Russia has amended its main laws governing the internet to allow the government to restrict access to the internet and to control internet traffic in emergency situations.
Federal Law No. 90-FZ of 1 May 2019 introduced a set of amendments to the Federal Law on Communications and the Federal Law on Information, Information Technologies and on Protection of Information (the Amendments). The Amendments are colloquially referred to as the “sovereign runet law” or the “law on the secured internet.”
The Amendments significantly change the legal landscape for the following categories of entities (the Regulated Persons):
- Telecommunication operators (telecom operators)
- Owners of communication networks, communication lines crossing the Russian border, and internet exchange points (IXPs)
- So-called “information dissemination organizers” (e.g., social networks, email service providers, and other resources allowing internet users to communicate)
- Entities holding autonomous system numbers (ASNs)
Unfortunately, the Amendments are rather vague and leave room for conflicting interpretation. The Amendments contain the generic set of concepts rather than clear rules. They contemplate that the Russian government, the Ministry of Communications, the Federal Security Service and Roskomnadzor, Russia’s internet regulator, should adopt a significant volume of implementing legislation to make the Amendments work.
Most of the Amendments will be in effect on 1 November 2019.
Below we summarize certain key concepts:
Comprehensive Database on Internet
- Roskomnadzor will assemble comprehensive data on the internet in Russia. The data would include information on network (IP) addresses; ASNs; communication lines and their infrastructure; IXPs; points where communication lines link with the communication lines crossing the Russian border; use of communication lines connected to the cross-border communication lines; traffic routes; location of the special equipment that telecom operators providing access to the internet (internet services providers, ISPs) and owners of communication networks must install. This special equipment includes the equipment to restrict access to websites blocked in Russia and the so-called “threat counteracting” equipment.
- Roskomnadzor will create a register of IXPs. Traffic must be routed only through IXPs included in the IXP register.
- The Regulated Persons must provide data to Roskomnadzor on the above matters.
Installment of Threat Counteracting Equipment
- ISPs must install specific “threat counteracting” equipment to be provided to them by Roskomnadzor free of charge. Although the Amendments are silent on the functions of this equipment, it is understood that it will be equipped with a deep package inspection software (the technology that allows analyzing the traffic, including encrypted traffic, or at least determine a website or application that generated transmission).
- An ISP that installed the threat counteracting equipment is released from the statutory obligation to restrict access to the websites blocked in Russia. This is because Roskomnadzor will be able to block the traffic itself, via this equipment.
- A telecom operator may not be penalized or de-licensed for network failures and disruptions caused by the threat counteracting equipment.
Mandatory Training Drills
- The stability, security, and integrity of functioning of the internet and public communication lines in Russia must be secured by all Regulated Persons. As part of this function, they must participate in training drills to be conducted by Roskomnadzor to simulate the disconnection of the Russian segment of the internet, and to test its autonomous running.
- The main purpose of the Amendments is to make sure that in emergency situations, the Russian segment of the internet is run autonomously within Russia; in other words, independently of any non-Russian telecom operators and within the Russian territory.
- An emergency situation will be declared by Roskomnadzor.
- The Amendments generically define emergency situations as those affecting the stability, security, and integrity of functioning of the internet and the public telecommunication lines. The more detailed definitions and rules on emergency situations are to be approved by the Russian government.
- Roskomnadzor, via a specially created Center for Public Networks Monitoring and Control, will be the body to take control over the internet if an emergency situation occurs.
- In an emergency situation, the Regulated Persons must reroute the traffic domestically (within Russia). Alternatively, Roskomnadzor may take control over the internet and route the traffic within Russia, by itself, via the threat counteracting equipment that all ISPs should have installed.
The National Domain Name System will be created for the Russian segment of the internet, including all .ru, .rf, and .рф addresses, as well as other addresses to be determined by Roskmonadzor; all domain name servers must be located in Russia. This rule will be in effect from 1 January 2021.
The Amendments are of a framework nature and in many instances refer to implementing legislation yet to be developed by the Russian government and other agencies. To make the law work, these agencies have to adopt about two dozen pieces of new regulation on many important matters, including on determining the emergency situations and on the centralized management of the internet in an emergency situation; on technical and other requirements to IXPs; on installing the special equipment; and on training drills.
Law clerk Kamil Sitdikov contributed to this post.