Skip to main content

Interview with Andrei Soldatov on Digital Rights in Russia

Andrei Soldatov, interviewed by Human Rights Watch in April, is an investigative journalist, nonfiction writer and a top expert on Russia’s security services. His book “The Red Web,” co-authored with Irina Borogan, tells the story of the Russian internet and the Kremlin's war on digital freedoms.

How would you describe the current state of digital rights in Russia? Which developments do you identify?

I think today we are in an age of declining digital rights in Russia. This process began in 2012, but in 2019, things got really bad – we saw significant negative developments. The first one is the ‘sovereign internet’ law, which actually develops a system enabling the authorities, among other things, to switch off the internet in specific regions of the country or separate those regions from the rest of the country. The second law is on mandatory pre-installation of Russian-made apps, which means that every Russian user will have those Russian apps pre-installed on his or her smartphone. This law will come into effect in December 2020. The idea is to make Russian customers use Russian developers’ applications, which can be easier to control than foreign apps.

Several older laws have been ramped up with bylaws over the last years, such as the law on virtual private networks (VPNs) and internet anonymizers and the Yarovaya amendments. What do you think was the government’s strategy behind these laws?

The problem was that for years the government was trying to find an effective strategy. They tried this and that, and it was not always successful. For instance, we all remember this monumental battle over Telegram, when the government tried to block Telegram completely. But now they are using Telegram themselves, including lots of ministers, high-level government officials, and the Kremlin’s public relations teams. So the government is not consistent.

There was also a big battle over introducing blacklists of banned websites. This also was not very successful, I would say, because if you want to access this blocked information in Russia, it’s entirely possible using very simple methods. The same goes for the VPN law. It’s technically not very successful. So, the government has been trying to find effective means and in 2019, they found what could work. The sovereign internet law could be very effective. The idea is not to isolate the country completely. The government is aware that this would not be practical. They know that they are too dependent on the global net. But what they want is to have a tool to isolate specific regions where they face a crisis and prevent public protests from spilling over to other parts of the country, like what we saw in Ingushetia for almost a year and a half, with protests over the local land dispute with Chechnya.

And now, during the coronavirus crisis, it’s a big temptation for the government to use this legislation. For example, it’s easy to imagine that there’s an increase of infected people in one region, and you want to prevent panic from spreading. Now you have the ability to isolate this region, while saying this is only for the safety of local residents, and the public would most likely buy it.

The law on pre-installation of apps could also be very significant because it would make people live in a bubble of Russian-developed applications. If you would have that, you don’t need to find a way to make Google, Facebook, or Twitter cooperate anymore. The government spent a lot of resources over the last seven years to get these companies to cooperate with restrictive legislation, but these attempts were not really successful. But now the authorities can localize Russian users in a bubble of Russian social media and Russian email services, which would be much more effective. The authorities also understand that in a time of crisis, ordinary users, not activists, would disseminate sensitive information, and would most likely turn to the means they became used to, i.e. Russian apps.

So, you would say when it comes to the part of the sovereign internet law on the national domain name system (DNS) and cutting off the Russian internet from the rest of the world, this is not realistic, but it aims at censoring and isolating specific regions?

Exactly.

Would you say there’s simply no political will to isolate the whole Russian part of the internet, or do you think it’s also not technically possible to implement?

I think it’s both. The cost would be too high, and it wouldn’t make sense. When the Russian government introduced internet censorship in 2012, they mistakenly assumed that the most dangerous, subversive content comes from outside of the country. That’s why they tried to implement the blacklist system and to get Google, Twitter, and other giants to cooperate. But by now, it is clear that the most sensitive and subversive content about Russian authorities emerges from inside. It’s not really about foreign media broadcasting in Russia like RFE/RL or Voice of America. It’s about Alexei Navalny’s videos, it’s about citizen bloggers witnessing something outrageous, posting about it, and, on occasion, triggering street protests. It’s not about products developed in Washington, DC. They want to get control over content developed here, within the country.

Speaking of deep package inspection (DPI) technology, which is a big part of the sovereign internet law, what are the consequences for freedom of speech and the right to information?

The technical problem with the sovereign internet legislation is that even if you want to block a region, it’s difficult. You can block particular kinds of traffic, but you cannot block all traffic. It is clear by now that video, especially live streams, have the strongest effect, because they motivate people to do something. Watching something happening in real time is a much more emotional experience than reading about it. DPI helps deal with that exact problem. It might not cut off all traffic and communication, but it can cut off all videos, live streams, YouTube, etc.

How useful do you think DPI could be for censoring emails and messages?

It’s not that easy to implement on the technical side. The problem is the amount of traffic. DPI is very effective and very scary on the surface. But to make it work properly, you need to have huge analytical capabilities – that is, databases and huge servers to process the traffic. One thing is to install DPI on a company server to control emails send by your employees, which is easily doable and not very costly. But on a citywide or national level, it’s a completely different undertaking.

I don’t think Russia is capable of building the necessary facilities right now, so I think analyzing all messages is just not practical at the moment. I think to do that, you would have to have many people helping the system. The Russian system of internet censorship is also known for having very few people working for it. It’s just a couple of hundred, not thousands, of people which the government would need. So, there are some limitations here, fortunately.

Do you think it would be possible to ramp up implementation through bylaws as the government did with the VPN law and the Yarovaya amendments, and have it more rigorously implemented in the future?

I’m still skeptical. I think the primary goal of the Yarovaya amendments was to scare off Russian companies and to make them more cooperative. This was a strong strategy. If you can’t intimidate all your internet users because there are too many, you can intimidate internet companies. Given the fact that we still have a very hierarchical infrastructure of the internet in our country with very few companies, it’s enough to scare those few. This would have a huge impact on internet freedom and censorship. The government spent a lot of time looking for ways to scare these companies. That’s why the legislation was always so vague on the technical side. The first goal was not the actual implementation, but intimidation of those companies, although now they actually started thinking of how to implement it.

Would you say that the ultimate goal is also to scare users, since they don’t know whether their messages are read by anyone or might be censored, which then leads to some sort of self-censorship?

Not directly. With users, they use a different strategy. What they do is resort to this very broad list of criminal offenses which can be invoked against people posting content on social media. In particular, they prosecute people for supposedly inciting hatred and extremism. This has had a big impact on internet freedom in Russia, because now people just don’t understand what they are allowed to say. It’s very arbitrary, it differs from region to region. What people understand is that if you’re, for example, Navalny, and you have the publicity, you can say things that are critical and get away with it, but if you’re just an ordinary guy in a small region, you could go to jail for similar content, and nobody would know or care. This results in self-censorship. People think it’s better to be cautious.

I don’t see the government actively spreading the message that they censor and surveil users’ traffic through DPI. Sometimes they very actively advertise their surveillance plans. For example, in Sochi, before the 2014 Olympics, the government actively spread the message about surveillance in the city. We published a big story in The Guardian about the system they built to spy on all visitors, and the government actually promoted our article. They translated it and commented on it. The idea was to spread the message, “You are being spied on, even The Guardian says it, so you’d be better off not doing anything stupid.” Sometimes they resort to technical means to intimidate people, but I don’t see this with DPI. They use the law enforcement system and the judiciary for these purposes, and sometimes you don’t even know for what you’d be punished, so you’re just compelled to keep your mouth shut.

Do you think, still, that the government is now trying new technological means, to have them in place for later use?

Here again the problem is that facial recognition cameras – of which there aren’t that many, just 3,000 or 4,000, and mostly installed in the Moscow metro – would require a huge database. The cameras were mostly used to catch criminals, so at present, the database only includes the most wanted criminals. But now you would need to build a new, huge database with pictures of all Muscovites, of all people staying in Moscow, meaning maybe 15 or 17 million people, matching against pictures caught on facial recognition cameras. It’s a completely different kind of task.

They might be thinking of doing this right now, but it will take some time. If they are capable of doing it, of course it will stay, because it would be too costly to abandon it after the crisis. But again, from my experience, the problem will be building up such a huge database. Russian software is usually good when it’s a small-scale project, but when it comes to large-scale usage, they usually have to buy it somewhere. The Federal Security Service (FSB), for example, had been using an Oracle [American database technology company] database for years. We do not have this technology right now. Maybe we could develop it, but I think it would take years.

What do you think about the tracking of people’s phone and geolocation data?

This unfortunately could be done, since you don’t need a government-built database. You could use databases built by mobile phone operators. This could easily be done, for example if someone left their designated area, and they could immediately be fined. Russian mobile phone operators have been cooperative with Russian authorities for quite some time already, and these companies, historically, have been the best at implementing new technologies. Even DPI was first introduced by these companies, not because they wanted to spy on people but because they wanted to suppress expensive video traffic. Now it’s being used for completely different reasons and objectives. One of the big problems is how they avoid criticism, by saying that other countries, like France, are doing the same. They use mobile phone data to track people. The Russian government is always pointing a finger to the West and saying, “Look, we are only doing the exact same thing.”

Your tax deductible gift can help stop human rights violations and save lives around the world.

Region / Country