DPI system to filter traffic is uncovered

At the end of 2018, Russian legislators introduced a bill that came to be known as the “sovereign RUnet” bill because of its attempt to insulate the Russian segment of the Internet from external threats. Among other provisions, the bill requires all Russian network operators to install special technical measures to counter threats. The document did not specify what kind of “technical measures” operators should use, but it was obvious that lawmakers had a deep packet inspection (DPI) system in mind.

The first reading of the bill in the State Duma (there are three in total) was held in mid-February. Though it was criticized for its poor financial justification (at first it declared that it would not spend money from the federal budget, but later it turned out to require 30 billion rubles) and its ambiguous wording regarding cyber-threats, the deputies overwhelmingly voted in favor of it and required revisions for the second reading. The second reading was expected to be held at the end of March, but so far there has been no move by legislators. In the meantime, however, Russian media sources uncovered some preparatory measures undertaken by the state communications watchdog Roskomnadzor.

Russian media have reported that the “Big 4” telecom operators in the country were asked to test a new DPI system on their networks on a regional scale. Roskomnadzor wanted companies to test DPI to prepare for the implementation of the sovereign RUnet bill. Citing sources in the telecom industry, the Russian media outlet RBC claims that as part of the test, Roskomnadzor wants to find out whether the DPI system can filter content from its register of prohibited resources, especially Telegram messenger. Another aim is to test traffic prioritization so that access speeds to certain services such as YouTube can be reduced.

Shifting the cost of data retention

Thus, the debate on net neutrality in Russia is moving from legal discussion to practice. At the beginning of 2018, the Media-Communication Union, which united the largest telecom operators and media holding companies in Russia, lobbied for the abolition of net neutrality in the “Infocommunication Code,” a new project proposed by the Media-Communication Union which should replace existing laws in the field of IT and communications. The head of Rostelecom (the largest state-owned operator) justified such a measure by noting that the proposed law would allow it to shift part of the costs of storing content for 6 months onto foreign Internet companies such as Google and Facebook, and away from Russian telecom operators. Russia’s data retention law, known as the “Yarovaya package,” requires all service providers to store the content of voice calls, data, images and text messages for 6 months, and the metadata of communications for 3 years.[1] The proposed Infocommunication Code would require Google and Facebook to pay operators to cover the costs for their content storage. If they decline, operators would be able to reduce the speed of access for subscribers to the services of these companies. The Russian Association of Electronic Communications, which represents more than 150 firms in the digital economy, has pushed back. It believes that the abolition of net neutrality will harm competition and lead to monopolization of the Russian market by several big players. The Association also opposes the DPI system that Roskomnadzor is pushing for, as it can be used for traffic prioritization.[2]

Who Benefits and Who Pays?

And now it has become known who will provide the DPI system for the nation-wide testing. The Russian company RDP.RU was selected by Roskomnadzor, the FSB and the Ministry of Communications after a closed competition with other DPI companies back in August 2018. The co-owner of RDP.RU acknowledged that his company showed the best results in the tests, and he is not surprised that his product will be tested on a larger scale. Russian news source Vedomosti, citing an unnamed government official, explained that after the adoption of the bill on the sovereign RUnet, providers will be obliged to install the equipment from RDP.RU. People in the government believe that DPI will allow it to block individual sites and services without harming other resources. However, during the August 2018 tests it was acknowledged that it is impossible to block the specific protocols used by Telegram and other messengers, because doing so led to disruption of banking applications and related services. Now, after only half a year, it is unlikely that RDP.RU has enhanced its DPI significantly.

In general, the reaction of the Russian technical community to Roskomnadzor’s DPI requirement is skeptical. While DPI can solve particular tasks on smaller networks, it is nearly impossible to filter all traffic on a nation-wide scale. Such equipment would have high costs and slow down traffic significantly. Another problem with DPI is its inability to distinguish traffic packets with 100% accuracy. Resources may mask their packets with signatures of a “legitimate” resource, as well as go through VPNs. The most common belief is that deployment of the DPI system is just another case of Roskomnadzor’s need to spend all of its budget allocation by a certain date. A small group of companies with close connections to the government will gain sky-high revenues for developing and vending DPI equipment under these circumstances. Notably, Rostelecom’s own venture fund owns 15% of RDP.RU. According to the current draft of the bill, Roskomnadzor will provide the equipment free of charge. The updated official description of the Federal project “Information security” of the national program “Digital economy” has a new section with a list of projects that cost 50 billion rubles (US$ 765 million) in total. Most of them relate to the implementation of measures to monitor and control the RUnet. The purchase of equipment intended to ensure the security of the “Russian segment” of the Internet is estimated at 20.8 billion rubles (US$ 318 million). Is this the expenditure for the DPI system that is now being tested by Roskomnadzor?

So, even if the RDP.RU equipment passes the test on larger operators’ networks, and an eventual law on the sovereign RUnet obliges them to install the DPI equipment, the question of who will eventually pay for it all remains open. There are no guarantees that the bill’s second and third readings will still provide free equipment for the network operators.

VPNs are under pressure

To further prepare for DPI deployment, Roskomnadzor has started to pressure VPN owners. Notably, the law banning the use of VPN services and anonymizers to access information prohibited in Russia came into force in 2017. Providers, search engines, and owners of anonymizers must connect to the FGIS (the federal state information system operated by Roskomnadzor that contains the register of prohibited resources in Russia) and “ensure compliance with the ban to provide the opportunity to use on the territory of the Russian Federation programs and other technical means to gain access to prohibited sites.” If anonymizers, including VPN owners, refuse to connect to FGIS, Roskomnadzor has the right to block them. Interestingly, Roskomnadzor can send VPN services a demand notice to connect to FGIS only after a request from law-enforcement agencies, and during recent years there was no such notice. It was hard to comply with the law, though: Roskomnadzor didn’t specify how it would distinguish VPNs for commercial and private use, and it had no technical ability to check whether anonymizers provide access to banned resources or not. But the situation changed: Google was fined for refusing to connect to the FGIS by the end of 2018. And now it is the turn of VPN services.

On 28 March 2019, Roskomnadzor sent the owners of ten VPN services requirements to connect to FGIS. TorGuard was first to refuse, and published the notice it received. Instead, it removed its servers from Russia, and ended all collaboration with data centers there. Roskomsvoboda maintained a list of VPN services that had already reacted to Roskomnadzor’s move: VyprVPN, OpenVPN, ProtonVPN and VPN Unlimited all refused to connect to FGIS; TorGuard and NordVPN will also remove their servers from Russia. Other owners, like Private Internet Access, Trust.Zone, Windscribe, Ivacy VPN and TgVPN, decided to declare in advance their commitment to protect the security and privacy of their customers and refused to collaborate with Roskomnadzor in future should they also receive the notice.

However, so far only one service has claimed it will comply with the law – Kaspersky Secure Connection. “The functions of Kaspersky Lab security solutions distributed in the territory of the Russian Federation fully comply with and will comply with the regulatory acts of the Russian Federation, as well as meet the requirements of regulators that do not affect the main purpose of the secure connection application – ensuring confidentiality and protection from data interception, for example, when using open Wi-Fi networks when making online payments in cafes, airports or hotels,” commented the press service of Kaspersky Lab.

It is unclear how the situation will evolve – whether additional VPN services will get the notice from Roskomnadzor and whether it will successfully block the violators. One thing is clear: if a service agrees to connect to FGIS, it breaks the logic of its own functioning – the VPN will have to track user activity and cut access to banned resources. But the recent activity of Roskomnadzor signals the efforts that the watchdog is undertaking on the eve of the next round of the sovereign RUnet bill discussions. It is preparing the ground for technical solutions that have to be specified in the text of the bill.

 

[1] The Yarovaya Package was a set of amendments to anti-terrorist laws. In addition to requiring all service providers to store the content of voice calls, data, images and text messages for 6 months, and the metadata of communications for 3 years, it requires messengers and social networks that use encrypted communication to permit the FSB to access and read their encrypted messages on request. Telegram messenger refused to “hand over the encryption keys” and thus has been on the Roskomnadzor blacklist for noncompliance since April 2018.

[2] Incidentally, the bill on sovereign Internet doesn’t contain any provisions that would abolish the net neutrality principle for the sake of national security.