On the surface, it's all about protecting Russian kids from internet pedophiles. In reality, the Kremlin's new "Single Register" of banned websites, which goes into effect today, will wind up blocking all kinds of online political speech. And, thanks to the spread of new internet-monitoring technologies, the Register could well become a tool for spying on millions of Russians.

Signed into law by Vladimir Putin on July 28, the internet-filtering measure contains a single, innocuous-sounding paragraph that allows those compiling the Register to draw on court decisions relating to the banning of websites. The problem is, the courts have ruled to block more than child pornographers' sites. The judges have also agreed to online bans on political extremists and opponents of the Putin regime.

>The new system allows ISPs not only to filter traffic, but to monitor it on a nationwide scale.

The principle of internet censorship is not a new one to the Russian authorities. For five years, regional prosecutors have been busy implementing regional court decisions requiring providers to block access to banned sites. To date this has not been done systematically: Sites blocked in one region remained accessible in others. The Register removes this problem.

The new system is modeled on the one that is used to block extremist and terrorist bank accounts. The Roskomnadzor (the Agency for the Supervision of Information Technology, Communications and Mass Media) gathers not only court decisions to outlaw sites or pages, but also data submitted by three government agencies: the Interior Ministry, the Federal Antidrug Agency and the Federal Service for the Supervision of Consumer Rights and Public Welfare. The Agency is in charge of compiling and updating the Register, and also of instructing the host providers to remove the URLs. If no action by the provider follows, the internet service providers (ISPs) should block access to the site in 24 hours. The host providers must also ensure they are not in breach of current law by checking their content against the database of outlawed sites and URLs published in a special password-protected online version of the Register open only to webhosters and ISPs.

Most importantly, however, the new Roskomnadzor system introduces DPI (deep packet inspection) on a nationwide scale. Although DPI is not mentioned in the law, the Ministry of Communications – along with the biggest internet corporations active in Russia – concluded in August that the only way to implement the law was through deep packet inspection.

"At the end of August, under the chairmanship of Communications minister Nikolai Nikiforov, a working group was held, drawing representatives of Google, SUP Media (the owner of the Livejournal social network), and of all the other big hitters. They discussed how to ensure that the [filtering] mechanism – they used the concrete example of YouTube – how to block a specific video, without blocking YouTube as a whole. And they reached the conclusion that pleased them all," Ilya Ponomarev, a member of the State Duma and an ardent supporter of the law, told us.

Are we are talking about DPI technology? we asked.

"Yes, precisely."

Most digital inspection tools only look at the "headers" on a packet of data –- where it's going, and where it came from. DPI allows network providers to peer into the digital packets composing a message or transmission over a network. "You open the envelope, not just read the address on a letter," said an engineer dealing with DPI. It allows ISPs not only to monitor the traffic, but to filter it, suppressing particular services or content. DPI has also elicited concern from leading privacy groups over how this highly intrusive technology will be used by governments.

"No Western democracy has yet implemented a dragnet black-box DPI surveillance system due to the crushing effect it would have on free speech and privacy," said Eric King, head of research at Privacy International. "DPI allows the state to peer into everyone's internet traffic and read, copy or even modify e-mails and webpages: We now know that such techniques were deployed in pre-revolutionary Tunisia. It can also compromise critical circumvention tools, tools that help citizens evade authoritarian internet controls in countries like Iran and China."

"There are basically two functions in DPI – filtering and SORM," added IBM East Europe Business Development Director Boris Poddubny, referring to the Russian government surveillance system for monitoring both internet traffic and phone calls. "There may be devices to copy traffic. DPI helps analyze it. And there will be a detailed log: what is downloaded by whom, and who looked for what on the internet."

The Moscow headquarters of Russia's Federal Security Service, the successor to the KGB. Photo: Andrei Soldatov

Off-Guard ———

September of 2012 saw several prosecutors request that access to the "Innocence of Muslims" video be blocked in various different Russian regions. On Sept. 27, the three largest mobile and internet service providers – MTS, VimpelCom and Megafon – restricted access to the inflammatory movie trailer. VimpelCom blocked access to websites that posted the video, which made YouTube as a whole inaccessible in Chechnya, Dagestan, Kabardino-Balkaria, Ingushetia, Karachay-Cherkessia, North Ossetia and the Stavropol Region. But MTS and Megafon succeeded in blocking access just to the video itself thanks to DPI.

It seems the Russian authorities have been busy testing the ground in applying the most advanced internet-censorship technologies, an idea that has obsessed the Kremlin for the last two years.

After the Arab Spring, the Kremlin gave serious thought to developing facilities for averting "enemy activity" on the Russian internet. The problem had, at various levels, been a hot topic since summer 2011. The Collective Security Treaty Organization (the Moscow-led regional defence alliance consisted of Russia, Belarus, Armenia, Kazakhstan, Kyrgyzstan and Tajikistan), member states' heads of state, prosecutors general and the security services all addressed it. The growth of political activism in their countries and the role of social networking sites in mobilizing protesters only increased the paranoia.

Russia's security services started developing a strategy for the blogosphere and social networking sites, but had not managed to develop anything concrete before the December 2011 protests that were prompted by Vladimir Putin’s campaign to return to the presidency. The services were used to dealing with threats of a more traditional nature, and were confused when faced with a protest organization with no center – but that instead worked through social networking sites.

>'This allows the state to peer into everyone's internet traffic and read, copy or even modify e-mails and webpages.'

According to our sources in the secret services, on a technical level they were powerless to deal with social networks, especially any that were based outside of the country, such as Facebook and Twitter ("What can we do if [the pro-Chechen] Kavkazcenter opens a page on Facebook?" was their most desperate question).

Not surprisingly, the best the St. Petersburg Federal Security Service (FSB) department could do on the eve of the major protest rally in Bolotnaya Square on Dec. 10 was to send a fax to Pavel Durov, the creator of the St. Petersburg-based VKontakte social network, requiring him to close down protest groups. Durov refused. The next day, he was summoned to the St. Petersburg prosecutor’s office to explain himself. Durov did not attend, the story came out, and that was the end of the matter.

On March 27, 2012, this failure was indirectly recognized by the First Deputy Director of the FSB, Sergei Smirnov. At a meeting of the Regional Anti-Terrorist Structure within the Shanghai Cooperation Organization – an international group founded in 2001 by China, Russia and Central Asian states – Smirnov said: "New technologies are used by Western secret services to create and maintain a level of continual tension in society with serious intentions extending even to regime change…. Our elections, especially the presidential election and the situation in the preceding period, revealed the potential of the blogosphere." Smirnov stated that it was essential to develop ways of reacting adequately to the use of such technologies and confessed openly that "this has not yet happened."

The solution appears to have been found in the summer, when the State Duma approved the amendments, effectively raising the internet-filtering system to a nationwide level, thanks to DPI technologies.

Maybe because government officials had, for so many years, claimed that Russia could not adopt the Chinese and Central Asian approach to internet censorship, the solution took the national media, the expert community and the opposition completely by surprise.

In fact, the ground had been carefully prepared over a period of years, since DPI technology had first entered Russia in the mid-2000s for purely commercial reasons.

Here is the Lear Jet factory in Wichita, Kansas in 1964. Serial number 012 would go on to be Clay Lacy's first demonstrator aircraft (N1965L seen in most of these photos). This particular airplane was used to give many rides and popularize the Lear Jet brand. Photo: Clay Lacy Aviation (R to L): Duma member Ilya Ponomarev, IBM's Boris Poddubny, RGRCom CEO Roman Ferster, and Inline Telecom Solutions' Alexander Shkalikov are all intimately involved in expanding Russia's deep packet inspection efforts.

Suppression ———–

"We got our first client in 2004, it was Transtelecom. But it was its security department, so DPI was intended for its internal network," said Roman Ferster, CEO of RGRCom company, the main distributor of Allot DPI technologies in Russia.

Ferster – short, stocky and energetic, with a slight Israeli accent – founded RGRcom in 2003 to sell telecom technologies made by Israeli corporations in Russia. Allot, which focuses exclusively on manufacturing DPI solutions, suited his business perfectly. His small team of just over 20 people is Allot’s exclusive partner in Russia. They helped install Allot devices in the Tatarstan region, in the Far East, in VimpelCom’s ISP network in Moscow, in the Ural regional operator’s network, and so on.

Ferster's company also offers Russia technology that can solve the technical problem of blocking a single video clip instead of YouTube as a whole.

Allot initially targeted corporate networks and small regional ISPs, not the big long-distance providers and mobile operators. DPI did not really arrive in Russia until the end of the 2000s, and now many of the biggest DPI technology vendors have a presence in Russia: Canada's Sandvine, Israel's Allot, America's Cisco and Procera, and China's Huawei. By the summer of 2012, all three national mobile operators in Russia already had DPI at their disposal: Procera was installed in VimpelCom, while Huawei’s DPI solutions are in use in Megafon, and MTS bought CISCO DPI technology.

"The first bell rang in Russia when we got torrents. Because the torrents occupy all available bandwidth," Ferster's chief engineer Vasya Naumenko recalled. "When it began, operators came to think how to solve it. And it turned out that there is no other option except DPI. No switch, no router, not even Cisco, can solve the problem. This is the level of applications, and in any case it's necessary to open the packets and see what's inside."

"Mobile operators faced with that when they presented the mobile internet. As soon as they began to distribute USB-modems, it became a problem," confirmed IBM's Poddubny.

Poddubny shared his thoughts in a Starbucks at the center of the most fashionable part of Moscow City, at the foot of the tower "City of Capitals" on the Moscow river bank, next to the IBM headquarters. It's a striking contrast to RGRcom's offices: a few rooms on the seventh floor in a modest business center in the outskirts of Moscow. "We saw that customers started being interested in DPI two-three years ago. This interest arose for one simple reason: peer-to-peer protocols. There are a lot of people who download audio and video files in large quantities. According to some studies, this accounts for over 80% of traffic."

>'There will be a detailed log: what is downloaded by whom, and who looked for what on the internet.'

It appears that the only decision the mobile operators found was traffic shaping. This euphemism means that, thanks to DPI technology, mobile operators acquired a tool they could use to suppress particular services – in most cases torrents, peer-to-peer protocols and Skype, which poses a threat to the VoIP solutions made by the mobile operators themselves.

The ISPs turned out to be more hesitant in adopting DPI technologies. All the engineers we have interviewed, who deal with DPI in Russia, told us that most ISPs do not understand why they need to install this technology.

"The key difference in approaches is the tariff system. Mobile operators have lots of tariffs while ISPs enjoy a very strange position: it’s not clear how they intend to make money because they have turned themselves into the pipeline," said Alexander Shkalikov, a Systems Engineer at Inline Telecom Solutions, the company that started to sell Sandvine in Russia in 2007 and is its main partner in the country. Inline Telecom has just installed DPI devices on the network of the national long distance operator Rostelecom in the Far East Region. "As a result, every region from Kamchatka to Yakutia got the Sandvine DPI," said Shkalikov.

The introduction of the law requiring DPI to be in place has done nothing to change the internet service providers' attitude, Shkalikov said. "Right now the ISPs want to shift the problem of the traffic control to someone else's doorstep. They don't want to buy DPI themselves, because it costs over $100,000 and small operators simply cannot afford it."

That said, small ISPs seem to have already found a cheap solution, Shkalikov explained. "There is a big market of used CISCO DPI solutions, you can buy them for truly laughable sums. Something like $2,000 (in the US – in Russia the real figure is $7,000, bearing in mind that a new device costs over $100,000). And software can be stolen. CISCO is less functional than Sandvine, but it might at least satisfy the state regulator."

The governments in many countries with questionable democracy and human rights records are fully aware of how to turn commercial advantages of DPI into the tool of suppressing dissent activity online. The secret services in Uzbekistan, for example, compel local providers to use DPI to change the URLs of discussion groups in social networks.

Technically, it poses no problem, Alexander Shkalikov of Inline Telecom confirmed. DPI allows for identification of those trying to access a site or page even if it’s blocked. "It’s possible to identify not only the IP, but logins, and that’s easier for the internet service provider. We advise our clients to configure DPI to work with logins. As a result they can have statistics about who is who. For example, some ISPs are interested in identifying who the spammers in their network are."

In September 2012 it became clear, that DPI’s identification capabilities could be combined neatly with the Russian nationwide system of legal interception, the foundations of which were laid in Soviet times.

Moscow's Central Telegraph Building, which houses the Ministry of Communications. Photo: Wikimedia

Crossed Lines ————-

In the mid 1980s a KGB research institute developed the technical foundations of what was later to be known as SORM – a nationwide of automated and remote legal interception on all kinds of communications.

Full implementation of the project only happened in 1992, when the Ministry of Communications signed-off on the first SORM-related document, forcing telecom operators to allow the secret services to intercept phone conversations and mail. The public first became aware of SORM in 1998 when the FSB, Ministry of Communications, and supervisory agencies developed new regulations for installing interception devices on servers run by ISPs. In the first decade of the millennium, SORM equipment was installed by all ISPs and operators of mobile and landline networks.

>If you know an opposition leader is a customer of a known operator, you can copy all of his traffic.'

Meanwhile, there is a principal difference between SORM and today's DPI push. The SORM devices are manned by the agents of the secret services, while DPI technology is at the disposal of the ISPs and mobile operators. However, the line might be crossed very soon – which would suit the companies and the Ministry of Communications just fine.

On September 27, Russia's largest information security conference featured a panel on "SORM in the Environment of Convergence." The talk was intended for professionals, and the room in the international exhibition center Krokus Expo in the north of Moscow was filled with the chiefs of SORM departments at mobile operators and the Moscow city phone network, as well as representatives from surveillance equipment manufacturers. The most honored guest was Alexander Pershov, deputy director of the Department of State Policy at the Ministry of Communications.

DPI quickly emerged as one of the hottest topics of the discussion. Many in the room seemed certain that the only way to guarantee legal interception in the new era of cloud computing and communications is DPI technology. It was a conclusion that the representative of Huawei in Russia was only happy to support.

The idea of connecting SORM with operators' DPI seemed not to bother anybody in the room. Alexander Pershov, long-serving official with the Ministry of Communications, outlined the Ministry’s general way of thinking: "The requirements for building networks need to be coordinated with the FSB to ensure that everything is done properly in terms of SORM."

Technically it poses no problem, we were told by engineers dealing with DPI.

"Allot is perfectly compatible with SORM, and we know it," Roman Ferster confirmed. "There is a very simple solution," Alexander Shkalikov said. "We did it. [With] DPI, [we] can simply mirror traffic, not redirect it. This is very convenient because DPI [helps] you copy not all traffic but only a certain protocol or traffic of certain customers. For example, if you know that [Alexei] Navalny, one of the most famous opposition leaders, is a customer of a known operator, you may get all Navalny traffic to be copied through the DPI to the external system. It's real. And it even shows you which sites he has been to."

The surveillance technology that works for tracking Navalny can work for millions of Russians. And the switch gets flipped on today.

A joint investigation by Agentura.Ru, CitizenLab and Privacy International.