European companies warn about consequences of VPN restriction in Russia
European companies are concerned about the future limitations of VPN services in Russia, as they use them to protect commercial information. At the same time, such networks allow visiting sites banned in Russia.
The Association of European Businesses (AEB), which includes Air France, Citibank, Volvo Cars and several hundred other European companies, expressed concern over the adoption and entry into force of amendments to the Russian law On Information, Information Technologies and Information Security, limiting the work of anonymizers, for example, private virtual networks - VPN. AEB CEO Frank Schauff sent a letter to Minister of Communications Nikolay Nikiforov and Head of Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) Alexander Zharov (a copy of the document is at RBC’s disposal).
"Anonymizers use technologies such as private virtual networks (VPNs), proxy servers, etc. However, these technologies are also used by the overwhelming majority of international companies in Russia as one of the measures of information security (for protecting data transmission channels) while doing business. Therefore, in the case of its broad interpretation, the law may be applicable to internal IT systems and processes operating on the basis of VPN and proxy technologies and used exclusively for intra-production purposes, not involving, in particular, obtaining information that is banned in the territory of Russia," the letter of Schauff stated.
Representatives of Roskomnadzor and the Ministry of Communications have confirmed the receipt of this letter to RBC. "We are interacting with Roskomnadzor on this topic. We will give clarification to AEB in the near future," representative of the Ministry of Communications Anna Akhmadieva said to RBC.
The new version of the law On Information contains a proviso that the restrictions do not apply to anonymizers, provided that "the circle of users of such software and hardware is defined by their owners and the use of such software and hardware is carried out for technological purposes to ensure the activities of the person who uses them." In this regard, in its letter, the AEB notes that European companies need clarification as to whether they can still use the VPN to provide their own needs and interact with partners and counterparties and whether they should notify Russian state regulators about it.
Chairman of the AEB Committee on IT and Telecommunications Edgars Puzo confirmed to RBC that the organization had indeed asked the regulator to clarify the position regarding VPN and anonymizers. "As far as I know, there has not been an answer with explanations from Roskomnadzor and the Ministry of Communications. In this situation, we always advise European companies to try to comply with the requirements of local legislation," he said.
Personal or official?
Interviewed by RBC experts, including Internet Ombudsman Dmitry Marinichev, believe that the proviso effectively extricates corporate VPNs from its effect. "However, the question remains how the regulators will separate the VPN, which is used for corporate purposes, and the VPN, which is used to bypass the blockings," said Marinichev.
Leonid Evdokimov, the developer of Tor Project, a nonprofit organization that created the anonymous Tor network, agrees with him. He says that it is impossible to distinguish the corporate VPN for employees from the public one used to bypass the blockings. "Therefore, the registry of VPNs that do not comply with this law will always be one step behind the existing infrastructure. Perhaps, of course, another scenario is possible: the blocking of all VPN-like protocols and the introduction of a list of good, but it seems that such an asymmetric answer is not yet discussed. And black lists are practically useless," Evdokimov said.
He also notes that, in general, it is "simply impossible" to filter out any VPN providers on the list of banned sites. "The problem is not to filter traffic, but to distinguish Russian users from non-Russian - there is no one hundred percent working technical solution. If we require VPN providers to filter traffic by Roskomnadzor lists for all users, and not only for Russian users, this will create a very dangerous precedent. Then any country in the world can demand from any business to filter something," Evdokimov said.
The same VPN can be used both for corporate needs and for personal ones, therefore, employees of companies using VPN in their work can easily use it to circumvent the blocking of websites, lawyer of Roskomvoboda Sarkis Darbinyan summarizes. "VPN is very popular as a way to protect corporate IT resources, and all more or less large companies use it. This means that a large number of people in the country have access to corporate VPNs. I think for the time being it will not bother the authorities. The Federal Security Service and Roskomnadzor will have a dig at blocking the most popular public VPNs for ordinary users. However, there are tools like OpenVPN, which allow the user to deploy their VPN, and Roskomnadzor will not be able to track this, since most telecom operators do not yet have the proper equipment," Darbinyan concludes.
The prosecutors want the former Russian Federation Council member to go to prison for 14 years instead of 9 and pay a 500-million-ruble ($8.8 million) fine instead of 70 million rubles ($1.2 million).