If you're listening to these words, you've probably already heard enough about Russia to know that people living there have been subjected to more and more government control over the internet. You might know that Russia's federal censor has been throttling YouTube playback speeds for the last month or so, just like it slowed Twitter data transfer speeds back in 2021. And throughout August, Russian internet users have reported sudden and widespread outages in access to popular apps and services like Telegram, WhatsApp, Skype, Wikipedia, Pornhub, Discord, Twitch, and even the Russian social media service Vkontakte. What you might not know is how all this works technologically, and Lord knows I'm in this boat with you. Also, many aspects of the Russian authorities' growing control over the web and how it leverages the internet to shore up the country's repressive political regime, that's not as straightforward as you might expect.
So let's talk once again about the Kremlin's internet policy, about throttling YouTube and bottling up platforms like Telegram. Welcome to the Naked Pravda.
Howdy, folks. Welcome back to the podcast. Welcome back to the show. I'm your host, Kevin Rothrock, the managing editor of Meduza's English Language Edition. By my count, this is at least the sixth time I've done an episode focused on the Russian internet, and most of these shows have been about censorship. So it's no exaggeration to tell you that we've been here before. And that's a bummer, because Russians have been involved in a lot of inventive work online, but the authorities' crackdown has only gotten worse over the years, and the state's surveillance has also opened the door to some spectacular criminal opportunities. We'll get to that in a bit, but first let's talk about a widespread disruption on August 21st that knocked out Russians' access to a whole host of popular online services, including the messengers WhatsApp and Telegram. The federal government's media regulator, Roskomnadzor, immediately commented on the outage, claiming that the cause was a massive distributed denial of service or DDoS attack. But cybersecurity experts are calling BS on this explanation.
This was at least the third major disruption to Russians' telegram access since the start of the month, following similar outages reported on August 12th and August 19th. Then, as now, experts argue that the state authorities are likely testing their capacity to block telegram.
To find out more about what is apparently happening here, I welcome back to the Naked Pravda Sarkis Darbinyan, a senior legal counsel at RKS Global, a digital rights advocacy group that promotes human rights in the digital sphere. Earlier this year, RKS released a report titled State of Surveillance, a study on how the Russian state, through laws and technology, carries out digital surveillance.
Well, yeah, we have lots of messages from the users that report that lots of hundreds of services do not work and everything started from Telegram. And I believe this is similar to the scenario of 2018 when a Russian censor tried to block Telegram. So the same thing again.
It started with Telegram and then other services started to fall: WhatsApp, Discord, Skype, even the service and website of one of the state bodies of Roskomnadzor, this structure, the Monitoring Center, and their site also didn't work. And of course it doesn't look like a DDoS attack on telecom operators, which is what Roskomnadzor is trying to say, but I think perhaps it's a black screening scenario with the shutdown of all foreign services that don't comply with many repressive Russian laws. Or maybe they're just trying to test the systems. This is a DPI-based system that has been used for a couple of years for centralized management of the internet by Roskomnadzor.
And of course the situation is different than it was in 2018, because at that time Roskomnadzor didn't have that equipment on the networks of operators and it couldn't manage the traffic itself; that was a delegated system of repression by the hands of internet service providers. And now they can do that, and we think they could be testing the system for blocking Telegram or maybe some other messengers.
For now, they have deployed the technological capability and are trying to tweak it so that it works to restrict access to social networks, to messengers. Right, right, right. So I thought that deep packet inspection was like a really kind of surgical, targeted way to do censorship, but it seems as though they may have like overstepped here and they're blocking things they didn't intend to, or at least that's happened in the past. Can you explain
How does DPI accidentally take down more than is intended? Or if we see something censored by DPI, should we expect, okay, or should we assume they meant to take that down exactly, or is that not always the case? Well, mostly we do not understand how this DPI works, but as we know for now, it works through SNI technology: understanding that the user is trying to connect with the server, it just throws away some of the packets, and that's why the internet connection may be slow. That's how they throttle YouTube and other services. And of course, the only thing that can work here is VPN. And we see how this demand for VPNs and proxies is growing among Russians right now. But of course, there is very little understanding of how it's happening. Mostly, we cannot monitor this, because Roskomsvoboda for about 20 years was monitoring the register of blocked websites. And this kind of blocking is unregistered blocking. They do not show it. You cannot see it. You cannot understand it. You can just feel it after the users' reports and after testing some tools that tell if the service is available or not.
The last time the Russian authorities publicly turned their attention to Telegram was in March 2024 in the wake of a horrifying terrorist attack on a concert hall outside Moscow. Afterward, Telegram founder Pavel Durov said the platform was blocking thousands of accounts that he said were sending messages to Russian-speaking Telegram users, urging them to commit more terrorist attacks.
A day before that announcement, Vladimir Putin's press secretary, Dmitry Peskov, had called on Durov to monitor Telegram more closely, though Peskov was careful to add that the Kremlin had no imminent plans to block the messenger in Russia. According to studies conducted earlier this year, nearly half of Russians over the age of 12 use Telegram. Pavel Durov says the platform's monthly user base has jumped from 500 million accounts in 2021 to about 900 million today. Durov also vehemently denies rumors that Telegram cooperates with the Russian authorities, saying that competitors spread these allegations.
Earlier this month, while Putin was visiting Baku, Russian-speaking Telegram channels circulated more rumors that Durov was trying to score a one-on-one meeting with Russia's president. Without any corroboration, the Telegram channel Baza wrote that such a meeting was planned, but ultimately didn't take place because Putin supposedly vetoed the idea. Meanwhile, the independent business news outlet The Bell reported that Durov never planned to meet with Putin and was in Azerbaijan at the same time as the president, by mere coincidence.
I know that you mentioned just a moment ago the 2018 to 2020 blocking of Telegram. And I wonder, I can't remember if I asked you this the last time you were on the podcast, but I know that there's a sort of a lot of suspicion surrounding Pavel Durov and Telegram, and even this whole two-year period where the messenger was supposedly being blocked, but never really worked very well. What's your view of whether or not Telegram secretly kind of
abides by Russian censorship or kind of like shares some information because it seems like there's not really a consensus among a lot of people who track this. It's like some people are convinced that Durov is just like playing poker with Putin every night.
and sharing everything with him, and others see him as a true warrior for free information or something like this. What's your view? Well, yeah, there is a lot of conspiracy. And, of course, we do not understand the whole truth. There was some news that some people wanted a meeting of Mr. Durov and Mr. Putin in Azerbaijan, Baku, but Putin declined and he said he doesn't want to have this appointment with Mr. Durov.
We don't know whether that's true or not, but it can be true. Of course, Durov is a very tricky guy and what he says sometimes is just, you know, a marketing thing to sell his service and to tell the world that he has the most secure service. But still, there are a lot of questions for Telegram.
And I should remind you that the server part of the code is still closed. But I don't think that he has some kind of, you know, channel, a separate channel for the FSB, for Russian security offices, so that they have control over the messages that are being promoted there. Of course, Telegram is a very useful tool for them also to collect information.
And that's what we emphasized in the report. Russian law enforcement and FSB and police, they use these different tools like Eye of the God and some others to get information, to collect information about the user's activity.
The Glaz Boga, or God's Eye, Telegram bot is a particularly nefarious tool used to dig up information about people, drawing on both open source data and private records stolen or leaked illegally onto the internet. It's one of those nasty corners of Telegram that draw criticism from many cybersecurity experts. For example, I got an earful about Telegram's dark side when I asked for an assessment from Philip Dietrich, a project officer for the Risks of the Sovereign Internet for Russia and Beyond project at the German Council on Foreign Relations Center for Order and Governance in Eastern Europe, Russia, and Central Asia. Yes, that's a mouthful, and Philip's business cards must be printed on A4 sheets of paper.
Here's what Philip told me about Telegram. You know, this is exactly what I tell everybody if they ask me about Telegram. I always say, you don't know, so don't use it. You know, this is the biggest, I believe that this is the biggest problem about the service, because lots of things about the service are quite obscure. Not much is known about the exact functioning of the service. Not much is known about server locations. Like if you try to dig deep into Telegram, even the like corporate structures and all of this, again, I think there is actually, if I'm not totally wrong, isn't the Russian sovereign fund or something, aren't they like, don't they have parts? Like, didn't they invest into Telegram? Didn't the UAE fund invest in Telegram?
In 2021, the Russian Direct Investment Fund, or RDIF, announced that it had invested in Telegram together with a Dubai-based investment fund, acquiring bonds in Telegram Group Inc. However, Telegram spokespeople say the investment talks fell through. Additionally, at the same time, RDIF's partner in Dubai separately announced a joint investment in Telegram with another Dubai-based fund.
The Russian Direct Investment Fund is Russia's sovereign wealth fund established in 2011 by the Russian government to invest in companies of high growth sectors in the Russian economy in collaboration with other investors around the world. It's been a long time that I've been digging into Telegram.
And I didn't really find anything, you know, so I was kind of like, and nobody really does, you know. For instance, the complete contrary, like, to Signal, you know, we know so much about Signal, we know so much about the functioning of it, you know, that it's already, you know, Signal is, if anybody asked me, it's like, yeah, like use that. Do you think that the danger of using Telegram is that it's vulnerable to... or because there's just poor corporate practices? And what's the nature of the... I know that what you've said is that because we don't know, it's therefore dangerous sort of by default. But specifically for Russians, let's say, because that's kind of the context of these questions. If you're an average Russian internet user, what is the nature of the danger? So they have just... It happened actually quite recently. There was a tool that was able to find the username and the proper phone number behind Telegram accounts.
Which is a crazy breach of privacy. This is literally when they're saying, okay, you're secure, your identity is protected, and then there is actually a tool that bypasses that. I know that there are so many databases online where Telegram accounts are linked to phone numbers on the dark web. If you go there, you can find a ton about people. So yeah, maybe go check whether you're on that database. Just make sure that your identity is actually protected. It's so obscure, like just use a different messenger. People, and we as well, you know, try to contact Pavel Durov and stuff, and I try to talk to him and all of this, just,
And the problem is also, you know, if you have a company that's based in the EU, right, you know, at least, you know, that there are like quite strict data protection laws, you know. And we also know, I mean, you know, probably not everything is perfect here. I mean, so many things go wrong all the time. But we certainly know that, you know, like, I mean, big tech firms, you know, have gotten into lots of trouble because of these institutions. And I am just not sure whether the UAE can provide something similar.
And is the fact that Telegram communications by default are not end-to-end encrypted, that's, yeah, they're not encrypted, that's useful to the Russian officials, right? Because that means that any communications passing through Telegram that are not in the special secret chats are fully visible through SORM. Well, uh, this, they still have some kind of encryption, but this is not the end-to-end encryption that is used in secret chats. And
Of course, less than 5% of Telegram users use these secret chats. But still, I think Telegram is a good tool for communication. And we were waiting for six years for the decision from the European Court of Human Rights on the Telegram case. And finally, it came out this spring. And the conclusion of the European Court was pretty correct.
So they're saying that any force to make weakness of the encryption is going to damage the right of the users for privacy. And that's why it can be considered to be a legitimate request.
Some background here. In 2018, the authorities announced plans to block Telegram in Russia because the platform refused to provide the FSB with the encryption keys used for secret chats. For the next two years, Russia's censor tried and largely failed to block the messenger. At the start of that fight, the digital rights group Roskomsvoboda, not to be confused with Roskomnadzor, filed a class action lawsuit in Russian courts on behalf of Telegram users demanding that the FSB's actions be declared illegal. Russian courts refused to hear the lawsuit, so the group took its case to the European Court of Human Rights, which didn't issue its first ruling in this litigation until February 2024. If most Telegram communication is not end-to-end encrypted but has some encryption, then presumably, so then what exactly is it that the Russian authorities can get from Telegram traffic that's useful? I mean, I know that a lot of
Russian officials, and there's all these sort of quasi-government-affiliated channels that are very active on Telegram, and there's the whole Voennyi Korrespondenty movement, I guess. And so clearly, like, there's an enormous presence of Russian public-facing individuals and organizations that are active on Telegram, and there's that usefulness to it, I guess, because there's a big audience. But, like, from a technical standpoint, from a surveillance standpoint, is Telegram particularly...
good for the Russian authorities or is it kind of neutral or bad or what's... Well, if we are talking about the SORM, the state system for surveillance, of course they do not see who are you trying to connect with. They just see that you're using Telegram.
Just the metadata. Right, right. Just the metadata that the user was, I don't know, using Telegram 500 times a day. For other kind of information, they should use the surveillance on another level, right? On Telegram's level. And for this purpose, they have these bots.
that collect the metadata, and they can give the report about people you were talking to, groups you were visiting, comments you were sharing, and all other data with telephone number, IP address, lots of different kinds of information. And this is being collected through these tools that are presented on the market, and there are some other tools that are also being bought by the state through procurement. Andrei Zakharov made that investigation about Damon Laplace and other tools that are being bought by different regions in Russia.
In March 2024, investigative journalist Andrey Zakharov reported that regional police departments in Chechnya and at least two other regions of Russia had signed contracts in 2023 to use something called the "insider system." This system uses leaked databases to de-anonymize Telegram users. Police departments reportedly use this service together with another social media monitoring system that allows them to track groups online and search for individual activists.
One of the interesting things about the RKS report, I thought, was it covers the legal aspects of how Russian internet surveillance and censorship tools are distributed. And it talks about SORM, it talks about how the police also have access to this information, but it's not really as good as the FSB. They either have to go through the FSB or they have to go through the internet service providers or the social networks and file these requests. Or
They can do these informal sort of corrupt approaches where they're using contacts or they're basically buying leaked or stolen information. Most foreigners, I think, when they hear Russian Internet surveillance, they think more of the SORM and the FSB side of things. After recording this interview, my editor pointed out to me that many people probably don't actually know about SORM. So here is a quick rundown.
SORM, Russia's System for Operative Investigative Activities, is a series of technical means designed by Russian law enforcement agencies to monitor Russian communication networks.
SORM has grown and expanded in basically three generations. There's SORM 1, a system for wiretapping telephone conversations. Then there's SORM 2, a system for tracking internet traffic sources. And now we've got SORM 3, a system for collecting information from all types of communication and requiring telecom operators to store it for long periods of time.
And it's only the ones who actually follow the news or track this stuff sort of professionally or as a really devoted hobby that they know about this whole market for kind of like profit-driven information that's pulled by the police using surveillance powers. Can you explain for listeners sort of how prevalent the earning money side of this is? Because I think that people expect the political persecution side of things, the SORM, the FSB stuff. They
They've sort of been led to expect that by now from, you know, Russia, the totalitarian state and so on. But then the corrupt side of things is a little, is harder to understand, I think. Can you explain for the average outsider what exactly this is? Well, when you have easy access to the system and you can get the information from this system and you don't have any control, any system of control by the court, by the prosecutor, or by his boss, of course, many of the police officers and other people working in the state agencies try to earn money, and sometimes they just sell the information. That's what's happening in Russia all the time. Of course, we shouldn't forget that this year Russia ranks first in the world for the number of databases leaked to the darknet. I think that was a report of Positive Technologies and Group-IB that there were about 150 databases of pretty big internet stores and retail, and of course these are millions of lines, and they help to get the data of any kind of user who is still, you know, a consumer of different digital goods. And of course police try to get this data on this market because, uh, it's easier to get it without any formal requests and waiting lots of time to collect the information about the object of surveillance. So, of course, this becomes a huge problem. And I think there is no solution even in the Russian police system for how to solve this thing. I wanted to also ask about SORM specifically and about the hardware that's required for Russian internet censorship and surveillance. Just like on a very physical, literal level, what is the equipment that's being used? Does every ISP and every major social network have to plug in a box, or do they have to like route a connection to the FSB's headquarters?
Presumably, at some point when a service gets to a certain size or decides to comply with existing laws or with even informal orders, somebody in the IT department is told to go plug something in. What exactly has to happen? Well, yeah, this is some equipment that is produced by American and Chinese companies. I mean, the hardware, yeah? And
Even now, after the sanctions came to Russia, they still have lots of channels to buy this equipment through Central Asia, through proxy countries. And on the other side is software working with this hardware.
And the software is being produced in Russia by Russian manufacturers. I think, of course, they share practices and ideas with their colleagues from China and Iran right now, from what we see. But it's a box and software that is now being installed locally on all of the networks of all internet service providers, and not only service providers, but from 2018 also all of the internet companies, big internet companies, should do the same.
Of course, in this report we try to collect everything that is now known from the legislation, from the legal practices, from the media. But of course, when doing this report, we have found that there are some new practices. We discovered new aspects of old practices and identified new ones.
And of course, one of the most controversial is profiling, after the leak of data from the General Radio Frequency Center that was known as the Russian censor files. We know that Russian authorities also try to make profiles of internet users. And there are thousands of names that have still not been called out and deemed foreign agents. But of course, that can be used for repressive aims.
In November 2022, a Belarusian hacker group called Cyber Partisans announced that they had hacked into the internal network of a subdivision of Roskomnadzor, known as the Main Radio Frequency Center. After studying the leaked data, journalists concluded that this little-known entity within Russia's federal censor actually plays a key role in the state's online surveillance.
Among other things, the main radio frequency center helps block independent media outlets, writes reports on potential foreign agents, censors Yandex search queries about the war, and so on.
When YouTube playback speeds start crashing for Russian internet users, some of the most cited information used to measure these service disruptions has come from an anti-censorship activist who blogs under the name ValdikSS. This person is also the founder of GoodbyeDPI, a software designed to bypass deep packet inspection-based internet censorship. For example, in mid-July this year, ValdikSS shared data showing that almost all internet service providers in Russia were slowing access to YouTube through the domain googlevideo.com without affecting traffic over Google's IP addresses, including the IP addresses of Google Global Cache servers. I've translated articles about this myself, but I'll be honest with you. I don't really understand what all these words mean, the words I just told you. Not totally sure. So I asked Philip Dietrich at the German Council on Foreign Relations to explain it again to me.
So when you establish a connection, let's say, you know, you open YouTube on your browser, when you establish a connection, the main layer, you know, the first layer is kind of the IP layer. It's just, you know, how like servers like basically know who each other is. So, you know, your computer has an IP and then the server has an IP. The first thing that gets transported is the question, oh, you know, which IP are you? Oh, this is the right IP I want to get to you. This is the first kind of, this is very much in a nutshell. And I'm not talking about DNS or anything like that. That was just, it's just too complicated.
And then, you know, to establish that connection, there's something called a handshake. And this goes through a protocol called TLS. And the protocol in itself contains encrypted parts. But the problem is that the initial handshake that happens between your browser and the server is not encrypted.
So there is a part that is openly visible to, for instance, let's say any kind of like telecommunications operator. So they will know that you are on YouTube. They will not know what kind of video you're looking at. So this is basically, so the information, you know, like the stuff that gets transmitted in the long run, they don't know what that is, but they know that you are on YouTube. Even if you're using a VPN or not then? No, not then. VPN is still, I can explain the VPN afterwards, but not if you're using VPN, it's even, it's more complicated.
So what happened with this guy on the forums, what he posted basically, is that there is actually another thing. It's an extension of the TLS protocol, which is called SNI, server name identification. So essentially, you know, like Google has tons of servers, and on these servers there is a variety of services that are stored on these servers.
But a lot of these servers share the same IP address. So for instance, with the same IP address, you could reach services like YouTube, but also like other Google services that are all under the same IP address because they're on the same server. So the server kind of needs to know, okay, what part of the Google services does the user want to access? So do you want to go on YouTube? Do you want to go on Google Drive? Do you want to go on Google Docs? And so basically there is something, the extension of this TLS protocol is called the SNI, server name identificator, that then determines which part of the server you want to go to. For instance, for YouTube, it's Google Videos. And then the server knows, oh, okay, you want to go to Google Videos. The problem with this SNI extension is that it is openly visible.
And based on the current information that we have is that the state, the Russian authorities, managed to basically find these SNIs and they are blocking them. Or at least they're dropping the packets. So this is maybe one of the potential explanations. All of this is, you know, hype, like, potential explanations based on the evidence we have. And there's unfortunately not that much evidence.
The thing is, you know, most of the time, always the common denominator with Russian propaganda is that there is always a little bit of truth to it. You know, the story isn't entirely bogus. There is always some kind of truth to it. And then, you know, it's like it goes into a totally different direction. So it is true that Google sent Global Cache servers to Russia. We know that. These are basically Google servers that they send there for free. And the only thing that
the internet service providers have to do is they have to like, you know, give them power and like have them running, but they're all managed by Google. What are these servers? These servers are something that in non-Google terms, you would call it a CDN, the content delivery network.
So what this basically does is imagine, you know, like let's say you are in Novosibirsk, right? And you try to open a YouTube video. What would happen is that because YouTube doesn't have their own data center in Russia, the video would actually come from Finland and travel all the way to your Novosibirsk, which is pretty inefficient.
So what do they do? So the local service providers, they cache these videos on servers. And once the video, one person has opened that video, it gets cached there. So then all the other people and those viewers that watch the same video then have it very, very quickly because it's already cached. How slow would YouTube be without these servers and these local CDNs? That's a good question. I mean, it would depend on the region. There must be countries that don't have Google Global Cache in them.
Is YouTube unusable in those countries? They're present, like, almost everywhere. But the internet without CDNs would certainly completely break because then all the information would go over the backbone network and the backbone network just couldn't handle that amount of data. You know, you would basically pull every single bit of information directly from the server and it would never be cached locally, which...
would just, it would literally, that would break the internet. But Russia is presumably surrounded by Google Global Cache, even if like all the, even if Russia, say 15 years from now, doesn't get any new ones and they've let them all die. If you're sitting like in Moscow, you can't be very far from the ones that are in the Baltics or Poland or something like that, right? So the closest data center, as far as I know, is
probably the one in Finland. But yeah, so you're right. The thing is, you know, the country surrounding Russia, as soon as they're in established internet connection, YouTube will never go completely offline, but it depends on the region where you are. And that maybe answers your question with the VPNs, the one that you brought up before, because this is a very interesting one. It's like, okay, but if you use a VPN, how does that work?
So essentially, if you use a VPN, let's say, you know, you're in Moscow. What happens, the VPN client does multiple things. It encrypts your connection and it reroutes your connection out of the country. So your connection would go from your browser to the local ISP in Moscow to the VPN server which is outside of the country. Then it would go, again this is also simplified, then it would go from the VPN server that is outside the country, let's say Finland, it would go to the YouTube data center, then back to the VPN, then back to the ISP in Moscow, and then back to your computer. Which means that the entire process is encrypted and the ISP in Moscow simply doesn't know what you're doing because the process is encrypted.
And what does the ISP see? Does it see that you're going to Finland or does it not even see that much? That's a good question. I mean, the ISP, so the initial connection, yes. The initial connection because... The handshake? Yeah. But that's only once the VPN connection is established, the ISP basically doesn't really know anything. The only thing they know is that you're using a VPN protocol most of the time. The thing is just that these protocols now are encrypted.
which the VPN protocols are always encrypted, but they're obfuscated, which means that they resemble normal protocols now. They're getting like very smart about that. So before, you know, it was quite easy for an ISP to detect, oh, this is just normal. And it's just a normal VPN protocol, whatever, you know, open VPN or whatever kind of protocol you want to name. And,
and they would just easily block it. But now these protocols actually look like normal connections. Like they're crazy, they got crazy complicated in a way that it's much, much harder for ISPs or any DPI technology to block them.
The problem is just, again, you know, as I explained the connection, this connection, again, goes over the backbone network. So imagine all the Russians turn on the VPN, and there is this possible situation where so much traffic goes over the backbone network that it would actually completely throttle the entire Russian internet because, you know, just think about a tube of, like, water flowing through. If it's full, it's full. Like, there's no more capacity. Whether this will happen or not is very hard to predict specifically
It's almost impossible to predict, but it could be one potential reason why the Russians have been so reluctant to fully block YouTube because it could actually lead to an internet crash. Because using VPNs bypasses the CDN architecture of the internet. Correct. And overloads part of it that wasn't designed to carry it that way. That is correct. Yeah, exactly. Okay.
Thanks for tuning in, folks. This has been The Naked Pravda, a podcast from Meduza in English. Remember that undesirable status back in Russia means our entire news outlet now relies on readers and listeners around the world to support our work. Please visit our website for information about how to become a contributor with one-time or recurring pledges. Thanks again. Until next week.