecting children” and content blocking was implemented. Over time, other kinds of information to be restricted were added: i.e., copyright violations, terrorism propaganda, and so on up to poaching. Information about something illegal or illicit could also be considered illegal, such as Wikipedia pages about drugs.
More information flow controls were also added. More SORM - bulk wiretapping, traffic storage, obligatory identifications for WiFi or messaging services users. Each of these regulations is worth an article, explaining the official and real motivations, failed attempts, and consequent law practice.
A few things need to be said about these waves of regulation:
- They are not effective for the purposes declared: no decline in harm to children, drug crimes, financial crimes, or terrorist activity is reported
- They are not effective for the purposes not declared: for example, the first blocked “terrorists” were opposition leaders Kasparov and Navalny, but blocking has not stopped them from working and spreading information harmful for the regime
- The ineffectiveness of regulatory measures led to more of the same, like adding more regulatory subjects (news aggregators, search engines, VPN operators, bloggers, social networks,...), more penalties, or more doubtfully realisable responsibilities
- All regulation is written in very bureaucratic Russian language, not using common terminology
- All regulations are technical, even intention is to regulate information spread, because licensed operators and other subjects of regulations are here, have bank accounts and infrastructure and can be pressurised
- Most regulations that are harmful to Internet infrastructure are hidden in ministerial and regulator instructions so is not seen by lawyers and human rights protectors in the beginning of discussion
- Most of the regulations are ambiguous and so open to interpretation
The ineffectiveness of previous regulations and the continuous rise of protests led to another regulatory wave called “Sovereign Internet”. Officially, it was not called this. Rather, the relevant set of laws somehow came to be called “Federal laws introducing amendments to some legal acts”. I will not use such names here, and for official institutions I will also use public nicknames, otherwise this article would become completely unreadable.
“Sovereign Internet” regulation was a bit of a surprise. It popped up in parliament unexpectedly given all previous trends and, for the first time, contained relatively correct common terminology. The intention was to ensure Russian sustainability and security.
In short, it put obligations on new regulatory subjects; e.g., AS number holders, TLD and IXP operators. As a formal framework, it puts ASNs, IP addresses, and DNS into the regulatory space, placing obligations on holders of resources (“owners” in the language of the law; e.g. “Owner of the Number of the Autonomous System”) and introducing a number of registries and reports. As with other “patches” to existing Telecommunications and Information laws, a number of bylaws had to be created.
Public motivation behind this law appears to be completely different from what the associated bylaws (which we turn to next) are trying to achieve. Another example of false motivation here is the promise not to spend money from the federal budget for the application of this law. This allows approval from the Ministry of Economics to be skipped. And yet later we have seen such spendings.
An overview of bylaws, orders, instructions
Achieving real regulation of Internet number resources took more than two years, because bylaws, orders, and instructions on four different levels had to be created. Each subsequent bylaw had to be created in no more than half a year, but they require time to take force. So from law to the appearance of instructions specifying exactly what needed to be done with names and number resources, it took a little more than two years.
More than ten Government decrees on:
- Creation of the Center for Monitoring And Control of Public Services Telecommunication Network
- Extending powers of Ministry and Regulator
- Trainings on “sustainable, secure and complete functioning of” PSTN (Public Services Telecommunication Network - not just Telephony)
- Centralised control of PSTN
- “Technical Means for Countering Threats”
- LEA Cooperation for Owners of the Number of AS
- Creation Register of Internet Exchanges
Some government decrees already have been canceled or recreated due to running the “easing of regulations reform”.
A number of Telecom Ministry decrees on:
- Schedule on “Internet disconnection trainings”
- Number of “requirements” to “Owners of the Number of AS owning Technological Network”
RosKomNadzor (regulator) orders on:
- National Domains Name System operations and TLDs belonging to it
- Operations of Center for Monitoring and Control of the PSTN
- Reporting requirements for Owners of the Number of AS
- Verification and submission of information
- LEA interaction
- IXP operations
- Traffic localisation
I will skip IXP regulation, disconnection trainings and Special Means for Countering Threats as things here are especially unclear. Let's move on instead to number and name resources.
The newly created Center for Monitoring and Control of the PSTN (CMC PSTN) issued the following instructions related to number resources:
- To extend three RKN orders (47 pages total) 430 pages were issued on 6 sets of instructions (+xml schemas)
- Reporting connected operators, IXPs, their owners, connectivity lines, interconnection parameters, you name it…
- CMC PSTN instructions on registering for Address-Number Resources (RANR) via RKN service portal (54 pages)
- Reporting as-set, aut-num, inet6num, inetnum, mntner, organization, person, role, route, route6
- Possible import via whois from RIR database is also possible
- (Not import/export attributes of aut-num (yet?))
- Information System of CMC PSTN
- Obligation to connect to this Information system (only 7 page instruction) from all border routers
- BGP feed (only feed to)
- SNMP (v2 preferred)
- Netflow feed
- IP addresses of routers and protocol parameters have to be filled in .XLSX file sent to CMC PSTN
- Obligation to connect to this Information system (only 7 page instruction) from all border routers
Unlike all other federal normative acts, instructions from CMC PSTN were not published in advance nor discussed before being approved and put into force.
National Domain Name System
With regards the National Domain Name System (NDNS), CMC PSTN instructions (only 5 pages) were released on how to set up recursive, forwarders or root DNS servers:
According to these instructions, IP addresses belong to MSK-IX infrastructure, as long as one of approving signatures belong to MSK-IX staff member. IP addresses in BGP/SNMP/Netwlow instructions belong to datacenter, which is known to be formal parent of MSK-IX.
Additions to the Administrative Offences Code
But that’s not all. To enforce all this, additions have also been made to the Administrative Offences Code. In particular, to chapter 13 on “Violations of telecommunicatins regulations”. These additions are as follows:
- 13.42 violations in operation of Technical Means for Countering Threats
- 13.43 violations in IXP operation and usage of registered IXPs
- 13.44 violations of use of National Domain Name System
- 13.45 violations of Centralized Control of PSTN
- 13.46 violations of cooperation with LEAs
The first court cases have already been observed for articles 13.45 for non-reporting, 13.44 for non-usage of NDNS, some cases - non-exclusive usage of NDNS. Most companies held accountable are nothing to do with the telecommunication business, but are education institutions or mid-sized businesses with ASes who suddenly find themselves in the heart of Internet regulation.
In this Code, definitions of regulated subjects were loosened. So it's not “Owner of the Number of the AS”, but “set of network equipment with unique identifier”, which can extend the responsibilities to any IP address or domain name holders.
More to come
And there's more “Sovereign Internet” to come. These further topics are only kind of mentioned in the law, but there are still no bylaws and lower level regulation:
- Acceptance of the routing commands
- Validation of reported data
- “Internet disconnection” trainings quarterly
- Interconnection only for “properly reported” operators and IXes
Presenting this new law in 2019 at RIPE 79, my main thoughts were about the legal possibility of interference in BGP routing, like injecting fake Facebook or Twitter paths for performing effective platform level censorship without the need to burn energy on operators DPI or Technical Means for Countering Threats. But this possibility still has not been implemented, while route collecting BGP session have to be established.
Such sophisticated regulation raises a lot of concerns:
- Actual sovereignisation is done at the lowest level by non-public documents
- Not observed by lawyers, rights defenders, international community on the one hand, and laws discussion is irrelevant to network and DNS administrators on the other
- No more “one world one Internet”, Internet standards broken
- Bad regulatory example
- Any criticism by external Internet Governance becomes a rationale for more sovereignisation.
All the information above is, I think, really important for the RIPE community, mostly because the Russian Federation has become a bad example of Internet regulation, where proposals are made in a form that doesn't allow for a clear understanding of consequences.
But there are also practical concerns, related to compliance of non-Russian operators:
- Root server operators (including RIPE NCC): how are you going to operate in Russia?
- Content providers, caches, CDNs?
- Foreign IXPs who need to register in Russia to avoid punishment to Russian operators?
I’m finishing this article on the 25th of March, a month after the start of the “Special Military Operation” by Russian regime. And all the measures I have listed here appear to be ineffective to stop the flow of information considered undesirable by the regime. Facebook and Twitter are already blocked. Facebook and Instagram considered to be "extremist activities" of Meta inc. Technical Means for countering threats are not working as effectively as expected, and dependency on the global Internet cannot be repelled fast.
We are expecting more and more waves of Internet regulation in Russia. If the Internet even stays relevant on Earth…