Since the start of war in Ukraine on February 24, Russian authorities have tried to turn their country’s internet into an island, severing its ties with the global internet. Almost 400 news websites, 138 finance sites, 93 antiwar sites, and three social media platforms have been blocked, according to Top10VPN.com.
As the number of blocked sites grew, huge numbers of Russians turned to VPN companies—which connect users in one country’s censored internet to a server in another country, where there are less restrictions—as bridges out of Moscow’s shrinking internet. After Russia invaded Ukraine, VPN companies say the number of Russian users has spiked. The VPN company Windscribe told WIRED that almost a million people from Russia had signed up since the war started, 20 times the usual rate. Another provider called Psiphon said its number of daily active users in Russia jumped to more than 1.1 million immediately after Instagram was blocked, before settling at 650,000.
But VPN companies have not escaped Russian censorship. “[The internet regulator] Roskomnadzor is reacting very nervously to the rapid growth of the VPN market,” says Mikhail Klimarev, executive director of the Internet Protection Society, a Russian digital rights group. Roskomnadzor made more than 12,800 requests for Google to remove URLs under the country’s 2017 “VPN law” between March 13 and March 25, according to the Lumen database, an archive that documents legal requests for the removal of online content. The database does not detail what the URLs are, and Google did not reply to WIRED’s request for comment.
Life is getting more complicated for VPN companies that cater to Russian users. Around 20 VPN services have already been blocked in the country, and the authorities have plans to block more, according to politician Alexander Khinshtein, chairman of Russia’s Committee on Information Policy, Information Technologies, and Communication in the Duma, the country’s main legislative body. “VPNs get blocked daily. It's not an easy task, but it gets done,” he said on March 15 in a live broadcast on the VK social media platform.
“There has been large-scale disruption of VPN protocols in general over the last two weeks or so,” says Michael Hull, cofounder of Psiphon, adding that his company has always found a way to continue operating. “Typical protocols [technology which VPN companies use to bridge their users to the open internet] such as OpenVPN and other more or less trivial VPN protocols have been completely blocked.” OpenVPN’s CEO, Francis Dinha, says he has seen no indications that the company's protocol is blocked but adds “we have no way of confirming whether this is true at this point.”
Not only are VPN companies struggling with increased attention from the authorities, but sanctions mean Russian users are struggling to pay for their services. Russians “have no way of paying right now for any VPN service, because they can't pay using Visa or MasterCard, they can't use Google Play, they can't use Apple Pay,” says Yegor Sak, founder of Windscribe, referring to all the companies that have withdrawn their financial services from the country in the past few weeks. Sanctions also mean Windscribe has not been able to find a way of paying its Russian hosting companies, Sak adds.
But the war in Ukraine has also reignited a debate within the VPN industry about whether these companies offer a safe way to dodge Russian internet censorship. “The most popular VPNs in Russia are free services,” says Simon Migliano, head of research at Top10VPN.com. “These VPN services are operated by highly opaque entities. It's very difficult for the average consumer to learn anything about the companies with whom they will be entrusting their data, and some of these companies make great efforts to keep it that way.”
Finnish company F-Secure told Germany's Der Spiegel newspaper that it stopped offering its VPN product, Freedome, inside Russia in 2017 to avoid creating a false sense of security for users who wanted to avoid government scrutiny. “We have very consciously taken the decision to not sell our VPN in Russia,” Antero Norkio, F-Secure’s VP of consumer security told WIRED. “The Russian government will not necessarily allow you to provide a proper VPN that is truly safe from the user's perspective. For example, authorities can require access to the VPN service that would subject consumers to state surveillance or block access to web services mandated by the state.”
F-Secure says it only operates in countries where it can follow local laws. But that law-abiding stance is not echoed by all its competitors. Instead VPN companies still working in the country say they operate by quietly ignoring the rules.
Russia has been wrestling with the growing popularity of VPNs for years. In November 2017, the country introduced the so-called VPN law, which tried to force companies to block restricted websites. VPNs are required to prevent users from accessing any URL listed in Roskomnadzor’s Unified Registry of blocked websites, which now includes Facebook and the BBC, according to Harold Li, vice president of ExpressVPN, who says his company does not comply. F-Secure was one company that got spooked, halting sales of its VPN products one month before the law went into effect.
For foreign companies that did not pull out, the VPN law was a boost. They became the anti-regime alternative because they could afford to skip the rules; they had no local staff that would face the consequences. “None of the most prominent services at present are Russian,” says Migliano. Instead the market now features international companies based in countries like the Seychelles and the British Virgin Islands that are happy to dodge the country’s laws to maintain access for Russian users. “Some Russian companies that tried to comply with the law ended up closing,” says Klimarev, of the Internet Protection Society. “No one was buying these services.” Now the group advises Russians users only to buy VPN services from foreign companies.
When the authorities block the foreign VPNs that refuse to comply, those companies find workarounds.
In September 2021, Russia’s internet watchdog Roskomnadzor took aim at six leading VPN companies and restricted them for violating Russian law. The regulator claimed these companies were creating “an environment for unlawful activities, including those related to the spread of drugs and child pornography, extremism, and incitement to suicide.” ExpressVPN, which was one of the companies on the list, says it was targeted because it refused to block access to news sites, secure email services, and political opposition content. “We said at the time, publicly, that's not something we would do. It's antithetical to the reason that we provide a VPN service,” says ExpressVPN’s Li, speaking from Singapore. “As we understand it, [the ban] was a follow-up action to that.”
Right after the company was banned, Li says there were attempts to block ExpressVPN’s traffic. But the company was able to get around these by disguising its VPN traffic to look like regular traffic so it can’t be spotted by the authorities. “We prefer not to talk about it in great detail, but largely, it is just changing how our data packets look,” says Li, although he is bracing for more sophisticated blocking that copy techniques used by other countries where ExpressVPN already operates.
“Blocking IPs and domains or reducing people's ability to access app downloads is something that we could see dial up, as we have seen in many other countries,” Li adds. “There's reason to be worried.”
- 📩 The latest on tech, science, and more: Get our newsletters!
- It’s like GPT-3 but for code—fun, fast, and full of flaws
- You (and the planet) really need a heat pump
- Can an online course help Big Tech find its soul?
- iPod modders give the music player new life
- NFTs don’t work the way you might think they do
- 👁️ Explore AI like never before with our new database
- 🏃🏽♀️ Want the best tools to get healthy? Check out our Gear team’s picks for the best fitness trackers, running gear (including shoes and socks), and best headphones