The Kremlin is pushing for a “sovereign internet”. But at what cost?
As Russia’s moves towards a “sovereign internet” gather speed, Russia’s IT sector is weighing up the cost of isolation.
“The best programmers are actively leaving the country,” Pyotr, the head of a St Petersburg IT start-up, tells me.
“Many major western companies left Russia long ago. Start-ups and investors have left because of the political and economic situation. Even organisations with roots in Russia have repositioned themselves towards western projects.”
Today, Russia’s digital sector is working at half strength. Recent “sovereign internet” legislation could weaken its position further. The law’s authors believe it will ensure the Russian internet’s “safe and sustainable operation” in case of external “threat”.
But if the law goes through, Russia’s tech businesses will be face a threat from within - locked behind an iron firewall, the country’s IT sector may just simply fade away.
The new law is not aimed at maintaining the smooth functioning of the internet in Russia, but controlling information. The draft bill proposes a number of key elements: Roskomnadzor (RKN), Russia’s Federal Supervision Agency for Information Technologies and Communications, will hold a register of Internet Exchange Points, which will mean that operators may only use data centres that are under its control;
Operators must install equipment “to counteract threats to reliability”, which will help pinpoint sources of traffic and to which Roskomnadzor will have authorisation control; After this equipment is installed, Roskomnadzor will be able, “in case of threats” (as defined by the agency itself), to take centralised control of networks;
Operators and service providers must attend training sessions on guaranteeing internet functionality, which will lead to official interventions;
Operators will need to report any use by them of trans-border networks (i.e. networks crossing state frontiers), justify the necessity of this use and record all the traffic passing through them;
Roskomnadzor is initiating the creation of a national domain name system, where decisions will be taken unilaterally, from the top down (a special NGO will be set up for this purpose).
Each of these points throws up questions. How will the system work? Who will be responsible for what? Who will provide the bulk of the finance? The only thing that is clear is that isolating the Runet will be expensive and murky. There has as yet been little discussion of what will be paid by businesses and what by users, but it’s likely that private providers and operators will bear the brunt of the cost.
IT companies and specialists will probably have three notional choices: to accept Roskomnadzor’s demands and resolve bureaucratic issues in compliance with the limitations it has imposed; to create alternative networks and organise work on an “ad hoc” basis; or to physically move capacity outside the “sovereign” internet.
The situation is obviously reminiscent of China’s “Golden Shield” internet project, otherwise known as "The Great Firewall of China”. China’s information security programme has been in development since 1993, and has been operating since 2003. Today, China’s internet is an independent economic space regulated by many elements: infrastructure, communication, filtration and even self-censorship. The project’s political and ideological aspects were aimed at creating new norms of maintaining content security, restricting access to the free expanse of communication and global services and keeping track of criticism of the regime.
These two decades of regulated development have given the Chinese internet its own practices, products and structures. There is an equivalent, or even a more relevant localised version, of practically every global service. China’s information and communication technology market is fully competitive on a global level, as well as providing for local demand. And this totalitarian regime has quite quickly become the norm for users, making them citizens of their powerful national internet.
In practice, the Runet isolation project may take a number of forms, depending on the level of threat to the everyday work of developers
The same kind of development is, however, not possible in the Russian context. It’s not a question of a potential shortfall in financial, technological and human resources. It’s more the fact that over the last 20 years, Runet users have enjoyed free and unlimited access to the web, without perceptible barriers, filters or restrictions. Back in 2012, Russia occupied 30th place in the Free Internet ratings, while in 2017 it had already sunk to 50th place.
Today, any attempt to impose restrictions, as well as promoting the idea of a “good user” as a “good citizen”, provokes confusion and criticism in Russia. But real monitoring and regulatory actions will become a training ground for creativity around “how to avoid blocking”. Russia’s project of a “sovereign internet” is doomed to failure, even when presented as an “information security” measure.
In practice, the Runet isolation project may take a number of forms, depending on the level of threat to the everyday work of developers.
Today, we can observe the echoes of the partial blocking of resources that was particularly obvious on the wave of last April’s war between Roskomnadzor and the Telegram messenger app. Technical glitches on the first evening brought down hundreds of thousands of websites, including social media sites Facebook, VKontakte, Odnoklassniki and Twitter. And although the problem was quickly fixed, instructions momentarily appeared on the internet, instructing users on how to avoid Roskomnadzor blacklists and even running short courses on surviving digital isolation. Professional communities and savvy users can easily avoid the blocks; they are more likely to affect ordinary users and impinge on the Russian audience’s experience of the web.
While everyone waits for further details, which the Russian government should announce by November 2019, I discussed the law and its possible consequences with representatives of Russia’s IT sector.
This turned out to be far from simple: the news about the Runet going it alone is either not taken seriously or completely ignored. Only a few IT specialists agreed to share their thoughts, and they all requested anonymity - this means that their reflections will be general. These sources work both for Russian and international companies engaged in the Russian market, and are involved in software design for both business and home use.
The price of isolation
The developers I talked to believe that problems with Russia’s “sovereign internet” law will come at the technical input stage, especially bearing in mind the fact that similar, smaller initiatives haven’t yet been implemented completely - such as the “Yarovaya Law”, SORM telecommunications interception and site blocking.
Experiments with individual companies, including Yandex, have confirmed that there are no technological fixes that can guarantee the sustainable operation of an internet network under official control. Deep filtration systems (DPI), which the law proposes to use to control internet traffic, have a considerable slowing down effect on speed, which comes at a cost to everyone using the web – both individual users and businesses.
Other IT specialists note that the process requires not just technical, but also organisational measures. In practice, this means that for the “sovereign internet” project to be completed, a new scheme of relations and responsibilities between the large number of state subcontractors and the manufacturers of the relevant systems needs to be developed. This is where the companies that will benefit from a “sovereign internet” come from (e.g. software and hardware producers), but also those who will directly lose out (such as internet operators). And this doesn’t even include the indirect costs, which are impossible to estimate at present.
The imagined “master switch” to turn off Russia’s internet could remain nothing more than a stage prop
The specialists whom I talked to stress that just about anything can happen to a project between its outset and conclusion. For example, if the conditions under which measures “to counteract threats to reliability” are supposed to be used remain the same (e.g. in extreme circumstances), then no one will suffer from these measures. The imagined “master switch” to turn off Russia’s internet could remain nothing more than a stage prop.
Developers admit, however, that the system will probably be used for regulatory and monitoring functions, including the monitoring of civic activity. We can now see the genesis of this project in Roskomnadzor’s blacklists and legal measures designed to limit speech, such as Russia’s recent law on disrespecting state authorities. Against the background of these specific initiatives, the potential effect of Runet’s isolation depends on political willpower: either the project will limit itself to large providers and the development of a “secure infrastructure”, or will be implemented on a wide scale, which will definitely turn into an ideological project.
A conflict of ideologies
The “Runet” bill is being developed as part of the Russian state’s “digital economy” programme, introduced as a priority in 2017. But the idea of a “sovereign internet” contravenes this policy by definition, since a digital economy is closely connected with cross-border links and assumes freedom of communication.
Conversations about preparations to isolate the Runet, however, have been happening since 2006-2007, and even then experts’ assessments excluded the likelihood of a complete shutdown of the Russian internet “due to external threats”. The political situation, teams from relevant ministries and strategic policy directions have changed - and digital sovereignty has only now made it on to the agenda.
The ideological element of the bill has been received ambiguously, mostly in terms of similar situations and examples, from the most neutral to the more critical. Some people are comparing it with the Mir card payment system introduced in 2017, designed to be an alternative to the globally used SWIFT in case Russia lost access. Now Mir (“World”) has become the dominant payment system for public sector organisations in Russia, but this is no longer seen as an issue - all other cards can be used as well.
A more serious ideological issue is the Telegram app and the attempts to block it. Here, professional consensus is also lacking: some people see these attempts as stupid and pathetic, while others have welcomed the technical facilities used by Roskomnadzor. There are also some who see this as a political standoff that should have been technically won by the messenger company. Yet the Telegram case demonstrated two important aspects of the IT world. First, any badly designed technical restriction contains a weakness that specialists will notice and use to their advantage. Second, the professional community will show solidarity in order to protect its freedoms and spaces, even if that means teaching users to set up a VPN (Virtual Private Network).
Finally, the example of the Chinese internet is becoming increasingly politicised. It operates almost completely within a firewall – an inter-connected screen that prevents free exchange of traffic. And although it’s not clear how this was developed technically, even the Russian-language internet is full of recommendations on how to get round it. China’s internet has been able to work efficiently thanks to a highly developed internal market and high digital capacity, not to mention exceptionally loyal developers who don’t want to mix business with politics.
China’s isolated internet is part of a massive totalitarian project which, among other things, includes a system of total surveillance and social status on the basis of personal data. When the founder of a Chinese start-up, which developed facial recognition technology that went on to be used by government agencies, was asked about the consequences of his work, he replied: “We aren’t running so far ahead so as to find out whether AI will be in conflict with humans. We’re just trying to earn money.” Russian designers partly understand and even sometimes justify this attitude, but still, their professionalisation took place in a period of free internet access.
Relocating behind the firewall
Putting the draft law into practice might affect the development of Russia’s IT market, which grew out of multinational cooperation and isn’t limited by state boundaries.
In the Russian segment of the internet, partial blocks have become the norm over the last few years, which is no surprise. The general trend towards state control of the internet’s free space still, however, angers people. A protest against the draft law took place back in March, and since the news of its progress in April even staff at IT companies have been criticising various aspects of it. For the moment, its effects are very minor and have barely touched daily lives and professional activities, and while we can avoid them fairly easily, isolation isn’t a serious danger.
Nonetheless, the IT sector assumes constant free access to information and an absence of hard limits to the spread of its developments. But for Russia’s IT-sector, isolation would risk its intellectual and technical resources and hence its IT reputation on a global level.
Some people working in the area suggest that the bill will have little impact on the current labour market, as it won’t involve changes in technology, or that its effect will be minimal. Others believe that this initiative will increase professional mobility and migration – a natural reaction on the part of IT specialists to the existing restrictions and confusion.
According to a development engineer at one Russian company, “programmers have the most freedom in the sector, but Western companies headhunt our specialists for their high qualifications and relatively low recruitment costs”.
Depending on the extent of the barriers that will be imposed, specialists will also look at their own outgoings to see how the restrictions will affect them personally or directly obstruct their professional lives. Russia already suffered an IT brain drain in 2012-2014, and the isolation of the Runet might be the next significant factor in this trend. On the other hand, new market niches may emerge, connected with the maintenance of the equipment needed for the operation of the upcoming changes. The Runet issue could lead to lifestyle choices – to leave or to stay: the situation is unstable and unpredictable in general.
Major companies operating in Russia, such as DataArt, EPAM, SAP, JetBrains and Wrike are now busy opening offices in other countries and are happy to relocate their workforce out of Russia. This way, they can hope to not only retain workplaces for their staff, helping them move, but also maintain their market position and reputation.
As a result, some professionals will choose internal “migration” within their companies and some will leave to look for more freedom and better working conditions elsewhere, but the greater part will stay where they are. For them, their next choice will hang on the development of the IT sector itself: isolated from global development, it can only rely on its own capacity and resources, which are pretty limited in Russia. We may reasonably expect stagnation in Russia’s IT sector - extremely undesirable in a developing digital economy.