Russia’s Internet Freedom Shrinks as Kremlin Seizes Control of Homegrown Tech
Corporate mergers and backstage coercion have expanded Putin’s control.
This month, two Russian firms separately announced plans that would put them in direct competition: Yandex, the internet and search company, acquired the online bank Tinkoff, while the banking giant Sberbank unveiled a suite of technology products just two days later. As the Moscow Times reported, “analysts also point out that Russia is long-overdue a digitization surge, and there could easily be room for both to emerge winners.”
But behind this is another conflict—the Kremlin’s ever expanding attempts to bring technology firms in Russia under the state’s control. Both companies have played a role in these efforts; Yandex has been under Kremlin pressure to give the Russian government more influence over its decisions, and Sberbank is a state-owned enterprise. (The latter is sanctioned by the U.S. government.) Corporate takeovers such as Yandex’s acquisition of Tinkoff are pushing Russia’s major tech companies into ever growing conglomerates, controlled either directly by the government or by other actors trusted to advance Kremlin internet policy.
But the Kremlin’s toolkit of coercion is much broader, and more international, than this one tactic. The Russian government has recognized the scale of political and economic power now wielded by internet companies and sought to channel that power toward its own ends.
Since Russia’s 2014 war against Ukraine, the Russian government has carried out a rapidly escalating crackdown on internet freedom, but the hostile attitude toward freedom of information underlying Russia’s internet policy has changed little since Vladimir Putin first took office in 2000. The Kremlin’s strategy for the internet has in many ways mirrored the approaches used early in the Putin era to bring Russia’s major broadcast and print media—then the major means of information dissemination—under effective government control.
At that time, the internet played no meaningful role in how most of the Russian public read the news or communicated with one another and therefore escaped major attempts at government interference. In the 20 years since, however, as the importance of online traditional and social media has grown dramatically in Russia (as in most of the world), controlling the internet has become a higher priority for a government willing to use ever more authoritarian tactics.
In addition to its efforts to control online media outlets, the Russian government—in recognition of the internet’s power as a tool for communication—has prioritized maximizing its surveillance potential and enlisted social media and other tech companies in this push. Through publicly enacted measures, it has created a legal and technological framework for the internet in Russia under which only encryption (rather than any legal protection) can effectively prevent the authorities from viewing the content of any internet traffic within the country.
A third goal, which receives surprisingly little attention relative to its potential significance, is to enlist Russian internet companies in the government’s foreign espionage efforts. This topic may be downplayed due to well-justified cynicism: It would of course be naive to assume that the Russian government is alone in such conduct, as authoritarian and democratic governments alike regularly demand user information, most often calling it necessary for the criminal justice process. But Russia has had a unique case made public.
In April 2014, Pavel Durov—the founder of VKontakte (now known as VK), Russia’s most popular social media platform—published a letter he’d received the previous December from the country’s Federal Security Service (FSB), which is responsible for domestic security but also foreign electronic surveillance. The letter demanded the personal data of users running popular VK groups involved in the Ukrainian Euromaidan protests, a movement that would ultimately result in the ouster of Ukrainian President Viktor Yanukovych. The FSB’s demands demonstrate the power of the government to requisition user data from privately owned social media companies expressly in order to conduct espionage abroad.
What sets this apart from the surveillance practices of most democratic governments (including the United States) is the lack of any political or legal checks that could serve to protect users’ privacy. When Edward Snowden’s 2013 disclosure of the PRISM program revealed that U.S. intelligence was collecting data from social media platforms, such surveillance became a major story in U.S. politics. U.S. tech companies responded with outrage on their users’ behalf, changed their practices to better protect user data from government collection, and took the government to court to challenge its surveillance practices, earning praise from the American Civil Liberties Union and other privacy activists. In Russia, where the Putin regime had already destroyed judicial independence, asserted control of most media outlets, and seriously weakened civil society, Durov’s revelation had little impact on public discourse around surveillance, and the tech sector (already by that point largely under Kremlin control) produced no comparable response.
VK’s story is illustrative of many of the different tactics broadly employed by the Russian government in its efforts to gain control. When Durov published his letter from the FSB four months after receiving it, he had already fled Russia. That final conflict was only the latest in a string of highly public confrontations between Durov and the Russian government that included an incident when Durov refused a prosecutor’s order to take down VK pages being used to organize protests against Russia’s fraudulent parliamentary elections, provoking a police special forces raid on his apartment.
Raids by masked and armed police on the offices of tech companies and the homes of their owners are a regular feature of Russia’s tech industry—as they are to some extent in all profitable parts of the Russian economy. These extortion tactics are often paired with corporate ownership maneuvers aimed at bringing those companies under the ownership of state-controlled companies or Kremlin-friendly businessmen. In the case of VK, the personal pressure against Durov occurred against a backdrop of a yearslong effort by Mail.ru—a Russian tech giant owned by the billionaire and close Putin ally Alisher Usmanov—to acquire a controlling stake in VK. When Mail.ru succeeded in this effort a few months after Durov fled Russia, the company added Russia’s most popular social network to a product portfolio that already included its namesake email service (the most used webmail provider in Russia) and Odnoklassniki, the country’s second-most popular social network.
This represented a remarkable corporate consolidation of Russia’s biggest online communications platforms, equivalent to Facebook following up its merger with Instagram by also taking control of Gmail. Corporate consolidation in the tech sector poses problems for freedom of expression and information everywhere. In Russia, however, the primary driving force behind such consolidation is not the companies’ own economic motivations but rather the government’s political aims.
In the case of Mail.ru, these platforms were now under the control of an owner ready and willing to use his immense wealth and power to censor anti-Putin press coverage and to attack Putin critics. That merger, however, was not the end of the Kremlin’s use of corporate takeovers as an instrument to control the country’s tech giants. Yandex, which in addition to operating Russia’s most used search engine maintains a news aggregator that is the single-most popular news source on the Russian internet and therefore a priority target for the Russian government, has similarly been subject to aggressive corporate takeover tactics. But Yandex’s recent ownership restructuring did not directly result from these tactics; instead, the most proximate cause was the threat of new legislation that would limit or prohibit foreign ownership of Russian tech companies.
In this case, the relevant legislation was directly intended to pressure Yandex into a corporate restructuring—evidenced by the fact that the legislation was introduced in 2018 during a Sberbank takeover attempt and then withdrawn after Yandex voluntarily restructured. Other legislation, however, has constrained the activities of Russian companies in a number of ways going well beyond ownership.
The Russian government surveillance system known by the acronym SORM has given the FSB access to all Russian telecommunications infrastructure since the 1990s, with updates implemented to capture more internet and mobile phone communications as technology evolved. Telecommunications companies have little ability to push back, as SORM gives the FSB the capability and the legal right to collect data from private companies without those companies’ knowledge.
A 2012 law allowing Russia’s internet oversight agency, Roskomnadzor, to order the blocking of websites supposedly engaged in criminal activity has been used extensively to censor political speech, leaving publishers and users of blocked sites no legal recourse. Most recently, the “Yarovaya” and “sovereign internet” laws—which entered into force in 2018 and 2019, respectively—have imposed new surveillance and censorship requirements on tech companies and undermined any remaining legal or technical capacity that they might have to protect user privacy from surveillance or supply users with uncensored information, including from outside the country.
All of this leads to a grim conclusion: Barring dramatic political reforms, the Russian tech business sector can no longer be a source of independent action on behalf of a free internet in Russia, and Russians seeking to use the internet for private communications and uncensored information will have to turn elsewhere. The outlook for international companies, while certainly more optimistic, is also less clear.
Moscow’s goals when it comes to international technology companies—those incorporated in other countries but operating in Russia—are quite similar to those it pursues with domestic firms. Authorities want to maximize surveillance potential, disrupt any possibility of domestic political unrest as a result of those companies’ content or services, and continue projecting disinformation through the internet.
Recent battles over data localization, or the mandated storage of certain kinds of data within Russia’s borders, exemplify the Kremlin’s desire to maximize its own surveillance potential through foreign companies. Like many authoritarian governments that viewed the internet’s free information flows as a threat to regime security, Moscow required in 2014 that companies with data on Russian citizens store it locally. Firms could maintain copies of the data elsewhere, but the data itself had to sit in Russian servers, well within the broad legal and political jurisdiction of the Russian security services described above. In recent years, U.S. companies like Facebook and Twitter have seemingly just ignored these orders and continued paying the trivial, court-ordered fines, but pressures are likely to grow as Putin further pushes for a domestic internet.
Russia’s moves to cement state control over data storage fit into a broader picture of government efforts to centralize internet data flows, designed at the internet’s inception to prioritize fast and reliable delivery above all else, to enable more effective government management and surveillance. Though the process is often purely technical, the objectives are fundamentally political. In practice, these measures allow the Russian government to surveil dissidents, ensure the privacy of Russian citizen data against perceived malicious foreign access, and extend state information control in the digital domain.
Simultaneously justifying two of the Kremlin’s other main goals in this sphere—disrupting the potential for political pluralism enabled by foreign tech platforms and projecting the state’s own disinformation through those same vectors—requires a kind of argumentative gymnastics. The Russian government has for years required foreign internet companies operating in Russia to remove content it deems “false.”
Should companies not comply, the Kremlin has vested powers in Roskomnadzor to initiate technical blocks on those websites. Although these blocks are often evaded or poorly implemented, the government has still managed to pressure foreign companies to remove content related to the COVID-19 crisis. This minimizes the presence of state-critical or -contradictory information online in Russia. At the same time, Russian government propaganda outlets often have a large presence in major Western platforms like Twitter and YouTube, and officials raise vocal objections anytime those firms take action against Russian state-controlled news outlets.
These inherent contradictions in the Russian government’s approach to international tech companies—the Kremlin wants these companies to operate in Russia but only on the Kremlin’s own terms; it pressures companies to suppress free speech inside Russia but howls when Russian government messaging abroad is met with wariness—mean that there is still space for international companies to effect a certain extent of internet freedom for Russian citizens. This operating space, however, is under constant threat from the Russian government and is likely to be the site of several major conflicts in coming years.
First, international firms may continue to push back against certain elements of Russian state internet control. U.S. firms that have mostly resisted complying with data localization rules have not indicated any changed willingness to follow Kremlin pressure. Though, resistance of this kind won’t apply to every area online; it’s important to not group different components of internet control here. Content takedowns, for example, are one domain of internet control in the COVID-19 pandemic where the Russian government was quite successful in getting even U.S. social media companies to remove information from their platforms, within Russia, that officials deemed “false.”
Second, the struggle to maintain a “free internet” in Russia will increasingly be defined by technical dimensions. The Russian government in June decided to reverse its ban on Telegram, the encrypted messaging app, essentially because it lacked the technical capacity to block it. (Ironically, this comprises a certain kind of payback for none other than Pavel Durov—Telegram’s creator—who since losing VK and fleeing Russia has built his messaging app into one of the world’s most popular.)
The government is not conceding defeat in the technical battle for control, however. The sovereign internet law that came into force in 2019 provides a plan for developing pernicious new technical censorship capabilities, including—perhaps most ominously—the ability to selectively censor content on international social media platforms in Russia while maintaining plausible deniability. It also required domestic internet companies to centralize their architecture so authorities could potentially cut off the Russian internet from the rest of the world in the event of a security incident, broadly defined. Thus, it will be incumbent on supporters of internet freedom to continue developing anti-censorship technology and maintain the kind of technical edge that has allowed Telegram to continue operating in Russia without compromising on surveillance or censorship. (Full disclosure: One of the authors of this article works for a company that develops anti-censorship software.)
And with Moscow advancing internet control domestically, officials will continue seeking the normalization of this practice on the global stage. Recently, these efforts have focused on the United Nations, where for years the Russian state has proposed alternative cybercrime treaties that seek to justify its repressive internet policies and practices, clashing with free and open internet norms upheld by democracies worldwide. In December 2019, for the first time, one of these proposals passed, an indicator of broader support among governments for tighter internet control. This was not an accidental occurrence. Instead, it spotlights growing efforts by Russia, China, and others to spread their authoritarian worldview and undermine a global free and open internet model amid much democratic uncertainty on the future of the internet.
These outcomes should also serve as a reminder to tech companies, policymakers, and anyone who cares about maintaining an open global internet that internet freedom is neither inevitable nor permanent. Russia’s domestic internet sector, once a model of pluralism and independent thought, has been thoroughly subverted to the ends of the government. As a once global internet splinters into national enclaves, it will take a concerted opposition effort to maintain international norms affirming that the internet should be a tool supporting rather than suppressing freedom of expression and information.
Dylan Myles-Primakoff is the director of business development for the NewNode project at Clostra and a nonresident senior fellow at the Atlantic Council’s Eurasia Center.
Justin Sherman is a nonresident fellow with the Atlantic Council’s Cyber Statecraft Initiative and a research fellow with the tech, law, and security program at American University’s Washington College of Law. Twitter: @jshermcyber