REPORTS
ANALYTICS
INVESTIGATIONS
  • USD98.06
  • EUR106.89
  • OIL75.54
DONATEРусский
  • 2387
POLITICS

Runet Sovereignty. How the Kremlin is building a national web with censorship even a VPN won't defeat

Under the pretext of war, the Kremlin began blocking access to independent media outlets on the Internet, including Dozhd and Ekho Moskvy, and The Insider stopped loading for many people. But this was only the beginning of the final phase of the battle against the free Internet, which is bound to culminate in the emergence of a «sovereign Runet». Preparations for its creation began back in November 2019, when the Interior Ministry's Main Investigation Directorate opened a criminal case against Alexei Soldatov, one of the founders of the Russian Internet, and his business partner Alexei Shkittin.
They were accused of handing over the administration of about 470,000 IP addresses to a company registered in the Czech Republic. Soldatov was arrested, Shkittin was put on the wanted list (Germany refused to extradite him, recognizing the case as political).
Andrei Lipov, then chief of a directorate in the Presidential Administration, and now head of Roskomnadzor, personally filed a complaint in the case. It's the battle over IP registries that will help make the Kremlin's dream of a fully controlled «sovereign Runet» come true, says Shkittin. In a conversation with The Insider, he explained exactly what a «sovereign Runet» would look like, why it would be impossible to bypass censorship, how Lipov is connected with the FSB and Usmanov, and why such Internet giants as Google and YouTube might be forced to leave Russia after all.


In November 2019, the Main Investigative Directorate of the Ministry of Internal Affairs opened a criminal case against one of the founders of the Russian Internet, Alexei Soldatov, and his business partner Alexei Shkittin; they were accused of handing over the administration of about 470,000 IP addresses to a company registered in the Czech Republic. Soldatov was arrested, Shkittin was put on the wanted list (Germany refused to extradite him, recognizing the case as political). Andrei Lipov, then chief of a directorate in the Presidential Administration, and now head of Roskomnadzor, personally filed a complaint in the case.
The battle over the IP registries will be the final stage of the crackdown on Russia's Internet freedoms and will allow the Kremlin to realize its dream of a «sovereign Runet,» explains Shkittin. Speaking with The Insider, Shkittin explained exactly what a «sovereign Runet» would look like, why it would be impossible to bypass censorship, how Lipov is connected to the FSB and Usmanov, and why the Internet giants like Google, YouTube, and Facebook may have to leave Russia after all.

Q: Who controls the Russian Internet today, and how?

Roskomnadzor was chosen as the main source of state control, which is joined by various agencies, as necessary; they either give it assignments or assist it (for example, Federal Antimonopoly Service, General Radio Frequency Center, State Radio Frequency Commission, etc.).

Alexey Shkittin
Alexey Shkittin

Practically nothing depends on the Ministry of Digital Development, Communications and Mass Media, and after the fall of its Deputy Minister Alexei Sokolov (who de facto was a FSB representative and tried to take control of Internet management), it is now essentially a «ministry of nothing». The real (political) power over the Internet is concentrated in the hands of the head of Roskomnadzor, Andrei Lipov, who is the author of the «sovereign Internet» project and has been tasked with bringing the project to life.

Q: Is Lipov competent enough to wield this power?

He is. Unlike his predecessor, Lipov is a competent person who understands the structure of the internet. But it's not just Lipov. The FSB is no less significant source of danger to Runet's freedom. Historically FSB together with Roskomnadzor was in charge of communication nodes and supervised deployment and operation of SORM (system for operative investigative activities) at those nodes. In fact, these functions allow the FSB to control all user traffic, not only in real time, but also (thanks to the Yarovaya Law) from several years back. In other words, if there's a criminal case is against you, all the «logs» of your actions may be available upon request. Combined with the control over the address and domain space, such a system of «wiretapping» provides control over network users.

Q: Is the creeping «sovereignization» of Runet just a matter of control, or is it also a matter of money? Does it have any specific beneficiaries?

How could it not? To understand what is going on, we need to pay attention to the Citadel holding company, which has concentrated and continues to concentrate in its hands the commercial component of the tools needed to control the Runet. The relatives of high-ranking FSB officers and ex FSB officers are behind Citadel, but in the end all roads lead to Usmanov's companies. In fact, all state wiretaps are now in his hands. According to our information, Usmanov's business structures were also behind Lipov's nomination as the head of the Roskomnadzor back in the days when he still worked in the Presidential Administration.

Q: Usmanov recently sold Vkontakte and Mail.ru (where Lipov's son and Kirienko's son worked, by the way); does this mean he is losing his position in controlling the Runet?

You must understand that the main lever of influence on all IT companies in Russia is in the hands of the state security (the FSB, Citadel, and RKN); Lipov and Usmanov act in concert with the top FSB officials. The second important lever, the national domains, is also controlled by Lipov and Usmanov. They may no longer own content-based companies like VK and Mail.RU, but they control everything from below through security and infrastructure management.

Q: How realistic is it for the state to gain full and ultimate control over the Internet infrastructure in Russia?

First of all, let's define the Internet infrastructure. Contrary to the common view, it does not include the popular Internet applications such as YouTube and VK. The foundation of the Internet is the logical infrastructure of IP registries, domain name systems and routing tables. Everything else exists on top of it (or below it, like cables or packet systems).

Q: What does «IP address registry infrastructure» mean?

Every network node has an address, and there is a route between every two nodes which is actually used to distribute information. The following mechanisms are of key significance: the IP-addressing and routing system (IP addresses, autonomous systems and BGP) and domain name systems, DNS, as well as the cable infrastructure, which includes all cables coming from abroad. This is exactly what's supposed to be controlled.

Q: When you say «supposed to be controlled», do you mean it's not yet under control?

Not yet, but if this infrastructure is taken under control, then, by using blocking the system based on the devices installed on network nodes, as well as by improving the mechanisms of DPI (deep packet inspection) and SORM, total control over the network can be achieved.

Q: So the only thing the state has yet to do is to establish control over the domain names and the IP-addressing system?

Half of this task has already been completed. In fact, Lipov's (read Usmanov's) companies took control of the national system of domain names, using a criminal case against me and Alexey Soldatov to eliminate the last obstacle that stood in the way to a sovereign Runet. The removal of Soldatov from the list of founders of the CC (National Domain Coordination Center) completely freed Lipov's hands, and, with little extra effort, he gained full control over the domain name infrastructure.

Q: Will the war accelerate their plans?

Definitely, the question is in the deployment of a pre-prepared scheme. Control over the IP-addressing space is obtained by introducing the RARN system, which is essentially a copy of the global IP addresses distribution system, but it is fully under the control of RKN. This replacement of the address space will let them build a registry, closed to external sources, and gradually all operators will be required to use it instead of the existing system of global IP distribution.

Q: It seems like a Russian nested doll, an Internet within the Internet?

Yes, a sovereign Runet will be an isolated system with its own domain names and address space, an imitation of the world wide web limited to a single country. Given the total control over the sources of foreign traffic (see how they rushed to inventory the cables installed along the borders) and the deployment of the deep packet inspection system, it will be impossible for the average user to gain free access to the world wide web or to create inside the country any resource undesirable to the authorities.
It is possible that operators with a direct cable connection will remain in contact with the outside world, but they are required to report to the RKN on such connections, and most likely these channels will also come under the control of the RKN.

According to the latest data, as early as March 1, the RKN required that all operators report on their foreign cable communication facilities. The main position of authorities is that all cables coming to the territory of Russia must be wholly owned by Russian companies. I think the shutdown will also affect operators at the physical level. So there is a high probability that during next months Runet will be able to replace the content and functionality of the Internet with a completely closed one from the inside. That is, the hatches will be battened down.

Q: How difficult will it be to bypass blockages in a «sovereign Runet»?

In the near future, the authorities will not be able to replace the content and functionality of such Internet giants like Googlе or Apple, so they will have to let some traffic in, at least in peacetime. And that means there will be ways to bypass blocking. In the event of total isolation mesh networks will become popular, where each user acts as a network node, passing the traffic on to his neighbor. There are many more options to resist the isolation. But we shouldn't pin our hopes on satellite Internet, because its access systems are very easy to monitor and detect.

Q: How will the Russian system differ from, say, the great Chinese firewall?

They are arranged very differently, because at the very early stage (when there were a little over 100,000 users) the Chinese Internet was fenced off by a powerful firewall, which grew along with the network and was fully integrated into it. The Chinese traffic control system is a hardware/software solution which took 30 years to be built; it would be unrealistic to expect a similar system to be built in a couple of years, no matter what the cost.

Q: And it did cost billions of dollars.

The costs were huge, and so was the number of specialists involved. The Chinese system is based on the same addressing and routing logic as the world wide web; the Chinese simply fenced themselves off using deep packet inspection equipment to block forbidden content. Most likely, filtering works based on a similar principle inside the firewall. In addition to the isolation, China is a NIR, that is, a national Internet registry, so the state is able to force all operators to use only their assigned IP addresses within the country.

Q: Can Russia do likewise?

No, because Russia is within the RIPE NCC area, which serves Europe, Central Asia and the Middle East. Under RIPE, any operator can use its IPs anywhere, even in another region.

Q: And how would a «sovereign Internet» be different from North Korea's «intranet»?

The situation in North Korea is generally quite primitive. The comrades there, without thinking twice, simply built a «local network», which boils down to a single autonomous system with two «uplinks» (i.e. two communication channels): from China and from Russia. Everything inside is simply an internal local network, where the rules and user rights are determined by system administrators. But North Korea has few Internet users, while Russia has more than 2000 providers and the need for international communication is obvious, at least for the banking sector and foreign trade.

Q: But isn't a «sovereign Runet» simply an extension of the «North Korean» model?

Not exactly. After Lipov's appointment as the head of RKN the Presidential Administration began touting the idea of creating their own analog of the Internet for the whole country, so that it would be technically similar to the original, but different on a logical level. They took the international system of IP distribution, copied it and created their own system based on a similar principle. Addresses are forcibly distributed through the RARN system among Russian providers, which then must stop announcing foreign addresses through their autonomous systems and begin to announce internal Russian addresses; plus all communication channels must be Russian. Then the Internet will kind of close in upon itself and will work properly, but without contact with the outside world.

Q: And it will be much easier to filter traffic.

Of course! There is no need for global international filtering, there will simply be no external traffic by default, except through gateways under the full control of Rostelecom and Co. And internal traffic will be decrypted by DPI (deep packet inspection) and blocked as necessary. It will be impossible to build a VPN tunnel or use the censorship circumvention tools built into browsers. So, the planned sovereign Internet is, in fact, a network management system closed at the logical level, or a sovereign segment of the international network which operates similar to the world wide web while being fully separate from it.
It will be impossible to build a VPN tunnel, as well as to use the built-in blocking bypass systems in browsers.

Q: Simply put, the Kremlin will have a switch that can cut off external channels at any time.

Exactly. After all, all the two thousand Russian providers are currently working with the global Internet; they block websites by orders of RKN fearing fines or punishment, but technically they disobey and restore full access in the event of, say, a revolution or war. The new system will principally rule out such a possibility, because RKN will be able to censor websites directly from their command center by simply removing the unwanted routing.

The domain name system, which Lipov calls the «system of national domains», will also be under control, the registry will be transferred to the Russian Federation and will no longer be in sync with the global registry; it will operate only within the country combined with a national system of IP addressing and routing, unrelated to the global registries. If they take control of all the external cables, which is exactly what they are doing now, the chance of complete isolation will increase to 100%.

Q: To make this work, the Internet giants must be convinced to switch to «sovereign Runet» IPs. What if they refuse?

To begin with, Google and Facebook are required by law to have servers in Russia, they have long started moving them to Russian data centers, where, of course, they only connect to Russian providers, because there are no others, and probably won't be. Now almost all of them, even the foreign providers, have registered Russian legal entities (and those who did not, I think, will be forced to, since there's already a law that foreigners may not own networks which cross the Russian border). So, by definition, the servers will have to be connected to Russian «uplinks».

Certainly at the moment, when everyone is working as usual, using international numbering and routing, all Russian providers are using IPs allocated to them by the RIPE, but as the «sovereignty» is forced upon the operators they will switch to RARN numbering because there will be no alternative to it in Russia. So, Google and Facebook will have no choice, because international numbering will simply stop working and their IPs will become useless, the Russian Internet will simply not see them.

Foreign traffic will be routed through a gateway, for example Rostelecom, in which addresses will be converted from internal to external and vice versa (like a tunnel), all under complete control of RKN, all traffic will be decrypted and analyzed. If there's a command «to batten down the hatches», the gateway will stop working, after which the Russian Facebook and Google services will have to somehow work autonomously, but whether they will be able to do so we do not know yet.

Q: Can international regulators say they don't like the idea of RARN and will not be dealing with it? Can the international community do anything at all to prevent RKN from creating a sovereign Runet?

No, if you create your own registry of addresses for use inside Russia unrelated to external use, then the global regulators will not affect it in any way. Let's say, on border crossings Rostelecom's traffic will convert from internal to external addresses and back again, but what will regulators do about it? Block that traffic? Delete Rostelecom's external IPs? This will cut off all the international services in Russia, but the internal network will still be functional.

Q: But as regards Google and Facebook, they will have to decide for themselves whether or not to work in Russia using the gateway. How likely are they to refuse to work in such a manner?

Of course, they will decide for themselves. I think they will try to adjust for as long as they are able to. Only if they are required to have an isolated segment in Russia, then they are likely to refuse to work in such a strange way because their system, after all, is an integral mechanism and cannot be used autonomously. Technically, they can work this way, but it will look very awkward. I think, they might eventually leave, particularly because the cost of landing in Russia will be too high with the sovereign Runet. Well, the issues of user privacy are not going anywhere either. I think they are now analyzing the situation, and, like many, they don't believe it will eventually come to this.

Q: It's hard to imagine how, say, YouTube could operate autonomously in Russia, even if it wanted to.

You need to understand how data caching and CDN work, and so on. I think they will first need to create a balanced data distribution and management mechanism, so that they can squeeze through the bottleneck of the sovereign Runet, but that's not what Google and the others would want. Like I said, they will probably just refuse to work under such conditions, because their systems do not provide for autonomy because of caching technology.

Q: But if the Internet giants leave, how will Russian business survive at all, if there are no domestic counterparts? Will the attempt to create their own Internet infrastructure simply break the Internet and ruin the economy?

Of course, they will break the Internet. Hasn't the idea of making everybody use the Elbrus or Baikal processors that can barely work nearly ruined everything? But still, they keep pushing them. They don't really care about the consequences; they are solving the immediate problem of taking full control of the network. If everyone is compelled to work through Mail.ru or corporate mail (departmental networks are now also required to store and retrieve data), they will be quite happy. Of course, they won't break the entire network, but they will make it look extremely miserable. The economy is unlikely to benefit from it, yet the Gosuslugi portal and the Tax Service website will work.



Subscribe to our weekly digest

К сожалению, браузер, которым вы пользуйтесь, устарел и не позволяет корректно отображать сайт. Пожалуйста, установите любой из современных браузеров, например:

Google Chrome Firefox Safari