Putin signs “Internet sovereignty” bill that expands censorship

Russian President Vladimir Putin has signed a controversial "Internet sovereignty" bill that strengthens the government's control over the Russian Internet.

Back in March, we reported on Putin signing two other bills that gave the Russian government the power to punish people for the online publication of fake news and insults to public officials. The latest bill focuses lower on the technology stack.

The New America Foundation published a detailed analysis of the bill back in February:

The law pulls "traffic exchange points" under the jurisdiction of the law. This year's proposed amendments define traffic exchange points as the "communications facilities" that "connect... and pass traffic between communication networks of telecommunications operators"—essentially what we refer to as Internet Exchange Points, or IXPs. The amendments set out that traffic exchange points must comply with orders from and share information with the Federal Service for the Supervision of Communications, Information Technology, and Mass Media—better known as Roskomnadzor, or Roskom. Traffic-exchange-point operators must also comply with requests from Roskomnadzor that they adjust their routing and develop the capacity to resolve domain names using the—as of yet incomplete—Russian national domain name system (DNS).

The second function of the law is to provide Roskomnadzor with authorities to centralize management over the Russian internet in cases where the "integrity, stability, and security" of the Russian Internet is threatened. The law sets out that Roskomnadzor will establish the "procedure, terms, and technical conditions for the instillation of technical means" for "countering threats," as well as the requirements for the use of this technology. Roskomnadzor can then carry out the "centralized management" of the Internet by managing these "technical means" of "countering threats" or by sending "binding instructions to telecom operators, network operators, and other persons having an autonomous system number." In addition, Roskomnadzor will be given authorities to block illegal information resources using this same technology, even when not acting as the centralized manager of the Internet. Currently, Roskomnadzor issues orders to telecoms to block undesirable information. The new authority and accompanying technology could allow Roskomnadzor to institute a national firewall similar to the Golden Shield in China.

New requirements are scheduled to go into effect on November 1, according to the Financial Times.

Officially, the bill is designed to protect the Russian Internet against foreign threats, including the risk that Russia could be cut off from the rest of the Internet. The Russian government is aiming to get the vast majority of Russian Internet traffic routed domestically in the next few years. That would make it harder for foreign governments, including the United States, to spy on or interfere with Russians' use of the Internet. Supporters of the bill have portrayed it as a response to America's allegedly aggressive cybersecurity efforts targeted at Russia.

But of course, centralizing control over Internet routing in Russia also gives the Russian government stronger powers to monitor, control, and censor its own population's Internet use. In an extreme case, it could allow the government to cut Russian Internet users from external sources. The changes to routing and DNS would make it easier for a domestic Russian Internet to continue functioning while it's cut off from the rest of the world.

Fears of such abuses inspired strong opposition to the legislation from civil libertarians, Russian opposition parties, and ordinary Russian citizens. But their opposition wasn't enough to stop the legislation from being approved by the Russian Duma (which is dominated by Putin's United Russia party) or from the Federation Council (the upper house of Russia's parliament).

Russia has been working on online "sovereignty" policies for several years. Back in 2014, we covered a new "data sovereignty" law that requires Russian citizens' data to be held on servers physically based in Russia. That effort was inspired in part by Edward Snowden's 2013 revelations that the National Security Agency had compelled US technology giants to cooperate with US surveillance efforts.