This is the first in a series of updates on Russian Internet regulation where we’ll be bringing you a brief overview of the most pertinent digital policies currently being proposed, debated and implemented in Russia. While we’re not aiming to give a complete overview of all of the existing legislation, we’ll be covering those provisions and trends most likely to impact, and so be of interest to, the RIPE Community.
If there’s an overarching trend in recent Russian regulatory developments, it’s the focus on digital sovereignty and the demand for more local knowledge and control over the Internet infrastructure and data.
Legislative proposal on banning “masking web-protocols” (TLS 1.3, DoT, DoH...)
On 21 September 2020, the Ministry of Digital Development, Telecom and Mass Communications introduced a new legislative proposal to ban the use of encryption protocols that effectively secure and mask DNS queries – such as DNS Over TLS (DoT) and DNS Over HTTPS (DoH). Motivating this proposal is the concern that users may be able to access content that is blocked in Russia by using these protocols.
According to the proposal, there would be a requirement to block any Internet resource using such protocols within one working day of finding out that these protocols were in use. How exactly this blocking might be done has not been specified, but other existing legislation for illegal content blocking allows for a broad spectrum of methods, ranging from blocking specific URLs all the way to blocking entire IP address ranges that host the service. It is also unclear from the text of the proposal what is included under “Internet resource”. The term itself is usually used to describe websites, but the listed protocols can also be used, for example, by a browser.
The Minister commented on the proposal, saying that while it is obvious that DNS encryption protocols have certain advantages, it is also clear that they can be used to bypass the established content-blocking and parental control mechanisms. He also called for a compromise to be found between public and private interests.
The bill was published for public comments (deadline was 5 October 2020). The RIPE NCC took part in an industry consultation meeting which presented a document with comments from the industry. The industry has voiced concerns, for instance that direct implementation of the initiative might effectively lead to a ban on encrypted traffic.
The initiative follows the planned Internet security drills, which took place earlier in 2020 and were used to train for blocking DoT and DoH traffic. Such drills are conducted regularly with the participation of major ISPs (see more on this below).
Sovereign Internet Bill
Federal Law #90 (1 May 2019) aims to expand knowledge and increase control over local Internet infrastructure, including establishing new means for blocking illegal content.
According to the law, all ISPs, owners of technical networks, AS holders, IXPs and owners of communication lines crossing the national border must install special equipment on their networks to be provided by the regulator. That equipment will be used to block illegal and forbidden content.
In case of an emerging threat to the integrity, security or resilience of the local segment of the Internet, the regulator is authorised to manage traffic routing directly or to provide obligatory routing policies to ISPs, AS holders, etc.
Operators, ISPs, owners of technical networks, AS holders, IXPs, and owners of communication lines crossing the national border must report their ASNs and respective IP addresses, routing policies, local and foreign network infrastructure, and so on, to the regulator.
IXPs are required to register with the regulator and follow regulatory rules, including rules regarding their resiliency and the stability of their operations. ISPs need to peer only via officially registered IXPs or via direct peering, which has to be reported. IXPs must not let clients connect to their network if they are not fulfilling the provisions of the law.
Additionally, the National Domain Name System – characterised as a “complex/combination of interconnected software and technical means used to store and provide information about network addresses and domain names” – has been established. The aim of the system is to ensure that local connectivity and reachability of web resources remain intact if foreign DNS infrastructure becomes unavailable. It must be updated no less than once every 24 hours to ensure that it contains up-to-date information about domain names and respective IP addresses.
The law also formalises Internet security drills, which will be hosted regularly with participation being obligatory for ISPs and operators. One of the drills scheduled for early 2020 was intended to train systems to block DoT and DoH traffic, as mentioned above. There were four drills planned for 2020 in total, but because of COVID-19 none have yet taken place.
The local database of all Internet resources is currently being compiled, with all ASN holders receiving requests from the regulator to report the above-mentioned data about their resources and infrastructure. It has been officially noted by Russian government officials that the law is aimed at establishing more security and resilience of a “Russian segment of Internet”.
Federal Law #374 (6 June 2016), part of the so-called 'Anti-Terrorism Bill', included new regulation on legal interception and Internet data collection. It has expanded what data needs to be stored and how. The law is not new, but part of its implementation is being postponed due to COVID-19 and its economic impact on the industry.
According to the law, all metadata about packets being sent, received, delivered, or processed, as well as respective information about users, must be stored for one year by Internet companies or for three years by licensed telecommunications operators.
Internet companies and operators must store content (all voice, images, texts, audio, video and any other type of information) for six months from when it was sent, received, delivered or processed.
Since traffic volumes are growing rapidly, operators must increase their storage capacity by 15% annually for the five years after data storage equipment has been installed. If packets are encrypted, then decryption methods and information must be provided to law enforcement agencies (the blocking of Telegram was based on that provision).
All of the mentioned data needs to be stored using locally certified data storage equipment, and law enforcement must be granted direct access to that information.
The Russian government has made several postponements to the date when the collection and storage of data needs to begin, and to the deadline for the storage capacity increase. The industry is asking for a deadline postponement because of the economic impacts of COVID-19 and the size of the investment needed to deploy data storage equipment in full accordance with the law.
Did you find this update useful? Does RU regulation affect your work or operations? Please share your comments or questions below! And if you'd like to stay up to date on these and other government and regulation topics, consider joining the RIPE Cooperation Working Group Mailing List.