To protect 'digital sovereignty,' Russia threatens to block Google, Facebook

Russia, like most countries, is struggling to balance public desire for privacy with the government's interest in monitoring potentially criminal activity. But the Kremlin's approach strikes observers as too heavy-handed.

Russia's freewheeling cyber-universe has grown by leaps and bounds in recent years, and now has more than 80 million users, or about 60 percent of the population. But in the name of "digital sovereignty," authorities are stepping up efforts to corral it, part of a worldwide race between galloping online technology and the desires of law enforcement to keep tabs on all that activity.

Critics say the battle lines are forming around the challenge of encryption, which companies are increasingly upgrading in the post-Edward Snowden era to satisfy the privacy concerns of customers.

In Russia, authorities are fighting back with a tough law that comes into effect Sept. 1, requiring all global Internet platforms, such Twitter, Google, Facebook, and Apple, as well as cyber-businesses of all kinds, to store the data of Russian users on in-country servers. In another signal, the Russian communications watchdog Roskomnadzor last week demanded that Apple and Google remove items of "extremist content" that are banned under Russian law.

Moreover, it pointedly warned that due to the encryption employed, Russian servers may be forced to take down entire platforms in order to block one piece of objectionable content.

The idea is that data stored on Russian servers will be protected from the prying eyes of the US National Security Agency. However, experts say it may also rope off Russian cyberspace and make it easier for Russian authorities to control what their own citizens are posting and reading on the Internet.

The main way Russian authorities have been doing that so far, since passage of a 2012 law enabling an official blacklist, is through a cumbersome register of banned websites that Russia-based Internet Service Providers (ISPs) are required to block.

The list currently contains over 10,000 websites, mostly for content even an ardent civil libertarian might have trouble defending, such as child pornography, pro-terrorist agitation, and sites that glamorize suicide. Some are more overtly political, including the Livejournal blog of Russian anti-corruption politician Alexei Navalny, the news service Grani.ru, and the web page of exiled anti-Kremlin activist Gary Kasparov.

"Many of these prohibitions are reasonable, no one is denying that," says Stanislav Kozlovsky, head of Russian Wikimedia. "But one emerging problem is that big companies are now switching" from conventional to "https" secured websites which are much harder for law enforcement to crack.

"In these cases, one particular piece of content can't be simply excised, and the only way to block it would be to pull down the whole platform. What I don't understand is why [the authorities are] doing it this way. Why don't they just go after real child pornographers?"

The encryption balance

Last week Roskomnadzor sent out warning letters to Google, Twitter, and Facebook, reminding them that they are required by Russian law to hand over data about any Russian blogger – effectively any user – who has more than 3,000 readers daily. Any user of the services who posts items calling for "unsanctioned protests and unrest" must be blocked, and due to the companies' use of https encryption, that could force Russian ISPs to block the entire site.

"In our letters we regularly remind companies of the consequences of violating Russian legislation," Roskomnadzor spokesman Vadim Ampelonsky told journalists.

In another warning, Roskomnadzor demanded Google and Apple drop applications that enabled users to download banned extremist material, including Adolf Hitler's book Mein Kampf and the works of a well-known Islamist writer. According to Russian media reports, the two companies subsequently complied with Roskomnadzor's order.

"There are real extremist works out there which could be dangerous," says Alexander Verkhovsky, head of the Moscow-based Sova Center, which tracks extremist groups in Russia. "But the laws are very badly formulated, and it sends law enforcement off to do useless things a lot of the time, like cracking down on Nazi toy soldiers and such. It's easy to find material to ban, and I guess that's why the list just keeps growing."

In barely three months, the new law requiring all companies that operate in Russian cyberspace to store the data of all Russian users on local servers will come into effect. Experts say the law is a sweeping declaration of "digital sovereignty," but it's also impossible to guess how it may be enforced.

"Unfortunately, technology is moving much faster than the ability of legislation and law enforcement to keep up with it," says Andrei Kolesnikov, director of the Coordination Center for Ru.net Domains.

And while Russia may be using its own unique mixture of threats and ill-focused laws to try to address the encryption challenge, it's a global issue.

"After Snowden's revelations, people started encrypting everything. You get this pushback, and law enforcement scrambles to catch up. That's why I don't really worry about Russia's Internet, despite all the concerns people express," Mr. Kolesnikov says. "It's just too big and dynamic, and it's basically developing fine."