First Monday

Controlling free expression by infrastructure in the Russian Internet: The consequences of RuNet sovereignization by Liudmila Sivetc



Abstract
Russia has been coaxing foreign Internet companies into building the Yarovaya-Law infrastructure, by listing them as “information disseminators”. This infrastructure, aimed at storing content data collected by information disseminators, might develop into a state-controlled content layer for the sovereign Russian Internet, presenting a new digital lock to curb free expression. However, by the summer of 2020, the building of the Yarovaya-Law infrastructure had faltered due to cost and implementation obstacles; this may now have hindered the continuation of the RuNet sovereignization strategy.

Contents

Introduction
Data localization
Discussion
Conclusion

 


 

Introduction

Since 2012, Russia has been expanding control over the RuNet, “which for a long time provided a space for alternative media and free speech.” [1] The roots of this control lie in the ruling regime’s attempt to limit political freedom in the country [2], a process which has negatively contributed to “a steady decline of freedom of expression in Russia over the past two decades” [3]. As researchers have already found, “the most visible element of this decline” (my emphasis) is the extensive control that the Kremlin has exerted over the media [4]. However the less visible element — the control of the RuNet infrastructure, which Russia has been seeking to achieve — has less frequently been identified as an issue correlated with endangering free expression. This article adds to the discussion on infrastructure-based censorship by analyzing Russian legal materials through the prism of controlling free expression by means of the infrastructure of the Internet.

As already elucidated in scholarly literature, in recent years [5], Russia has set an ambitious goal of creating a digitally sovereign cyberspace (Freiberg, 2014, Nocetti, 2015a; Kukkola, et al., 2017; Kukkola, 2018; Kukkola and Ristolainen, 2018; Musiani, et al., 2019, Stadnik, 2019). Russia’s Doctrine of Information Security (2016, point 8b) declares the sustainable and safe functioning of the Russian Internet (RuNet) as one of the country’s core national interests. This policy is further developed in the Strategy of Information Society Development for 2017–2030 (2017), which states that Russia possesses the right to mediate political discourse in the RuNet (point 34a) and aims to establish a centralized state control over the national Internet infrastructure (points 29a and 33b). More precisely, the “Strategy of Information Society Development” states that the critical infrastructure of the Russian Internet (henceforth, RuNet infrastructure) should emphasize Russian sovereignty (Strategy, 2017, points 32b, 29, 29a). Critical infrastructure, as vaguely defined in the Critical Internet Infrastructure Act (Law № 187-FZ of 2017, points 2b and 7), consists of a telecommunication backbone, the Internet, and other information and telecommunication systems, as well as automatic systems controlling these networks.

Russia’s focus on sovereignizaton through the RuNet infrastructure is hardly surprising. As the relevant scholarly literature demonstrates, acquiring control over the Internet infrastructure leads to control over the Internet as a whole (Musiani, et al., 2016). As Mueller (2010) notes, states have fought to control the Internet infrastructure in the same way as they have always fought for resources and strategic advantages. Moreover, according to Lessig (2006), the attempts by states to have control over Internet infrastructure affects practices of self-expression. As Balkin (2014) notes, states strive for control of the Internet infrastructure because over time, the Internet infrastructure merges with the infrastructure of digital speech. Online content can only be accessed through the Internet infrastructure: the chain of telecom operators and Internet access providers in the physical layer, the central protocol and standards in the logical layer, and online platforms in the application layer. Consequently, Internet infrastructure is an infrastructure for digital speech as well. This merger enables states to control digital content through Internet infrastructure.

The control over infrastructure is implemented via digital locks. I offer this concept as a means of referring to various technology-based tools that governments install into Internet infrastructure to control what content is available for users. Digital locks can be compared with “road-blocks” that states, as Balkin [6] explains, might place in the streets to block the movement of vehicles, e.g., trucks delivering newspapers to readers. In contrast to these physical blocks, which “would have been highly visible, logistically difficult, and costly in terms of legitimacy” [7], digital locks invisibly and effectively block data traffic in digital space. Balkin [8] refers to speech control by infrastructure as the new school of regulation practices, like Web site filtering and blocking, that might be perceived by Internet users as parts of the Internet infrastructure necessary for normal information flow in the digital landscape. Although I build on and borrow from Balkin’s theory, I prefer using the term “digital lock” to emphasize a material, infrastructural dimension on which the new school practices are based. This infrastructural dimension is especially important since this article discusses an entire infrastructure as a digital lock rather than filters or firewalls, which elevates the new school regulations to the macro level.

Bearing in mind the insights offered by Internet infrastructure-focused theories, I argue that the sovereignization of the RuNet infrastructure enables Russia to control free expression on the Russian Internet. Under the European Convention on Human Rights (Article 10), which Russia ratified in 1998, freedom of expression means

“freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.”

However, the Convention stipulates limitations on this freedom if they

“are necessary in a democratic society, [for instance,] in the interests of national security, [and] public safety [.]”

Russian authorities have been referring to these interests as the justification for expanding state regulation of the Russian Internet [9]. In 2011, Russia declared that state regulation was needed to combat unlawful online speech (Cross, 2014). This goal was implemented through stringent legislation introduced swiftly after the protest movement “For Fair Elections” of 2011–2012, which was enabled to a significant extent by disseminating information via social media platforms [10]. This legal expansion, called “blitzkrieg” (Eremenko, 2014), “legal haste” [11], and “occupation” of RuNet (Lonkila, et al., 2020) has been assessed as a threat to free expression by many scholars and Internet freedom watchdogs [12]. Snowden’s revelations regarding the United States’ mass surveillance apparatus (Borogan and Soldatov, 2013) and the anti-Russian sanctions imposed after the 2014 Crimea incident fuelled domestic political debates on the RuNet’s digital independence (Stadnik, 2019). In April 2014, President Putin called the Internet a project of the U.S.’s Central Intelligence Agency (CIA), which threatens Russia’s security (Agamalova and Golitsyna, 2014). In the autumn of 2014, the Security Council, an advisory presidential body, assessed whether the domestic Internet infrastructure would be able to function in adverse circumstances, for instance, in the case of an attack from outside the country (Golitsyna, 2014). National security and public safety as grounds for RuNet sovereignization are also mentioned in the Doctrine (2016) and Strategy (2017).

This article analyzes the sovereignization of RuNet through the prism of its infrastructure. While previous research demonstrated how Russia uses control over the infrastructure for political aims (e.g., Ermoshina and Musiani, 2017), this article focuses on how free expression is endangered by RuNet infrastructure sovereignisation. In my view, the most dramatic infrastructure-based implications stem from localizing the RuNet infrastructure and localizing data collected and stored by this infrastructure onto Russia’s territory (Doctrine, 2000; Doctrine of Information Security, 2016; Programme of Information Society, 2014; Programme of Digital Economy, 2017; Strategy of National Security, 2015; Strategy, 2017). I claim that by filling the localized RuNet infrastructure with localized content, Russia is trying to implement the idea of creating a “unified information space” [13] under state control.

Regarding infrastructure localization, Russia has achieved limited results. According to an official estimation made in 2014, the critical RuNet infrastructure was placed abroad in its entirety (Kantyshev and Golitsyna, 2016). To change the situation, in 2016, Russia planned to copy 99 percent of the critical Russian Internet infrastructure by 2020 (Kantyshev and Golitsyna, 2016; Golitsyna, et al., 2016). It was proposed to localize three infrastructural points of centralized control: IP addresses and the domain name system; Internet exchange points; protocols and standards (Minkomsvyaz, 2016); this would bring Russia closer to the Chinese situation (Deibert, et al., 2011), but with national specificities (Stadnik, 2019).

However, on 1 May 2019, Russia adopted the RuNet Sovereignty Act (Law № 90-FZ), which limited infrastructure localization strategies exclusively to the copying of IP addresses and of the domain name system, with a horizon of 2021. This copied database is to be used to enable the functioning of a so-called sovereign RuNet infrastructure, to which Russia plans to re-channel data flow in the case of an emergency when the stable and safe functioning of the RuNet infrastructure faces problems.

This article seeks to analyze in detail the “other way” of sovereignizing the RuNet: data localization, including the localization of personal data, metadata, and content data, with a focus on the implications for free expression brought by this data sovereignization. Moving in direction of data sovereignization, Russia adopted legislation in 2014 to localize the storage and collection of metadata. In 2016, Law № 374-FZ, known as the Yarovaya Law, extended the scope to content data. Ermoshina and Musiani (2017) previously discussed how Russia has tried to achieve hyper-localization of data and communication flows by introducing these laws. This article analyzes the Yarovaya Law and relevant legislation to explain the functioning of Yarovaya-Law infrastructure as a new digital lock for online free expression [14]. I examine in particular the regulation of foreign Internet service providers, like Zello, WeChat, Snapchat, and Telegram, to highlight their role in building this lock. Additionally, I discuss the results of regulating free expression by the Yarovaya-Law infrastructure and suggest that these results negatively affected RuNet sovereignization by infrastructure localization.

My theoretical framing relies on Internet infrastructure-centric approaches, which I apply to my empirical evidence. I examine legal documents, including but not limited to the Yarovaya Law and other relevant acts for its implementation, case law regarding data localization, reports by the Federal Service for Supervision of Communications, Information Technology and Mass Media (RosKomNadzor [Роскомнадзор], henceforth RKN), the list of information disseminators, as well as correspondence between RKN and three foreign companies — Zello Inc., Snap Inc., and Telegram Messenger Limited. The materials are chosen due to their relevance to data localization and the phenomenon of the Yarovaya-Law infrastructure. The materials were studied by using desk document analysis as a method of presenting an analytical overview following the order of legislative amendments.

 

++++++++++

Data localization

Personal data localization: Regulation of foreign Internet companies

Russia introduced data localization the requirement to keep and process data within national jurisdiction — in 2014 (Law № 242-FZ of 2014). This requirement came into force on 1 September 2015 (Law № 526-FZ of 2014), outlining the obligation to process personal data [15] of Russian citizens by using databases placed within Russia’s territory. The requirement introduced the permanent storage of personal data in Russia. Moreover, the requirement had a broad scope [16] as it presupposed the localization of personal data used in all spheres of online activity rather than only in certain businesses, for example in online banking. The data localization law also sets out four exceptions to the data localization rule (Article 18, part 5 of Law № 242-FZ), two of which are relevant to foreign Internet companies. First, the data localization obligation can be lifted by an international agreement. For instance, airline companies do not have to comply with the data localization rule. Secondly, the exception is included for professional journalists and mass media, as well as for those who process personal data for a scientific, literary, or another creative activity. The law did not prohibit companies from keeping data outside Russia [17], but mandated them to localize at least a copy of their databases in Russia. In case of non-compliance, RKN can block Web sites belonging to infringing companies after obtaining a relevant court injunction (Article 2 of Law № 242-FZ).

According to Alexandr Zharov (2017), the head of RKN from 2012 to 2020, the personal data localization rule affected approximately 2.5 million companies. Reportedly (Rozhkov, 2017), Apple, Samsung, Lenovo, eBay, PayPal, Alibaba Group, Booking.com, and Viber localized databases with personal data in Russia. Notably, Samsung and Lenovo, as reported in the press (Kantyshev, 2015), followed the localization requirement even before the rule came into force in September 2015. In November 2016, according to Walker (2016), Russia blocked for the first time a company for non-compliance with the data localization law — LinkedIn Corporation, a U.S.-based provider of the online platform, used by approximately six million Russians. Later, as reported by Zharov (2017), LinkedIn applications were deleted from Russian versions of the App Store and Google Play.

In the case of LinkedIn, the Moscow City Court decided that, although the Internet’s “trans-border, decentralized, and virtual” [18] (my translation) operations had indeed posed difficulties to defining the clear limits of an Internet company’s activities, Russian civil law provided a solution to this problem. Article 1212 of the Civil Code stipulates that Russian law applies in relations between a foreign company and Russian consumers, if the relevant foreign law gives less protection to a Russian consumer than the domestic law offers. The application of this rule has two conditions. First, when the relations concern a foreign company’s professional activity, and second, when a foreign company operates its business in Russia or targets its territory in other ways. According to the court, the targeting of Russian consumers by LinkedIn could be proved by two facts: by a version of the Web site in the Russian language, and by advertisements in Russian. Thus, the court ruled that LinkedIn must comply with the data localization requirement and, since the company had not placed databases in Russia, access to www.linkedin.com must be blocked. However, the court arrived at this conclusion without any analysis of U.S. law and clarifications as to why personal data protection under U.S. jurisdiction is worse than in Russia. Furthermore, the court did not explain how the localization of personal data in Russia can protect the data privacy of Russian citizens when the law allows LinkedIn to collect and process in parallel the same data in the U.S. as well. Two subsequent court decisions barred Russian organizations from storing personal data abroad, using the same phrase to justify localizing personal data as needed

“especially in adverse international conditions of policy and trade [... when] personal data placed abroad can be unlawfully accessed, copied and disseminated, as well as used to discredit Russian citizens” (my translation). [19]

On 2 December 2019, Russia introduced fines for companies which had not localized personal data in Russia (Law № 405-FZ of 2019). The fine for non-compliance was set to between one and six million rubles for a first breach of the laws and six to 18 million for a repeated breach (part 8 of Article 11.13 of the Code for Administrative Offences). On 13 February 2020, Twitter and Facebook were fined four million rubles each (Litvinenko, 2020).

The localization of meta- and content data: Regulation of foreign Internet companies

Russia introduced the requirement to localize metadata in the country and make it accessible for investigative agencies in 2014 (the Data Localization Act, Law № 97-FZ of 2014). Metadata includes information about facts regarding the receiving, transmitting, delivery, and processing of users’ communications, and also data about how users participate in communications. Building on the Information Act, the Data Localization Act added two Articles, 10.1 and 15.4. According to Article 10.1, any entity involved in activities of information dissemination on the Internet (henceforth, “information disseminators”) must collect and store metadata of all users of their services on facilities located on Russian territory for a period of six months. The category embraces Internet providers, whose services include reception, transmission, delivery, and all operations of services including messaging functions aimed at Internet users.

This group of Internet service providers is not limited to messengers, like Facebook Messenger or WhatsApp. It also includes all Internet companies disseminating user-generated content, like YouTube, or offering file-sharing, like Google Docs. In addition to the metadata localization obligation, Article 10.1 obliged information disseminators to provide Russia’s investigative bodies and security services with access to stored data. Furthermore, under the Article, RKN included all information disseminators in a special list [20]. For that purpose, Article 10.1 specified that information disseminators must send information to the agency on the following: where the company is registered, what domain name it uses, post and electronic addresses of its hosting provider, and the description of the company’s online activities. According to Article 15.4, if RKN found that the information disseminator had infringed Article 10.1, the agency would contact the company and present a time limit for complying with the rule (not less than 15 days). If the information disseminator did not follow the rule, the company’s Web site could be blocked via a court injunction or an RKN decision.

On 6 July 2016, the metadata localization scheme was amended by the Yarovaya Law (Law № 374-FZ of 2016). The official objective of the law is to use localized data to fight terrorism. The first set of amendments came into force on 20 July 2016. Since then, information disseminators must collect and store metadata for one year, instead of six months. Importantly, they are mandated to collect and store the content of users’ communications, namely, text, video, voice, pictures, and keep this content for six months. Furthermore, information disseminators must provide Russia’s investigative bodies and security services, like the Federal Security Service (FSB), with encryption keys with which users of their services encrypt communications. On 29 July 2017, the rules were amended once more (Law № 241-FZ of 2017). and a decision by RKN as being sufficient grounds for blocking was excluded. Thereby, a court injunction became the only legitimate course of action to block an information disseminator’s Web site. This rule entered into force on 1 January 2018. The Yarovaya Law also introduced fines, of up to one million rubles, for non-compliance with the rules. Consequently, Telegram was fined 800,000 rubles in 2017 (Cimpanu, 2017). In 2019, Russia also introduced fines of six to 18 million for repeated breaches (Law № 405-FZ of 2019).

Yarovaya Law infrastructure

The Yarovaya Law “outpaced the actual technological development of the country” [21]. The realization of the law requires new, “multilayered technical infrastructure” [22]. As one of components, the Yarovaya Law infrastructure needs new facilities to collect and store content data. These facilities could function as repositories to which information disseminators could stream collected content to make it accessible by intelligence agencies. Consequently, an information disseminator ought to build its depository or hire it from another provider. The total costs of building the Yarovaya Law infrastructure have been hard to estimate. Nevertheless, some calculations have been made by telecom companies. According to preliminary estimations in 2016 (Arhangel’skaia, 2016), the costs might be 2–5.2 trillion rubles (approximately, 28 billion–74 billion euros). In spring 2017 (Tishina and Afanas’eva, 2017), experts lowered these figures to costs from one hundred billion to one trillion rubles (approximately 1.4 billion–14 billion euros). In summer 2017 (Tishina and Novyi, 2017), the Russian Union of Industrialists and Entrepreneurs dramatically increased the figures to 17 trillion rubles (approximately 240 billion euros).

Several telecom and Internet companies, as well as professional associations, expressed their unwillingness to pay the costs, but offered to build a unified infrastructure which would store all collected content (Ser’gina, et al., 2017; Ermoshina and Musiani, 2017). Such a unified and state-controlled infrastructure was proposed in September 2016 by the State Corporation RosTech, comprising 700 organizations in the high-tech industrial sphere (Kantyshev, 2016a; Ser’gina and Nikol’skii, 2016). Notably, following the RosTech proposal, the collected content would not stay under the control of Internet companies but, instead, would be transferred in real time to state-controlled data repositories to become available for investigative and security bodies.

Nevertheless, the Russian government did not follow the RosTech proposal and in 2018 adopted a series of rules to implement the building of the Yarovaya Law infrastructure on the basis of SORM — lawful interception equipment. SORM functions across the country by automatically intercepting telephone, mobile, and Internet traffic to which the FSB and other law enforcement authorities have remote access (Privacy International, 2013). In 2015 the European Court of Human Rights (ECtHR) touched upon the SORM issue in the case of Roman Zakharov v. Russia (paras 114, 116122, 126, 127, 269272). The court issued the following statement on the usage of the SORM system by

“the secret services and the police to intercept directly the communications of each and every citizen without requiring them to show an interception authorisation to the communications service provider, or to anyone else, is particularly prone to abuse.” (para 270).

However, in my view, the court’s negative assessment of mass surveillance did not affect the functioning of the SORM-based Yarovaya Law infrastructure, following the analysis of a series of rules introduced by the Russian government in 2018. The “Rules on the Storage of Content by Disseminators of Information via the Internet” [23], a one-page document issued on 26 June 2018, sets out in point 2 that only content produced by Russian citizens or in Russian territory must be collected and stored in Russia, and made accessible for Russian security and investigative agencies. The Rules (2018, point 3) also state that information disseminators must store content data on facilities “used by the information disseminator in information systems exploited by this company” (my translation). The same sentence was used in Rules on Cooperation between Internet Information Disseminators and Investigative Agencies, amended on 18 January 2018 [24]. The combined reading of these two documents allows this article to conclude that collected and stored content data should be placed by information disseminators on their facilities. This conclusion is indirectly supported by the Rules on the Storage of Content by Telecoms, issued on 12 April 2018. Regarding telecom companies, the Russian government decided that they must collect and store data on “technical means of accumulating information owned by the company” (my translation of the “Rules on the Storage of Content by Telecoms,” 2018, point 2). All of these “Rules” required Internet companies to guarantee access to this localized data by the FSB. The FSB should be able to connect to these facilities to obtain remote access to information. Thus, in contrast to the RosTech scheme, localized content data remains under the control of Internet companies rather than the State. Nonetheless, these documents did not explain who would control localized data after the FSB has received access to it.

However, the SORM system was unable to store all content data localized under the Yarovaya Law. SORM-3, the last version of the system applied in 2014, keeps content only for 12 hours [25]. Consequently, the Rules on the Storage of Content by Telecoms (point 6) removed the factual start of content data collection and storage from 1 July to 1 October 2018. Moreover, the same rule shortened the duration of storage from six months to 30 days and stipulated that every year the storage capacity is to be increased by 15 percent so that in five years facilities can store 100 percent of content for six months. In my view, this means that initially the SORM infrastructure’s capacity was limited to 25 percent. Another problem of utilizing the SORM infrastructure was the absence of an efficient analytical system to process a huge amount of stored information [26]. However, such a system could be developed in the future, and has already been proposed by the FSB (Kantyshev, 2016b).

Foreign companies as builders of the Yarovaya Law infrastructure

Although the creation of physical facilities to store collected content data is far from complete, the Russian government has already begun recruiting companies to build a facility. In July 2017, the list of information disseminators, operated by RKN, included 85 companies. Nine of them were foreign companies, for instance, WeChat and Threema, providing messenger services; Depositfiles and Letitbit, offering file-sharing services; OperaSoftware, providing an online browser service; and Vimeo, offering video-hosting services (Shadrina, 2017). According to the list of information disseminators, by summer 2020, the number of listed companies had almost doubled to 192. The number of foreign information disseminators had also increased to 16, including Tinder, an online dating application.

Before 1 January 2018, RKN actively utilized the opportunity to block foreign Internet companies using data localization rules and without a court oversight for non-compliance. For instance, RKN ordered the blocking of the online activities of Blackberry Messenger, LINE, vChat, and Imo.im (Trunina, 2017). Zello Inc., based in the U.S., was also among the blocked companies. The company’s service — Zello — presents a free of charge application to transmit voice messages in a way similar to a hand-held radio. According to Zello Inc., its application was used by more than 400,000 Russians and played an important role in connecting participants of several anti-government rallies (Gavrilov, 2017). As the correspondence between Zello and RKN shows, in March 2017, RKN notified the company that Zello Inc. had infringed Article 10 of the Law on Information, and consequently would be blocked unless the company “fulfill the demand [of the Article] in three working days.” [27] Zello Inc. declared that the compliance with the rules was impossible and did not answer RKN (Gavrilov, 2017). Consequently, the agency ordered Internet access providers to block the company’s Web site, zello.com, on 10 April 2017 (RKN, 2017).

In contrast to Zello’s position, the three following examples demonstrate that foreign companies can make the choice of complying with the Yarovaya Law rather than having their online activities blocked. In May 2017, RKN blocked WeChat, one of the world largest messengers, owned by TencentHoldings, a Chinese company (Trunina, 2017). The provider preferred to follow the Yarovaya Law rules and RKN consequently unblocked WeChat (Trunina, 2017).

In August 2017, Snap Inc., a U.S. company and the owner of the Snapchat messenger, faced blocking but avoided it by providing RKN with all the necessary information. RKN included the company in the list of information disseminators on 10 August 2017 (RKN, 2017a). However, subsequently, Snap Inc. claimed that, when submitting this information, it had not realized that it would entail the obligation to collect and store users’ metadata in Russia (Proshkin, 2017). RKN answered by making available correspondence between the agency and the company. These letters, in RKN’s opinion, showed that Snap Inc. knew for what purposes the information was required by the agency [28]. An analysis of their correspondence leads to the conclusion that both parties are formally right. RKN indeed “asked [the company] to confirm the possibility of inclusion” of Snap Inc. details, provided in the same e-mail, in the list. RKN mentioned that it was needed “to perform the duties prescribed by” Article 10.2. Snap Inc. sent to RKN an e-mail message

“to confirm receipt of [...] correspondence and to confirm the accuracy of the information in [RKN’s] email.”

Therefore, it appears that RKN’s notifications are formulated in such a way that allows the Russian government to mislead foreign companies providing services used by Russians, in areas under Russian jurisdiction.

The third example brings to the fore the fulfillment of the obligation introduced by the Yarovaya Law, namely, the obligation to provide Russia’s investigative and security services with encryption keys to decode users’ messages. This obligation became a stumbling block for RKN and Telegram Messenger Limited, a U.K.-based company, whose messenger Telegram counts seven million users in Russia (Kantyshev, et al., 2017) [29]. The company sent all the necessary information about itself to RKN and was included in the list on 28 June 2017 (RKN, 2017b). Before that date, the parties exchanged remarks in the media (Kantyshev, et al., 2017). RKN threatened Telegram with blocking and, at the same time, stressed that the agency only required, at that stage, registration on the list (RBC, 2017). According to RKN (2017c), the agency had

“only one but simple demand to fill in the required form with details of the company operating Telegram. And to officially send it to RKN so that these details could be included in the list of information disseminators” (my translation).

RKN (2017c) stressed that

“[i]ncluding Telegram in the list means only Telegram is willing to work under Russian laws. The current legal status of Telegram will not change in Russia.” (my translation).

Telegram’s founder, Pavel Durov, who emigrated from Russia in 2014, insisted that all the information needed was already known to RKN from open sources and highlighted that the company would not hand over encryption keys to Russia’s security services to comply with the Yarovaya Law (Demchenko and Kolomychenko, 2017).

After RKN included Telegram on the list, the agency declared itself to be satisfied and the company’s services for RuNet users would be covered by Russian jurisdiction (RKN, 2017d). However, Telegram did not provide the FSB with access to messages [30]. The FSB reacted by sending two letters to Telegram, published by Durov in September 2017 on his page on the Russian social media platform VKontakte. In the letter sent on 31 August, he was informed that Telegram had infringed the obligation to provide Russia’s security services with encryption keys, which constituted an administrative offense, according to Article 13.31 of the Code for Administrative Offences; and consequently, this offense would be officially recorded on 14 September [31]. The letter sent on September 14 contained a record about Telegram’s offense [32]. According to the record, the FSB required Telegram to submit the encryption keys on 14 July 2017. However, Telegram did not respond. Furthermore, Telegram did not send its representatives to the court hearing, which was conducted in absentia. On 16 October 2017, Telegram was fined 800,000 rubles for non-compliance with the Yarovaya Law obligation to divulge encryption keys [33]. Telegram appealed but lost on 12 December 2017 [34]. Then, Telegram changed its tactic. Firstly, the company attempted to challenge the mechanism of passing information necessary for decoding to the FSB. For that purpose, Telegram filed a suit before the Russian Supreme Court in which the company insisted on the unlawfulness of the FSB’s Order № 432 of 19 July 2016 on grounds that the Order does not presuppose receiving a court injunction before submitting encryption keys (Vedomosti, 2017). However, this motion was denied on 20 March 2017 (Rozhkov, 2018). The Supreme Court [35] noted that information on encryption keys was unequal to information contained in encrypted messages and therefore the former did not deserve the same protection as the latter, including such a safeguard as a court injunction before access. It is worth noting that if Telegram had won the case, this would only have led to adding a court-injunction requirement as a prerequisite to the obligation to submit encryption keys but not to eliminating the obligation as such. Secondly, after bringing an action in the Supreme Court, Telegram complained to the ECtHR. Telegram claimed that the Yarovaya Law and the Order violated inter alia Article 10 of ECHR, preventing states from exercising unlimited interference in matter of the freedom of expression [36].

Russian authorities did not wait for the ECtHR’s assessment and acted following the Yarovaya Law. On 12 April 2018, RKN asked the court to order the blocking of Telegram services on the Russian Internet. The next day, the Taganskii District of Moscow City Court issued a blocking decision. On 16 April, RKN required Internet service providers to block access to Telegram and started by blocking IP addresses used by the company on different hosting platforms. This led to several waves of accidental blocking, which negatively affected millions of other Web sites because they shared with the targeted company IP addresses provided by Amazon Web Service (Balashova, et al., 2018), as well as by Google Cloud and Microsoft Azure (Gordeev and Li, 2018). However, the case did not lead to a total blocking of Telegram in Russia. On 16 April 2019, after a year of attempts to block Telegram, RKN acknowledged its failure (Interfax, 2019). The agency had been blocking IP addresses used by Telegram, but the company had been constantly migrating to new addresses and developing new ways to circumvent the blocking (Kuznetsov, 2019; 2018). RKN admitted that the only result achieved was a slowing down of Telegram services when the agency blocked the new IP addresses of Telegram (Interfax, 2019). On 18 June 2020, RKN decided to stop blocking Telegram (RKN, 2020). The agency (RKN, 2020) did not explain this change but said that RKN

“assesses positively the readiness expressed by the Telegram founder to resist terrorism and extremism” (my translation).

Durov (2020) “welcomed” the unblocking of Telegram.

 

++++++++++

Discussion

Implications for foreign Internet companies

Although the law on personal data localization marks an important step in the sovereignization of RuNet, it cannot lead to controlling online content, which is the aim of the Yarovaya Law. Nevertheless, Russia might use the personal data localization requirement to test whether foreign Internet service providers would be willing to place their databases under Russian jurisdiction and thereby demonstrate a willingness to assist Russia further in data sovereignization. Indeed, many companies localized their databases to avoid blocking of their online activities in Russia [37]. This might inspire Russia to proceed in further building the Yarovaya Law infrastructure. The builders of this infrastructure are and will be the “information disseminators”, as named in the list; therefore, being included in the list has important consequences. As the examples of Zello, WeChat, Snapchat, and Telegram demonstrate, Russia directly connects a particular company’s inclusion in the list with its compliance with Russian data localization law. As the example of Snapchat shows, RKN notifications mislead foreign companies by bringing them under Russian jurisdiction. Furthermore, the example of Telegram shows that inclusion in the list triggers the obligation to hand over encryption keys to the FSB. As the Meschanskii District of Moscow City Court stated in the case of Telegram,

“[the company] was registered in RosKomNadzor of Russian Federation, register number 90-PP, 28 June 2017, and consequently Russian legislation applies to it [Telegram], in particular, [...] Article 10.1, in accordance with which the dissemination of information in the Russian Federation is carried out freely if [Telegram] complies with demands prescribed by the Russian legislation” (my translation) [38].

Following this court decision, after a foreign company was registered on the list, it was considered to have placed itself under Russian jurisdiction and consequently must comply with Russian data localization obligation.

Therefore, although inclusion in the list appears at first glance to be a mere administrative procedure, it leads to serious consequences. Moreover, a foreign company might not anticipate these consequences when receiving a letter from RKN, as the example of Snapchat demonstrates.

The Yarovaya Law infrastructure as an illustration of RuNet infrastructure localization

Two obstacles appear on the way of building the Yarovaya Law infrastructure, and using for the purposes of free expression regulation.

The first obstacle is the enormous costs needed for the creation of the infrastructure. The total costs have never been disclosed but they must exceed, by wide margin, the costs calculated for building the infrastructure segment of mobile telecommunication companies. These companies, as well as information disseminators, are mandated by the Yarovaya Law to collect and store content data they transmit. Several telecom and internet companies, as well as professional associations, have lobbied for the State to undertake the costs of building the infrastructure. However, the total costs of the Yarovaya Law infrastructure are likely to be insurmountable for a single actor, even the Russian state. Indeed, Russia has adopted a less expensive solution — the SORM-based scheme for the Yarovaya Law infrastructure. This scheme counters the State’s ambitions to collect and store all content and the absence of suitable facilities. Consequently, the cost problem with data localization might affect plans for localizing the RuNet infrastructure and explain why the RuNet Sovereignty Act was downsized and limited the infrastructure localization to the RuNet Domain Name System. Notably, the other two points of centralized control — protocols and standards, as well as Internet exchange points and traffic peering agreements — are left outside the scope of infrastructure localization, although not without regulation. The law obliges owners of Internet exchange points to install on their facilities an additional control infrastructure to re-channel data flows according to routs defined by the government in the case of an emergency. Moreover, the law sets out that in such an event, data should only flow for those Internet access providers who are connected to this additional control infrastructure [39]. This condition corresponds to the Critical Internet Infrastructure Act (Law № 187-FZ). This law obliges providers, listed by the State as companies functioning within Russia’s critical Internet infrastructure [40], to install attack-preventing filters. Under the RuNet Sovereignty Act, such filters will be part of the additional control infrastructure. Furthermore, providers connected to the additional control infrastructure must use the state-controlled copy of the RuNet Domain Name System [41]. Thus, the additional control infrastructure presents a system of digital locks integrated into that part of the RuNet infrastructure that is located in Russia. These locks are intended, as the law says, to affect internal data flows between a local sender and a local receiver of data packages [42].

The second obstacle for the Yarovaya Law infrastructure is the difficulty of enforcing “by infrastructure” Russian jurisdiction on foreign companies. As the case of Telegram shows, Russia faced issues in blocking those foreign builders who have refused to contribute to the Yarovaya Law infrastructure. Instead of demonstrating to foreign companies that unwillingness to cooperate with the Russian government would lead to blocking their Web sites on the Russian Internet, the case revealed that a foreign company can reject cooperation and still offer its service for Russian Internet users. This dynamic, which from the Russian state’s standpoint is a failure, has challenged the building of the Yarovaya Law infrastructure. Without the practical possibility of blocking Web sites, the infrastructure may be used only for the content collected and stored by domestic information disseminators and those foreign sites who indeed want to cooperate. Moreover, the case may demonstrate to foreign, as well as domestic companies, that fines are the only tool available for the Russian government to enforce compliance with the Yarovaya Law. As long as foreign companies are willing to pay fines, they can provide the FSB with encrypted information or completely disregard the Yarovaya Law. Indeed, only two foreign companies were registered on the list in 2018, GetMeet Ltd from Cyprus and SIA “Film.fm” from Latvia. In 2019, the list displayed only one foreign information disseminator — Match Group, the provider of Tinder. Nevertheless, the role of this United States-headquartered company may be significant in building the Yarovaya Law infrastructure. The unblocking of Telegram in June 2020 may also have related consequences, but it is too early to say if Telegram will have an active role in this regard. Without solving the problem of how to implement blocking in practice, Russia is hardly capable, at present, of enlisting foreign information disseminators as builders.

The RuNet Sovereignty Act may be the next step in this direction, with its introduction of a new, state-controlled system to filter out and block illegal content by DPI technologies. This system aims at making the blocking of companies, like Telegram, more efficient. However, in the summer of 2020, it was still hard to predict whether Russia will adopt suitable DPI technologies and implement the new state-controlled filtering. If the new blocking system does not surmount the technological obstacle, Russia will have to step back from data localization, which eventually will be likely to also slow down the pace of infrastructure localization.

Implications for free expression and its control by Yarovaya Law infrastructure

By the summer of 2020, Russia decided to build the Yarovaya Law infrastructure based on the SORM scheme. In contrast to the RosTech proposal, the SORM scheme leaves content data on facilities controlled by Internet companies rather than by the State. However, if the SORM-based Yarovaya Law infrastructure develops according to the plans, it can present a digital, infrastructural lock to curb free expression. The 2018 Rules leave unclarified the crucial issue of control over the content collected and stored by information disseminators. If the control belongs to the State, Russian authorities can try to merge the locked content with the sovereign RuNet infrastructure, in which state-controlled filters block access to unwanted content. If Russian authorities coopt all companies as information disseminators, this new censorship practice will have a devastating effect on RuNet content layer. Nevertheless, in the summer of 2020, at the time of writing, this did not correspond to the actual state of things. Russian authorities have coopted in a prominent Russian Internet company providing search engine services (Yandex) and two social network platforms (VKontakte, and Odnoklassniki). These companies, whose services are more popular in Russia than their foreign counterparts, were among the first to register on the list of information disseminators in 2014. These companies’ contributions to the Yarovaya Law infrastructure might be merged with the sovereign RuNet infrastructure after censorship by state-controlled filters and made accessible for Russians in the case of an emergency under the RuNet Sovereignty Act. In such an event, free expression in Russia can be affected in a new way which questions whether the previous theories of content regulation are still adequate. Lessig’s (2006) “code is law” mantra acknowledges, among other things, that the Internet infrastructure, initially the result of a series of design choices elaborated by private companies, might be reconfigured following architectural solutions favored by governments. The government inserted digital locks in the Internet infrastructure to filter out and block undesired content, as it is discussed in Balkin’s theory of new-school speech regulation (Balkin, 2014). Critics of Balkin’s theory have stressed that negative implications caused by these locks for online free expression can be answered if private companies reveal these locks and make their functioning transparent to the public (Nunziato, 2014). However, neither the theories nor the criticism to them has addressed content regulation in conditions such as those prompted by the Yarovaya Law infrastructure, i.e., limiting the national content layer to content localized in an infrastructural lock.

 

++++++++++

Conclusion

Although Russia has made several steps on the way to RuNet sovereignization through data localization, the results of the strategy as of 2020 appear to be mixed, especially in terms of content data collection and storage. Due to the cost and implementation obstacles, Russia has not completed the Yarovaya Law infrastructure, and it has not found a satisfactory solution for the State to enact the blocking of Internet companies for non-compliance with the Yarovaya Law. The same obstacles and the moderate results in data localization may impede the RuNet infrastructure localization. The RuNet Sovereignty Act has represented a step back in the infrastructure localization strategy, by limiting it to the RuNet DNS. However, the situation can change negatively if Russia manages to build the SORM-based Yarovaya Law infrastructure for content collected and stored by a few but prominent information disseminators, like VKontakte, Yandex and possibly — in the near future — Telegram. If this scenario unfolds, Russia will have significantly advanced in creating a sovereign RuNet infrastructure that should function in the case of an emergency. From a theoretical standpoint, the sovereignization of the Russian Internet materializes as the State’s attempt to artificially merge online content with the Yarovaya Law infrastructure. In this digital lock, free expression would be subject to a double pressure: by code (Lessig, 2006), or by infrastructure (Musiani, et al., 2016), as well as by law which regulates content due to its localization in Russia. The convergence of both the infrastructure and the legal instruments under tighter state control are likely to provide new opportunities, in the close future, for Russian authorities to censor free expression. End of article

 

About the author

Liudmila Sivetc is a doctoral candidate at the University of Turku, Finland.
E-mail: liusiv [at] utu [dot] fi

 

Notes

1. Wijermars and Lehtisaari, 2020, p. 1.

2. Lonkila, at al., 2020, p. 18.

3. Lonkila, at al., 2020, p. 2.

4. Lonkila, at al., 2020, p. 3.

5. According to Julien Nocetti (2015a; 2015b), the idea of nationalizing the Russian Internet is not so new and originated from the late 1990s. Following Budnitsky and Jia (2018), the idea was introduced in 1998 for the United Nations in a draft resolution “Developments in the Field of Information and Telecommunications in the Context of International Security”.

6. Balkin, 2014, p. 2,297.

7. Ibid.

8. Balkin, 2014, p. 2,300.

9. Wijermars and Lehtisaari, 2020, p. 2.

10. Regarding these protests, see Gabowitsch (2017).

11. Nocetti, 2015a, p. 2.

12. Sivetc, 2019b, p. 30.

13. Ristolainen and Kukkola, 2019, p. 56.

14. Regarding Web site blocking as a digital lock, see Sivetc (2019a).

15. According to Article 3.1 of Law 152-FZ (2006), personal data includes any information which relates directly or indirectly to an identified or identifiable natural person. In essence, the definition of personal data given in Russian Law is similar to the definition by the EU’s GDPR, Article 4.1. Yet, in contrast to the EU regulation, the Russian Law does not distinguish the data controller, a person who, according to GDPR, Article 4.7, decides on the “purposes and means of the processing”, and the data processor, a person who, according to Article 4.8, manages the processing of data on behalf of the controller. Russian Law combines these two figures under the definition of the data operator.

16. Regarding differences between data localization in a broad and narrow sense, see John Selby, 2017. “Data localization laws: Trade barriers or legitimate responses to cybersecurity risks, or both?” International Journal of Law and Technology, volume 25, number 3, pp. 214–215; doi: https://doi.org/10.1093/ijlit/eax010.

17. A bill banning the possibility to store process personal data not only in Russia but also abroad was introduced in summer 2020.

18. Moscow City Court, Case 33-38783/2016, Judgment of 10 November 2016, p. 3.

19. Spasskii District of Rjazanskaja oblast’ Court, Case 2a-128/2017, Judgment of 16 March 2017; and Korablinskii District of Rjazanskaja oblast’ Court, Case 2a-167/2017, Judgment of 15 June 2017.

20. The name of the list is “Реестр организаторов распространения информации в сети ‘Интернет’,” at https://rkn.gov.ru/opendata/7705846236-InformationDistributor/data-20171101T0000-structure-20161206T0000.xml.

21. Ermoshina and Musiani, 2017, p. 45.

22. Ibid.

23. The Rules were adopted by Government Resolution N728 of 26 June 2018.

24. The Rules were adopted by Government Resolution N21 of 18 January 2018.

25. Ermoshina and Musiani, 2017, p. 44.

26. Ermoshina and Musiani, 2017, p. 45.

27. Zello Inc. made the notification, written both in Russian and English, accessible at https://drive.google.com/file/d/0B-WySugklgXleXlnSWJINkxCQ2M/view.

28. RKN made available the correspondence, done both in Russian and English, at https://vk.com/doc267674468_449128759?hash=0c75b32c96c4fe5221&dl=bac54c99e1a014cbea; the link to the letters is available at https://vk.com/doc267674468_449128766?hash=ff4da1fc224f48a06e&dl=333de840ad03b1e13c.

29. On the Telegram ban case, see in this special issue the dedicated article by Ksenia Ermoshina and Francesca Musiani.

30. As follows from Telegrams complaint before the Russian Supreme Court, case АКПИ17-1181. 20 March 2020. The screened copy of the judgment is available at https://www.agora.legal/fs/a_delo2doc/69_file_VSRF.pdf.

31. The letter is available at https://vk.com/doc1_451499486?hash=bb2bafc08f7fd8ce07&dl=612cc5b7becbbe7ae5.

32. The letter is available at https://vk.com/doc1_451499493?hash=f45613990541c82af8&dl=136a40c575bfa82136.

33. Magistrate court N383 of the Meschanskii District of the Moscow City Court, case 5-1794/2017, 16 October 2017.

34. The Meschanskii District of the Moscow City Court, case 12-3227/2017, 12 December 2017.

35. Supreme Court, 2018, p. 5.

36. The text is available in Russian at http://agora.legal/fs/a_delo2doc/65_file_Telegram_ESPCH_Dop.pdf.

37. As already stated in the article, Facebook and Twitter did not follow the personal data localization requirement and were fined in February 2020.

38. The Meschanskii District of the Moscow City Court, 12-3227/2017, 12 December 2017, p. 2.

39. Point 4 introduced by Law № 90-FZ in Article 562 of Law № 126-FZ on Communication.

40. Law № 187-FZ aims at guaranteeing the stable functioning of the Russian critical information infrastructure in case of computer attacks (Article 1). The critical information infrastructure includes inter alia information the systems and underlying telecom lines owned or operated by domestic companies (Article 2. 6-8). If a special governmental agency decides that systems and lines owned or operated by these companies are significant, such companies will be included on a list depending on the degree of significance, from one to three (Articles 6, 7). Although the companies on the list receive state assistance in resisting computer attacks, first, by providing with relevant information and, second, by intercepting attacks via filters installed in companies’ equipment, the companies are obliged to safeguard their virtual and material facilities at their own expense (Article 10).

41. Point 4 of Article 562 introduced by the Law № 90-FZ.

42. Point 6 of Article 651 introduced by the Law № 90-FZ.

 

References

Anastasia Agamalova and Anastasia Golytsina, 2014. “Путин уверен, что интертет возник как спецпроект ЦРУ,” Vedomosti, at https://www.vedomosti.ru/technology/articles/2014/04/24/putin, accessed 6 November 2020.

Elizaveta Arhangel’skaia, 2016. “Операторы предсказали рост цен на связь в 2–3 раза из-за ‘закона Яровой’,” RBC, at https://www.rbc.ru/technology_and_media/29/06/2016/5773fe0a9a7947e8c8aeffa8, accessed 23 June 2020.

Anna Balashova, Mariia Kolomychenko, and Ivan Kuranov, 2018. “Попал под Раздачу: как из-за Telegram Блокируют Адреса Amazon,” RBC, at https://www.rbc.ru/technology_and_media/16/04/2018/5ad4b5c59a794739885fa03a, accessed 23 June 2020.

Jack M. Balkin, 2014. “Old-school/new-school speech regulation,” Harvard Law Review, volume 127, number 8, pp. 2,296–2,342, and at https://harvardlawreview.org/2014/06/old-schoolnew-school-speech-regulation/, accessed 14 April 2021.

Irina Borogan and Andrey Soldatov, 2013. “Russian surveillance state,” World Policy, at http://www.worldpolicy.org/journal/fall2013/Russia-surveillance.

Stanislas Budnitsky and Lianrui Jia, 2018. “Branding Internet sovereignty: Digital media and the Chinese–Russian cyberalliance,” European Journal of Cultural Studies, volume 21, number 5, pp. 594–613.
doi: https://doi.org/10.1177/1367549417751151, accessed 14 April 2021.

Catalin Cimpanu, 2017. “Russia fines Telegram $14,000 for not giving FSB an encryption backdoor” (16 October), at https://www.bleepingcomputer.com/news/government/russia-fines-telegram-14-000-for-not-giving-fsb-an-encryption-backdoor/, accessed 14 April 2021.

Sharyl N. Cross, 2013. “Russia and countering violent extremism in the Internet and social media: Exploring prospects for U.S.-Russia cooperation beyond the ‘reset’,” Journal of Strategic Security, volume 6, number 4, pp. 1–24.
doi: http://dx.doi.org/10.5038/1944-0472.6.4.1, accessed 14 April 2021.

Ronald Deibert, John Palfrey, Rafal Rohozinski, and Jonathan Zittrain (editors), 2011. Access contested: Security, identity, and resistance in Asian cyberspace. Cambridge, Mass.: MIT Press.

Natalia Demchenko and Mariia Kolomychenko, 2017. “Павел Дуров согласился на внесение Telegram в реестр Роскомнадзора,” RBC, at http://www.rbc.ru/technology_and_media/28/06/2017/5953a8419a7947282cacd076, accessed 23 June 2020.

Doctrine, 2000. “Доктрина информационной безопасности Российской Федерации,” at http://pravo.gov.ru/proxy/ips/?docbody=&nd=102417017, accessed 23 June 2020.

Doctrine of Information Security, 2016, “Доктрина информационной безопасности Российской Федерации,” at http://kremlin.ru/acts/bank/41460, accessed 23 June 2020.

Pavel Durov, 2020. “Durov’s Channel,” publication made 22 June 2020, available at https://t.me/s/durov, accessed 19 July 2020.

Alexey Eremenko, 2014. “Russia to make Internet providers censor content — Report,” Moscow Times, at https://themoscowtimes.com/articles/russia-to-make-internet-providers-censor-content-report-41922, accessed 6 November 2020.

Ksenia Ermoshina and Francesca Musiani, 2017. “Migrating servers, elusive users: Reconfigurations of the Russian Internet in the post-Snowden era,” Media and Communication, volume 5, number 1, pp. 42–53.
doi: http://dx.doi.org/10.17645/mac.v5i1.816, accessed 14 April 2021.

European Convention for the Protection of Human Rights, 1956, at https://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/005, accessed 14 April 2021.

European Court of Human Rights (ECtHR), 2015. Roman Zakharov v. Russia (Application no. 471431/06), 4 December, and at https://hudoc.echr.coe.int/, accessed 14 April 2021.

EU General Data Protection Regulation, 2016 N2016/679, at https://op.europa.eu/en/publication-detail/-/publication/3e485e15-11bd-11e6-ba9a-01aa75ed71a1/language-en, accessed 14 April 2021.

Philip Y. Freiberg, 2014. “Putin’s Russia — On a path to cyber sovereignty?” (24 January).
doi: http://dx.doi.org/10.2139/ssrn.3108579, accessed 14 April 2021.

Mischa Gabowitsch, 2017. Protest in Putin’s Russia. Cambridge: Polity Press.

Alexey Gavrilov, 2017. “О возможной блокировке Zello в России,” at http://blog.zello.com/2017/04/08/%D0%BE-%D0%B2%D0%BE%D0%B7%D0%BC%D0%BE%D0%B6%D0%BD%D0%BE%D0%B9-%D0%B1%D0%BB%D0%BE%D0%BA%D0%B8%D1%80%D0%BE%D0%B2%D0%BA%D0%B5-zello-%D0%B2-%D1%80%D0%BE%D1%81%D1%81%D0%B8%D0%B8/, accessed 23 June 2020.

Anastasiia Golitsyna, 2014. “Совет безопасности обсудит отключение Россииот глобального интернета,” Ведомости, at https://www.vedomosti.ru/politics/articles/2014/09/19/suverennyj-internet, accessed 23 June 2020.

Anastasiia Golitsyna, Elizaveta Ser’gina, and Piotr Kozlov, 2016. “Государство Хочет Контролировать Маршруты Интернет-Трафика в Стране,” Ведомости, at http://www.vedomosti.ru/politics/articles/2016/02/11/628508-gosudarstvo-hochet-kontrolirovat-rossiiskii-zarubezhnii-internet-trafik-strane, accessed 23 June 2020.

Vadislav Gordeev and Irina Li, 2018. “Google Отключила Возможность Обхода Блокировок через её Домен,” RBC, at https://www.rbc.ru/technology_and_media/19/04/2018/5ad862e99a794797fa3b96e5?from=materials_on_subject, accessed 23 June 2020.

Pavel Kantyshev, 2015. “Samsung переводит данные клиентов в Россию,” Vedomosti, at https://www.vedomosti.ru/technology/articles/2015/06/11/596114-samsung-perevodit-dannie-klientov-v-rossiyu, accessed 24 June 2020.

Pavel Kantyshev, 2016a. “Ростеху нужно 10.3 млрд рублей на разработки для закона Яровой,” Vedomosti, at https://www.vedomosti.ru/technology/articles/2016/09/05/655653-rostehu-zakona-yarovoi, accessed 23 June 2020.

Pavel Kantyshev, 2016b. “ФСБ предлагает доработать систему прослушки для исполнения закона Яровой,” Vedomosti, at http://www.vedomosti.ru/technology/articles/2016/08/10/652405-fsb-predlagaet-dorabotat-sistemu-proslushki-dlya-ispolneniya-zakona-yarovoi, accessed 23 June 2020.

Pavel Kantyshev and Anastasiia Golitsyna, 2016. “Рунет Будет Полностью Обособлен к 2020,” Ведомости, at https://www.vedomosti.ru/technology/articles/2016/05/13/640856-runet-obosoblen, accessed 13 May 2020.

Pavel Kantyshev, Elizaveta Ser’gina, and Anastasiia Golitsyna, 2017. “Telegram получил последнее предупреждение,” Vedomosti, at https://www.vedomosti.ru/technology/articles/2017/06/26/695944-telegram-preduprezhdenie, accessed 23 June 2020.

Korablinskii District of Rjazanskaja oblast’ Court, Case 2a-167/2017, judgment of 15 June 2017.

Juha Kukkola, 2018. “New guidance for preparing Russian ‘digital sovereignty’ released,” Finnish Defence Research Agency, Research Bulletin, number 1, at https://puolustusvoimat.fi/web/tutkimus/-/1948673/tutkimuskatsaus-venajan-federaation-hallituksen-digitaalisen-talouden-ohjelmasta, accessed 23 June 2020.

Juha Kukkola and Mari Ristolainen, 2018. “Projected territoriality: A case study of the infrastructure of Russian digital borders,” Journal on Information Warfare, volume 17, number 2, pp. 83–100, and at https://www.jinfowar.com/journal/volume-17-issue-2/projected-territoriality-case-study-infrastructure-russian-digital-borders, accessed 14 April 2021.

Juha Kukkola, Mari Ristolainen, and Juha-Pekka Nikkarila, 2017. “Game changer: Structural transformation of cyberspace,” Puolustusvoimien tutkimuslaitos (Finnish Defence Research Agency), Julkaisuja (publication) 10, at https://maavoimat.fi/documents/1951253/2815786/PVTUTKL+julkaisuja+10.pdf/5d341704-816e-47be-b36d-cb1a0ccae398/PVTUTKL+julkaisuja+10.pdf.pdf, accessed 23 June 2020.

Aleksandr Kuznetsov, 2019. “Telegram продержался ровно год,” at https://www.iguides.ru/main/other/telegram_proderzhalsya_rovno_god/, accessed 23 June 2020.

Aleksandr Kuznetsov, 2018. “Telegram теперь точно не заблокировать. В приложениях появилась поддержка MTProto Proxy,” at https://www.iguides.ru/main/os/telegram_teper_tochno_ne_zablokirovat/, accessed 23 June 2020.

Lawrence Lessig, 2006. Code. Version 2.0. New York: Basic Books.

Law № 126-FZ, Federal law of the Russian Federation, “On communication,” 7 July 2003, at https://cis-legislation.com/document.fwx?rgn=5060, accessed 14 April 2021.

Law № 149-FZ, Federal law of the Russian Federation, “On information, information technologies, and information protection,” 27 July 2006, at https://www.legislationline.org/documents/id/17757, accessed 14 April 2021.

Law № 152-FZ, Federal law of the Russian Federation, “On personal data,” 28 July 2006, at https://iapp.org/media/pdf/knowledge_center/Russian_Federal_Law_on_Personal_Data.pdf, accessed 14 April 2021.

Law № 242-FZ, Federal law of the Russian Federation, “Amending certain legislative acts of the Russian Federation as to the clarification of the processing of personal data in information and telecommunications networks,” 21 July 2014, at https://wilmap.law.stanford.edu/entries/federal-law-no-242-fz, accessed 14 April 2021.

Law № 97-FZ, Federal law of the Russian Federation, “Amending federal law ‘On information, information technologies and protection of information’ and other legislative acts of the Russian Federation concerning putting in order information exchange using information and telecommunication networks,” 21 July 2014, at https://wilmap.law.stanford.edu/entries/federal-law-no-242-fz, accessed 14 April 2021.

Law № 526-FZ, Federal law of the Russian Federation, “On introducing amendments to Article 4 of the Federal law ‘On introducing amendments to certain legislative acts of the Russian Federation with regard to personal data processing in information and telecommunications networks’,” 13 December 2014.

Law № 374-FZ, Federal law of the Russian Federation, “‘On combating terrorism’ and certain legislative acts of the Russian Federation regarding the establishment of additional counter-terrorism measures and public security,” 6 July 2016, at https://wilmap.law.stanford.edu/entries/federal-law-374-fz-amending-federal-law-combating-terrorism-and-certain-legislative-acts, accessed 14 April 2021.

Law № 187-FZ, Federal law of the Russian Federation, “Amending legislative acts of the Russian Federation concerning the questions of protection of intellectual rights in information and telecommunication networks,” 2 July 2013, at hhttps://wilmap.law.stanford.edu/entries/federal-law-no-187-fz, accessed 14 April 2021.

Law № 241-FZ, Federal law of the Russian Federation, “On amendments to articles 10(1) and 15(4) of the federal law on information, information technology and information protection,” 29 July 2017, at http://publication.pravo.gov.ru/Document/View/0001201707300031?index=0&rangeSize=1, accessed 14 April 2021.

Law № 90-FZ, Federal law of the Russian Federation, “On amendments to the Federal law ‘On communications’ and the federal law ‘On information, information technologies and information protection’,” 1 May 2019.

Law № 405-FZ, Federal law of the Russian Federation, “On the introduction of amendments to the Administrative Offenses Code of the Russian Federation,” 2 December 2019.

Iurii Litvinenko, 2020. “Суд оштрафовал Twitter and Facebook за отказ перенести данный в Россию,” Vedomosti, at https://www.vedomosti.ru/technology/articles/2020/02/13/822980-twitter, accessed 23 June 2020.

Markku Lonkila, Larisa Shpakovskaya, and Philip Torchinsky, 2020. “The occupation of Runet? The tightening state regulation of the Russian-language section of the Internet,” In: Mariëlle Wijermars and Katja (editors). Freedom of expression in Russia’s new mediashere. London: Routledge, pp. 17–38.
doi: https://doi.org/10.4324/9780429437205, accessed 12 April 2021.

Milton Mueller, 2010. Networks and states: The global politics of Internet governance. Cambridge, Mass.: MIT Press.
doi: https://doi.org/10.7551/mitpress/9780262014595.001.0001, accessed 12 April 2021.

Minkomsvyaz, 2016. “Bill on ‘Autonomous Russian Internet,’ ID of the project 01/05/11-16/00058851,” at http://regulation.gov.ru/projects#npa=58851, accessed 24 June 2020.

Francesca Musiani, Benjamin Loveluck, Françoise Daucé, and Ksenia Ermoshina, 2019. “Souveraineté numérique: l’Internet russe peut-il se couper du reste du monde?” (18 March), at https://theconversation.com/souverainete-numerique-linternet-russe-peut-il-se-couper-du-reste-du-monde-113516, accessed 25 May 2019.

Francesca Musiani, Derrick L. Cogburn, Laura DeNardis, and Nanette S. Levinson (editors), 2016. The turn to infrastructure in Internet governance. New York: Palgrave Macmillan.
doi: https://doi.org/10.1057/9781137483591, accessed 12 April 2021.

Magistrate court N383 of the Meschanskii District of the Moscow City Court, 2017. “Case 5-1794/2017,” 16 October 2017.

Meschanskii District of the Moscow City Court, 2017. “Case 12-3227/2017,” 12 December 2017.

Moscow City Court, 2016. “Case 33-38783/2016,” 10 November 2016.

Julien Nocetti, 2015a. “Russia’s ‘dictatorship-of-the-law’ approach in Internet policy,” Internet Policy Review, volume 4, number 4, pp. 1–19.
doi: https://doi.org/10.14763/2015.4.380, accessed 12 April 2021.

Julien Nocetti, 2015b. “Contest and conquest: Russia and global Internet governance,” International Affairs, volume 91, number 1, pp. 111–130.
doi: https://doi.org/10.1111/1468-2346.12189, accessed 12 April 2021.

Dawn C. Nunziato, 2014. “I’m still dancing: The continued efficacy of First Amendment and values for new-school regulation,” Harvard Law Review Forum, volume 127, number 8, pp. 367–372.

Privacy International, 2013. “Lawful interception: Russian approach” (4 March), at https://privacyinternational.org/blog/1296/lawful-interception-russian-approach, accessed 15 July 2020.

Programme of Digital Economy, 2017. “Программа Цифровая экономика Российской Федерации,” at http://static.government.ru/media/files/9gFM4FHj4PsB79I5v7yLVuPgu4bvR7M0.pdf, accessed 23 June 2020.

Programme of Information Society, 2014. “Государственная программа Информационное общество,” at https://digital.gov.ru/ru/documents/4137/, accessed 23 June 2020.

Maksim Proshkin, 2017. “Snapchat не собирается выполнять требования Роскомнадзора после попадания в реестр,” Novaja Gazeta, at https://www.novayagazeta.ru/news/2017/08/11/134334-snapchat-ne-sobiraetsya-vypolnyat-trebovaniya-roskomnadzora-posle-popadaniya-v-reestr, accessed 23 June 2020.

RBC, 2017. “Роскомнадзор исключил доступ к переписке при включении Telegram в реестр,” at http://www.rbc.ru/rbcfreenews/595155f29a79477337fa7e3f, accessed 23 June 2020.

Mari Ristolainen and Juha Kukkola, 2019. “Closed, safe, and secure — The Russian sense of infromation security,” In: Vladlena Benson and John McAlaney (editors). Emerging cyber threats and cognitive vulnerabilities. London: Academic Press, pp. 53–71.
doi: https://doi.org/10.1016/B978-0-12-816203-3.00003-4, accessed 12 April 2021.

RKN, 2020. “О мессенджере Телеграмм,” at https://rkn.gov.ru/news/rsoc/news73050.htm, accessed 19 July 2020.

RKN, 2017a. “Операторы связи ограничат доступ к приложению Zello,” at https://rkn.gov.ru/news/rsoc/news43955.htm, accessed 24 June 2020.

RKN, 2017b. “Руководитель Роскомнадзора о ситуации с мессенджером Telegram,” at https://rkn.gov.ru/news/rsoc/news47008.htm, accessed 24 June 2020.

RKN, 2017c. “Администрации и пользователям Telegram,” at https://rkn.gov.ru/news/rsoc/news46796.htm, accessed 24 June 2020.

RKN, 2017d. “Руководитель Роскомнадзора о ситуации с мессенджером Telegram,” at https://rkn.gov.ru/news/rsoc/news47008.htm, accessed 24 June 2020.

Roman Rozhkov, 2018. “Telegram не отдаёт ключи,” Kommersant, at https://www.kommersant.ru/doc/3579067, accessed 25 June 2020.

Roman Rozhkov, 2017. “Twitter перенесёт базы данных в Россию к лету 2018,” Kommersant, at https://www.kommersant.ru/doc/3275630, accessed 23 June 2020.

Rules on Cooperation between Internet Information Distributors and Investigative Agencies, 2018, introduced by Government Resolution N21, 18 January 2018.

Rules on the Storage of Content by Telecoms, 2018, introduced by Government Resolution N445, 12 April 2018.

Rules on the Storage of Content by Disseminators of Information via the Internet, 2018, introduced by Government Resolution N728, 26 June 2018.

Russian Supreme Court, 2018. “Case АКПИ17-1181, 20 March 2018,” at http://www.consultant.ru/document/cons_doc_LAW_296706/, accessed 12 April 2021.

John Selby, 2017. “Data localization laws: Trade barriers or legitimate responses to cybersecurity risks, or both?” International Journal of Law and Technology, volume 25, number 3, pp. 214–215; doi: https://doi.org/10.1093/ijlit/eax010, accessed 12 April 2021.

Elizaveta Ser’gina and Aleksei Nikol’skii, 2016. “Идея ‘Ростеха’ создать для операторов единое хранилище данных не прошла,” Vedomosti, at https://www.vedomosti.ru/technology/articles/2016/11/22/666358-ideya-rosteha-proshla, accessed 23 June 2020.

Elizaveta Ser’gina, Valerii Kodachigov, and Pavel Kantyshev, 2017. “Эксперты обсудят отмену закона Яровой,” Vedomosti, at https://www.vedomosti.ru/technology/articles/2017/01/11/672598-eksperti-otkritogo, accessed 23 June 2020.

Liudmila Sivetc, 2019a. “The blacklisting mechanism: New-school regulation of online expression and its technological challenges,” In: Mariëlle Wijermars and Katja (editors). Freedom of expression in Russia’s new mediashere. London: Routledge, pp. 39–56.
doi: https://doi.org/10.4324/9780429437205, accessed 12 April 2021.

Liudmila Sivetc, 2019b. “State regulation of online speech in Russia: The role of internet infrastructure owners,” International Journal of Law and Information Technology, volume 27, number 1, pp. 28–49.
doi: https://doi.org/10.1093/ijlit/eay016, accessed 12 April 2021.

Spasskii District of Rjazanskaja oblast’ Court, Case 2a-128/2017, Judgment of 16 March 2017.

Ilona Stadnik, 2019. “Sovereign RUnet: What does it mean?” Internet Governance Project (12 February), at https://www.internetgovernance.org/research/sovereign-runet-what-does-it-mean/, accessed 20 March 2021.

Strategy of National Security, 2015. “Стратегия национальной безопасности Российской Федерации,” at http://kremlin.ru/acts/bank/40391, accessed 23 June 2020.

Strategy of Information Society Development for 2017–2030, 2017. “Стратегия развития информационного общества на 2017–2030 годы,” at http://pravo.gov.ru/proxy/ips/?docbody=&nd=102431687, accessed 23 June 2020.

Iuliia Tishina and Anna Afanas’eva, 2017. “К ‘закону Яровой’ подключилось кабельное,” Kommersant, at http://www.kommersant.ru/doc/3235190, accessed 23 June 2020.

Iuliia Tishina and Vladislav Novyi, 2017. “‘Пакет Яровой’ включат в счёт,” Kommersant, at https://news.rambler.ru/articles/37400300-paket-yarovoy-oplatyat-abonenty/?updated=news, accessed 23 June 2020.

Anna Trunina, 2017. “Пользователи Telegram рассказали о рисках блокировки мессенджера в России,” RBC, at http://www.rbc.ru/technology_and_media/16/05/2017/591a47379a79472093b1f761, accessed 23 June 2020.

Vedomosti, 2018. “ФСБ отказалась рассматривать переписку в мессенджерах как охраняемую законом тайну,” at https://www.vedomosti.ru/technology/news/2018/03/20/754290-fsb-perepisku-v-messendzherah, accessed 23 June 2020.

Shaun Walker, 2016. “Russia blocks access to LinkedIn over foreign-held data,” Guardian (17 November), at https://www.theguardian.com/world/2016/nov/17/russia-blocks-access-to-linkedin-over-foreign-held-data, accessed 23 June 2020.

Mariëlle Wijermars and Katja Lehtisaari (editors). Freedom of expression in Russia’s new mediashere. London: Routledge.
doi: https://doi.org/10.4324/9780429437205, accessed 12 April 2021.

Alexandr Zharov, 2019. Cited in “Роскомнадзор отчитался об успехах в замедлении работы Telegram,” Interfax, at https://www.interfax.ru/russia/658375, accessed 23 June 2020.

Alexandr Zharov, 2017. “Глава Роскомнадзора: логично контролировать точки входа интернета в страну,” interview to editor in chief Igor Chernyak, AIF.RU, at http://www.aif.ru/society/web/glava_roskomnadzora_logichno_kontrolirovat_tochki_vhoda_interneta_v_stranu, accessed 32 Jume 2020.

 


Editorial history

Received 2 April 2021; accepted 7 April 2021.


Copyright © 2021, Liudmila Sivetc. All Rights Reserved.

Controlling free expression “by infrastructure” in the Russian Internet: The consequences of RuNet sovereignization
by Liudmila Sivetc.
First Monday, Volume 26, Number 5 - 3 May 2021
https://firstmonday.org/ojs/index.php/fm/article/download/11698/10127
doi: https://dx.doi.org/10.5210/fm.v26i5.11698