Today, Russia took another step in its ongoing crackdown on VPNs and similar technologies. However, contrary to some reports, the changes implemented today do not equate to a blanket ban on VPNs. The use of state-approved VPNs, which offer all functionalities except those deemed useful, remains legal. The new legislation criminalizes the promotion of VPNs to circumvent site blocking. Interestingly, Russia also wants its citizens to stay safe, issuing a warning that U.S. VPNs are susceptible to government surveillance.
VPN Usage in Countries with Internet Restrictions
In nations where internet access is subject to restrictions, ranging from broad government censorship to more specific site-blocking programs designed to protect copyright, citizens have become accustomed to using VPNs.
In Russia, where the government censors certain content and has implemented an anti-piracy site-blocking system, approximately 20% of the internet population regularly uses VPNs.
While accessing blocked websites and communicating with a degree of privacy has become fairly commonplace, the government prefers sites containing “illegal information” to remain out of reach. However, after a series of legal adjustments, advice, orders, and mixed messages often contradict the actual situation.
New Legislation: Not a VPN Ban, but a Ban on Illegal VPNs
The government insists that sites blocked by them, whether they are pirate sites or those labeled extremist by the state, are blocked for valid reasons. For instance, Facebook and Instagram are both blocked for being extremist platforms. Therefore, when individuals use VPNs to bypass these blocks, they are potentially putting themselves in danger.
Over the years, Russians have developed a liking for their VPNs. The government, recognizing this, has not abruptly taken them away. Instead, the authorities assess the quality and security of a VPN provider based on the operator’s willingness to cooperate with the government. Conversely, less cooperative foreign VPN providers operating in Russia are known to experience sudden connectivity issues.
Confronted with this untenable situation, some VPNs have decided to withdraw and not return. When new laws required VPNs to register with the government and leave a ‘back door’ open for officials to drop by for a coffee, almost all reputable foreign providers chose privacy over certification and began to exit. Meanwhile, local VPN companies that received official approval found themselves declared legal, while those without certification were legally prohibited from operating.
These rules now enable the government to identify safe, legal services. All registered services are state-approved, open to official visits, and would never consider undermining state censorship. In contrast, unregistered VPN providers, which are likely unsafe and potentially dangerous, value privacy and aim to assist users in bypassing site blocking. Consequently, 167 unregistered VPN providers and 200 email providers were blocked, as reported last October.
VPNs Remain Accessible, Calls for Further Measures
Although offering a service to unblock restricted internet resources has been illegal in Russia since February 2020, a significant number of VPNs remain available for Android and iOS devices.
In response to Russia’s invasion of Ukraine and the subsequent imposition of sanctions, the Kremlin has increased imports via unofficial channels while simultaneously restricting access to some Western tech platforms. With Google Play and Apple’s App Store becoming less useful, Russia introduced its alternative, RuStore, which, at last count, was also providing a large number of VPNs to the public without much restriction.
VPNs that can tunnel to the nearest pirate site or access the so-called extremists on Instagram continue to be popular in Russia. Advertising and recommendations contribute to the rapid dissemination of information, but for Moscow, this is unacceptable and requires change.
New Phase of Kremlin’s Plan Unveiled in Summer 2023
In the summer of 2023, a new phase of the Kremlin’s plan was released. The introduction of additional legislation meant that posting online information that promotes or advises on the use of VPNs, Tor, or similar tools to circumvent blocking was about to become a criminal offense.
Illegal to Promote Unblocking Tools
Starting today, publishing information about tools that undermine blocking in Russia, including advertisements for VPN services with circumvention capabilities, is a criminal offense punishable by fines of up to four million rubles (US$43,840). Roscomnadzor, the telecoms regulator, states that the law will not target the general public, but the distinction between online sellers is somewhat blurred.
Other enforcement measures at Roscomnadzor’s disposal include blocking any offending materials in the same manner as other content is blocked. Roscomnadzor will also strive to cleanse search engine results of mentions of VPN providers that are already blocked in Russia or deemed illegal. This latter group could be substantial, as any provider capable of unblocking without a government-issued license is automatically considered illegal.
VPN PSYOPs in Full Swing
In April 2023, a series of public service announcements (PSAs) were launched in Russia to discourage the public from using VPNs voluntarily. The videos focused on data leaks, blackmail, threats to personal information, and a seemingly psychic man who knew everything about his partner on their first date, simply because she used a VPN.
This campaign was orchestrated by ROCIT, the government-funded Center for Internet Technologies. Recently, ROCIT conducted a new study on VPNs, the results of which are published on its website. The findings are somewhat perplexing.
According to ROCIT, “A study was conducted on VPN services in terms of the content of their data processing policies and the applicable processing laws in the country of registration of the owner company.”
ROCIT adds, “Despite restrictions, regular data leaks and risks, a significant proportion of Russians continue to use VPN services,” noting that over one in five Russians use a VPN while 40% believe they’re unsafe.
The VPN providers studied by ROCIT include Lantern VPN, Psiphon, Safe Connect VPN, Tunnel Bear VPN, Proton VPN, AdGuard VPN, Express VPN, VPN Proxy Master, Surfshark, Cloudflare’s 1.1.1.1 +Warp Hide.me VPN and VPN – Super Unlimited Proxy.
While the names of the VPN providers were mentioned, the study by ROCIT did not provide further details about the assessment of these providers. However, ROCIT did arrive at several conclusions:
- Typically, VPN services operate with a standard set of data for online services. This includes account information, user IP address, payment information, and information about the user’s device.
- Most VPN services do not acknowledge at the policy level the collection of data about the resources visited by a specific user. They may collect statistical and analytical data, such as the volume of data transferred. Some services may also collect location data.
- The study points out that the jurisdiction offering the least guarantees for users is the United States, while Switzerland offers the most legal protection for users’ data. The United States has the Foreign Intelligence Surveillance Act (FISA), which permits surveillance of non-US citizens.
- Furthermore, US Executive Order No. 12333 allows for the interception of data transmitted through the States. The Stored Communications Act permits law enforcement agencies to access data stored by operators based on court orders.
It remains unclear whether users of VPN – Super Unlimited Proxy considered the above factors when developing their threat model. However, they are now on notice, and their numbers are in the millions.
Roscomnadzor, for its part, seemed somewhat devoid of ideas, ultimately concluding that criminals can use VPNs to commit crimes.