Authorities have blacklisted thousands of sites for political dissent since Putins re-election in 2012 but activists have subverted the system
Moscows attempt to control the internet inside Russia has come unstuck following a campaign by hackers who have subverted a system of blacklisting sites deemed inappropriate.
Since Vladimir Putins re-election in 2012, authorities have banned thousands of sites some for promoting social ills, others for political dissent by inscribing their particulars on a blacklist and forcing internet service providers (ISPs) to block them.
But in recent weeks, activists seeking to push back against the crackdown have undermined the system by purchasing banned sites and inserting the particulars of perfectly legal web pages into their domain names.
Last month, cash machines belonging to big state banks VTB and Sberbank stopped working. Major news sites and social media services were blocked and even Google became inaccessible.
The Kremlin proved incapable of putting the internet under control by technical means. The only thing that partly works is intimidation of companies and users, said Andrei Soldatov, author of The Red Web, a book about Russias online surveillance.
To make intimidation more effective you need to make the rules more vague and complicated, to make almost everyone guilty by definition, he said.
With the blacklisting system looking vulnerable, the fear is that the authorities will retaliate by introducing an even harsher system of control on what web users can view.
Already they have created a new whitelist of sites that can never be blocked. And last week, parliament passed a law banning the use of virtual private networks (VPNs), used by many to access blocked content. Hundreds of people staged a protest march in Moscow at the weekend to object to online censorship.
The internet cat-and-mouse game started five years ago when the state telecoms watchdog, Roskomnadzor, was given broad powers to censor the Russian web via amendments to a law drafted to protect children from information harming their health and development.
This provided for the creation of a register, or blacklist, of banned sites that internet service providers were required to block. Wikipedia, LiveJournal, Russias largest social network VK and largest search engine Yandex protested the law as a crackdown on the freedom of information.
With its blacklist, Roskomnadzor went after sites containing child pornography and information on narcotics and suicide. But it also bans pages for extremist statements, a slippery term that has been applied to everything from terrorist groups to liberal opposition news sites, and for information about unsanctioned public demonstrations.
In the first two years, more than 50,000 web sites were blocked, some 4,000 of them for extremism. Sites can be blocked based on a court decision or a complaint by government agencies or citizens.
The watchdogs decisions often verge on the political, such as when it blocked the site of Russias most prominent opposition figure, Alexei Navalny, in 2015 for a post that mentioned the possibility of a protest action. Navalny accused the agency of political censorship.
Almost from the start, experts warned the blacklist, which includes sites domain names and IP addresses, was ripe for abuse. At the end of May, owners of banned sites started working out that if they listed the IP address of any other webpage in their DNS [domain name server] information, providers would automatically block that site.
Besides the banks, VK and Yandex were blocked, as were the pro-Kremlin websites NTV and LifeNews. Even Roskomnadzors own site was made inaccessible. In a blog post titled Block your anus, Roskomnadzor! a 14-year-old programmer claimed that he had blocked several popular websites through the loophole.
Some of those wreaking havoc were just trolling the authorities, while others were wielding the vulnerability as a weapon in the war with Roskomnadzor, one of participants told the Meduza website without using his name.
The task of these people, and Im one of them, is to complicate as much as possible the life of all those who try to attack freedom of speech and anonymity online, he said.
IT consultant Vladislav Zdolnikov, who writes about web freedom and opposition politics for nearly 20,000 followers of his channel on the anonymous messaging service Telegram, posted a list of banned domain names that had been vacated by their original owners. Within 15 minutes, they had almost all been purchased.
I was demonstrating the criminal incompetence of Roskomnadzor, which not only ignored the vulnerability, but also didnt delete from the register domains that had freed up, he told the Guardian.
Roskomnadzor accused Zdolnikov and web developer Alexander Litreyev, both of whom are activists at Navalnys anti-corruption foundation, of orchestrating the blocking of innocent sites and asked the interior ministry to open an investigation. The two men have since fled to Kiev.
The agency also issued a new whitelist of several thousand sites that couldnt be blocked under any circumstances, most of them government pages, and expanded it on 11 July.
Many providers have neither the equipment nor the staff to sift through constantly changing IP addresses and make sure blacklisted sites are being blocked and whitelisted sites are not, according to Sarkis Darbinyan, a lawyer for the RosKomSvoboda project that promotes free internet.
More importantly, Roskomnadzors methodology raises concerns about the future of internet freedom in Russia. Darbinyan said internet regulation was moving toward the presumption that everything is forbidden except what is explicitly allowed.
The topic is especially sensitive after Navalny held huge unsanctioned protests in downtown Moscow in March and June, many of whose participants said they had been inspired by his viral YouTube video showing the extravagant real estate holdings of prime minister Dmitry Medvedev.
Already, a package of amendments known as the Yarovaya law, which was passed last year and will come into effect in 2018, has caused huge controversy. The legislation will require telecoms providers to store information about all their users communications, from calls to emails, for six months.
Besides privacy complaints, implementing the technology to store so much information is estimated to cost 4.5 trillion roubles (60bn), costs that telecoms companies will likely pass on to consumers.
Many view new legislation regulating anonymisers and VPNs like Telegram as the next step in the Kremlins gradual crackdown on the web. According to Soldatov, since it is technologically difficult for these services to block sites, they will be easy targets for pressure and intimidation if the law passes as expected.
This law, like the other laws that censor the Internet, will be applied selectively, Zdolnikov predicted, at times when its advantageous to the regime.