Russia’s Ministry of Digital Development, Communications and Mass Media proposes to ban the use of encryption protocols. The bill was published in late September and is in the public-discussion stage. The proposed law in its current form raises huge concerns about how to comply and at the same time provide the level of online security that businesses and consumers expect.
Background
The Ministry claims that encryption hides the name of a web page, making it much more difficult to track down resources on the Internet that contain otherwise restricted or prohibited information.
The note to the bill explains that the ban concerns the cryptographic algorithms and encryption methods TLS 1.3, ESNI, DNS over HTTPSm and DNS over TLS. If a website violates the ban it will be blocked within a business day after the violation is discovered.
It would seem that the new bill was created to make it easier for Russia’s Federal Service for Supervision of Communications, Information Technology, and Mass Media (Roskomnadzor) to block resources with prohibited content on the Russian-language internet, Runet. When Roskomnadzor’s blocking system was just beginning to work in Russia, it was assumed that filtering would work just by URL – that is, on the addresses of individual pages on Internet sites. However, the world has switched to HTTPS (a safer version of HTTP), and it is therefore impossible to block individual pages of sites using HTTPS by URL.
Unintended and other consequences
The state’s purpose is clear but seems to overlook online security. Cryptographic protocols ensure the security of the transmission, processing, and storage of information on the Internet. Encryption protocols are used by most large companies to ensure the security and confidentiality of their information. If the bill comes into force, all such websites will become illegal.
Furthermore, since it is impossible to selectively block websites with encryption protocols, precisely because of that encryption, Roskomnadzor would therefore have to block entire subnets of hosting providers. Entire ranges of IP addresses of Amazon Web Services, Digital Ocean, and Cloudflare will be at risk of being blocked. This was the case when Russia tried to block Telegram several years ago.
At the moment, the Ministry is not offering any alternatives for the safe use of the Internet. Currently websites that do not support the encryption protocols are marked as unreliable on all key Internet browsers. It is unclear, for example, how websites that must ensure the security of payment transactions are supposed to operate without encryption. Without these protocols, all personal data, credit card data, and transactions would be visible to third parties.
The Russian Union of Industrialists and Entrepreneurs (RSPP) has also reacted, warning that a ban on protocols will have negative consequences on domestic businesses. While DoH and DoT encryption protocols are gaining popularity around the world, as a result of the new law, domestic Internet companies would be deprived of the advantages that encryption protocols provide, which means that their competitive opportunities and export potential will decline.
Hopefully further time and attention will be focused on these issues with a view to resolving them before the bill is passed into law.
About the author(s)
Anna Botvinkina is a legal intern in Gowling WLG's Moscow office.
Anna provides legal support on various intellectual property and unfair competition matters.