Since the war in Ukraine started the Kremlin has been striving to take control of the internet and shut down the widely used VPN window on the rest of the world.

Even before the war, the Kremlin launched a brutal crackdown on Russia’s free press, shuttering some outlets, driving others out of business and arresting and jailing a slew of prominent journalists on espionage charges. Being a journalist in Russia has become a dangerous job.

However, a small, but significant proportion of the population trying to keep abreast of the objective news turned to blocked online sources, accessing them via VPN services. Now the Kremlin has turned its attention to shutting down these portals. The Kremlin is closing in on establishing total control of the internet for Russia's residents, as VPNs are being blocked more successfully and preparations for a "sovereign internet" are under way.

VPNs no longer a solution

For the last few years, virtual private networks (VPNs) have been essential for those Russians who want to obtain information from independent sources. The government’s efforts to block independent news outlets accelerated after opposition blogger and anti-corruption activist Alexei Navalny returned to Russia from medical treatment in Germany and was arrested on the border, causing an international outcry in January 2021. Having crossed the line from “repression-lite” as analyst Mark Galeotti dubbed it, to the full-blown version, the gloves came off and the Kremlin started to attack dissenting voices openly. The assault on internet freedoms only went up a level in the wake of last February's invasion of Ukraine, when access to Facebook, Instagram, Twitter and multiple other websites was blocked in Russia.

Initially these blocks were not much of an issue as the websites were easily accessible via a VPN, but now the Russian government has moved on to targeting the VPNs as well. And it is being quite successful in blocking them.

How does a VPN normally work? Generally, VPNs encrypt users' data to mask their online behaviour from anyone who might be snooping. When a user visits a website, their computer connects to the server where that website is hosted. Therefore that website gets access to data about the user and their computer. If a VPN is used, the user's computer is first connected to a private server, which conceals the user's data, making it much more difficult – or, in many cases, impossible – for third parties to track the user's online behaviour.

One specific thing that a VPN does is change the user's computer's IP address – a unique piece of data that tells other computers in what place in the world the user is located. Most VPN services enable users to choose an IP address in a specific country they would like to appear to be browsing the web from.

As a result, users can access websites blocked in specific locations, like, for instance, in Russia, pretending they are actually going online from elsewhere – a very popular feature for bypassing censorship.

Still, Roskomnadzor, the Russian government agency in charge of controlling the internet, has apparently learned to block VPNs by URL and/or IP address. To do that, it needs to determine which server a user connects to and analyse the traffic. VPN services have a limited number of IP addresses that can be used instead of a user's actual IP address, which makes them vulnerable. Once all of the available IP addresses of a specific VPN service have been blocked, it can no longer conceal users' IP addresses.

Some VPN services fight blocking by using various tech tricks, and sometimes it works, but in other cases it doesn't. Since VPN services operate as for-profit companies, it's an issue of profit for them: is it really worth their while to invest in fighting blockings and can those investments be offset by possible profits?

Incidentally, fighting censorship is just one of possible uses for VPN services. Another popular use is connecting a company's offices and/or employees based in various locations into one private network. So VPN services won't necessarily be eager to enter into a cat and mouse game with the Kremlin, as this will interfere with the legitimate business of providing corporate private networks.

In any case, if a provider of VPN services says that internet traffic going through them is "unblockable," that shouldn't be taken at face value. Regardless of the extent to which a VPN service is prepared to fight censorship, their tech capabilities are likely to be limited.

In late May, a popular VPN service, OpenVPN, was blocked in Russia, causing quite a bit of disturbance not only for regular users but also for companies that used the service for communication between their branches in different countries and cities.

Roskomnadzor promised to resolve the issue by making whitelists of companies who will be allowed to use the VPN service for corporate purposes, effectively turning VPN use into a regulated service.

But it is already clear: the Kremlin is getting better at blocking VPN services, and users inside Russia who rely on VPN for accessing banned websites are going to have a harder time getting access to unfiltered information.

Self-hosted VPNs might be an option for fighting website blockings, but despite claims to the contrary, they still require some technical knowledge from the user.

From detecting 'suspicious' traffic to a 'sovereign' internet

The next stage for Russia censors after blocking VPNs by URL or IP addresses is apparently going to be identifying VPN traffic due to users' non-standard behaviour. For instance, if a user often visits the same web site and gets substantial traffic from it, that's a clear sign that they most likely use a VPN service to access various other websites.

In fact, Russian authorities are already working on ways to detect if a user's traffic goes through a VPN. In 2023-2024, an internet traffic monitoring system is expected to be developed, with a price tag of RUB1.2bn (€13mn) that will enable Roskomnadzor to detect "suspicious" traffic – basically, traffic going through a VPN service.

Russian authorities have been throwing around the idea of a "sovereign internet" for a few years now. A law "on the sovereign internet" was enacted back in November 2019, aimed at creating an independent infrastructure of DNS (Domain Name System) servers, which should eventually allow Russia to be independent of DNS servers located in other countries – mostly in Europe and in the US. The need for a "sovereign internet" was then explained by a hypothetical scenario of Russia being cut off from the global internet by "unfriendly countries," as well as by security reasons.

However, the implementation of the "sovereign internet" concept would also allow Russian authorities to voluntarily cut off Russian users from the global internet. In that scenario, instead of blocking web sites they shouldn't have access to, Russian users would be offered only a limited number of "safe" web sites – mostly run by Russian companies – that they would be able to access. Since the enactment of the law on the sovereign internet, Russian telecom operators have been forced to install equipment that will enable them to block users' access to web sites banned by the authorities.

The Russian invasion of Ukraine and Russian authorities' subsequent attempts to control access to information about the military conflict must have accelerated work on the "sovereign internet."

In mid-June 2023, Russian authorities said that a pilot project of a "protected internet" consisting of only "safe" web sites – those which are fully compliant with Russian legislation – is expected to be brought online by the end of the year. One of the new press rules introduced since the start of the war in Ukraine is that granting access to non-state-owned media has effectively become illegal.

Andrey Svintsov, deputy chairman of the information policy, IT and communications at the State Duma, the lower chamber of Russian Parliament, was quoted by the business daily Vedomosti as saying that the alternative internet will be "absolutely transparent" and users wouldn't be able to access it from "anonymous devices."

According to Svintsov, to access the "protected internet," Russians will have to register with their passports, and authorities will be able to easily locate any user. He added that the launch of the "protected internet" won't mean that Russia will voluntarily cut itself off the global web, but users preferring to use the "unprotected internet" will have to be responsible for the safety of their personal data by themselves.

Experts questioned by Vedomosti say that Russia already possesses technical capabilities for the launch of a "protected internet."