Another component of internet-browsing is about to become criminal in Russia.
On Sept. 21, Russia’s Ministry of Digital Development, Communications, and Mass Media (Minkomsvyaz) released a draft law that would criminalize the use of internet protocols that, in its words, encrypt a website name. The specific protocols the law is targeting are a jargony alphabet soup: TLS 1.3, ESNI, DNS over HTTPS (DoH), and DNS over TLS (DoT). But they’re important encryption techniques that are already, to varying degrees, deployed online, including in Russia.
This marks another step in Russia’s push for a domestic internet that the state could tightly control and isolate from the world at will. (That’s the vision, anyway.) The draft law also highlights the authoritarian assault on the open internet playing out in the sometimes-overlooked domain of standards.
Shared protocols allow devices of all different types, produced by many different manufacturers, to communicate with one another through an agreed-upon set of technical rules for behavior. These standards are developed by a wide variety of experts in multistakeholder bodies. Whenever you log onto the internet, you receive an internet protocol address—a product of these kinds of shared protocols. Without said rules, internet communication would be a mess: Any time you landed in a country, you’d have to head over to the airport gadget shop and make sure you didn’t need a new, country-specific device to communicate with others. Similarly, if you and your friends didn’t have the same kind of smartphone, there’d be less guarantee of text or phone call compatibility.
Authoritarians, particularly in China and Russia, have long had qualms with these open and interoperable standards for those exact reasons: It’s harder for governments to control data flows when there are no centralized chokepoints for authorities to seize, or when protocols themselves cloak user communications behind a veil of encryption, or when experts in some far-away meeting are deciding the technical protocols used to route data in their borders.
That’s why, in recent years, Moscow and Beijing have asserted more direct state control of internet standards domestically. Within China’s borders, for instance, the state has altered key components of the internet’s data routing system to put the state more firmly in the driver’s seat, sharply diverging from how internet routing functions outside China and on the Chinese internet’s periphery. Practically speaking, that means Beijing has more control over which data goes where. Russia and, in particular, China have also become more vocal in supporting their preferred, closed standards in international forums—ones that could allow greater control. In other words, they’re working on exporting a model of closed standards. They hope that more state influence over internet standards development will help them advance their goals of creating greater “sovereignty” online.
This draft law is one of only many actions the Russian government has taken to undermine shared internet protocols within its borders. The Kremlin has been trying for years—most notably under a 2019 law—to wrest control within Russia of the Domain Name System, the internet’s “phone book” for addressing traffic. In the Kremlin’s view, controlling the Domain Name System would give it tighter rein over how traffic flows in the country as well as which devices are compatible with this envisioned Russian domestic internet. The specific protocols named with the recent draft law encrypt otherwise-visible information about a user’s destination that’s linked to their data packets. For state authorities relying on access to that data for content censorship and surveillance, encryption is more than a mere thorn in the side.
Naturally, the draft law cites the enforcement of information control laws as justification for criminalizing these protocols’ use. These laws target child pornography, for instance, but they also target what many democracies would call protected political speech, like sharing knowledge of corruption or drawing attention to pervasive and often violent homophobia in Russian society. Russia’s internet and media regulator, the explanatory note says, has difficulty identifying the real network addresses of devices on external systems when these encryption protocols are used, reducing its ability to restrict online information.
In practice, surveillance, censorship, and internet isolation are deeply entangled in Russia. As with DNS, the Kremlin has made control of key internet protocols a central part of its plan for a domestic, isolatable internet in Russia. Part of that is moderating content, yes. But part of that is also being able to watch those communicating online, through pervasive surveillance add-ons to Russia’s digital infrastructure; it’s also about being able to develop key chokepoints for the internet in the country, so that it’s easier to exert control over the infrastructure than it is with a more decentralized system, both in software and in hardware. For a government with a far less technically sophisticated and established internet censorship system than the one run by counterparts in China, the Kremlin’s somewhat scattershot and roadblock-filled internet censorship approach depends on knowing who is saying what, when, and to whom. That allows the Russian state to use physical coercion—showing up and throwing someone in jail for saying the wrong thing online—alongside technical internet restrictions.
It’s extremely likely that the draft law will be enacted—after all, this is a country whose ruler once declared his plan to establish a “dictatorship of the law.” But internet control is a complicated wish, and this plan may not work exactly to the Kremlin’s liking. Historically speaking, when fine-grained filtering attempts have failed, the Kremlin has relied on sweeping techniques with collateral damage for citizens’ ability to access other websites. As the independent Russian news outlet Meduza reported, Russian internet and search giant Yandex already uses some of these protocols, which underscores the importance of company compliance here.
Standards are a growing point of conflict for the global internet, and they have been for some time. The multistakeholder bodies where these technical rules are developed are increasingly marked by a contest between a free, open, and interoperable internet model and one that prioritizes tight state control over information flows and internet architecture. Russia criminalizing the use of relatively agreed-upon internet protocols which directly employ encryption is just an illustration of this authoritarian movement against internet standards that underpin the web as we know it.