“The government agency and its technical specialists cannot win this game, even if they escalate the conflict.” Russian developers wrote a letter to Mishustin (not Putin) saying that blocking the Internet was useless. Full text

The association of software product developers “Domestic Soft” wrote a letter to the Russian authorities, in which it proposed creating a “joint body to develop a balanced blocking policy – together with professional specialists from the IT community.” A letter addressed to Prime Minister Mikhail Mishustin and Head of the Presidential Administration Anton Vaino (but not personally to Vladimir Putin) appeared on the organization’s website. According to the ARPP, authorities must recognize prevention policies and technical methods for implementing them as “unsuccessful” and review them. The software developers suggest easing the blocking “so that residents can notice this effect in their daily activities.” Medusa publishes Organization letter completely.

Dear Mikhail Vladimirovich! Dear Anton Eduardovich!

The Association of Software Product Developers (ARPP) “Local Software” wants to express its position on limiting the use of VPN protocols and VPN services in Russia.

As of April 1, the Ministry of Digital Development, Communications and Telecommunications of the Russian Federation has imposed restrictions on the use of VPNs for Russian citizens and companies. By order of the ministry, starting April 15, internet platforms and service providers are required to identify users who use VPNs to bypass restrictions and limit their access to the platforms. This was done by a simple order from the Ministry, without adopting a decision or regulation, and without discussion with the public and its IT industry.

Initially, the state declared a well-founded and justified desire to increase control and influence over what is happening in Russia’s information space. But as a technical solution to carry out this mission, the complete blocking of unwanted digital platforms, such as Facebook, Twitter and Instagram, was chosen, in addition to slowing down YouTube and Telegram. This is due to the abundance of offensive content on these platforms, the inability to block individual pages and videos of these platforms, as well as the refusal of their owners to cooperate with the Russian regulator and comply with the laws of the Russian Federation.

Are you angry about the ban? We understand! No one should tell you what to read or where to network. We are doing our best to help people in Russia maintain access to free internet. But we need your help. Dear readers, not in Russia, We ask that you make a small monthly donation. We know there are hundreds of other people who can do this. Dear readers in Russia, You also have the opportunity to support us. Together we will overcome this.

As the number of blocked Internet resources increases, the reliability of these bans decreases, and the number of users using VPN services to bypass the ban is rapidly growing. Bypass services have evolved, become easier to use, and have become more widespread.

The ministry’s next decision during the escalation of the struggle was to close the bypass services themselves. However, with the introduction of blocking services and VPN protocols, the functionality of the Internet in Russia was disrupted, because blocking did not take into account the technological and social realities of how the Internet and its Russian sector work. Which are:

1. There is no foolproof way to distinguish between a VPN and “regular” encrypted Internet traffic.
2. There is no technical way to differentiate between “legitimate” corporate VPNs and VPNs designed to bypass blocks.
3. Any user or company can now connect or create their own VPN server. The blocking policy has made VPN technology widely known and accessible to millions of unqualified users.
4. The bans will stimulate opponents of the Russian Federation (in particular, the United States) to accelerate the development of sophisticated block bypass technologies, as well as to disguise the traffic of various applications as VPN traffic in order to issue false device blocking alarms (TSPU).
5. Since it is impossible to reliably distinguish between “legitimate” and “anti-block” VPN traffic, VPN blocking already causes and will increasingly cause false positives in the future, which means crashes and bringing the Russian part of the Internet into an inoperable state.
6. At the same time, VPN blocking does not solve the problem of blocking blocked resources, because in addition to VPN, there are other ways to bypass blocking (proxies, special equipment settings, etc.).

<…> Measures taken by the Russian Ministry of Digital Development to combat blocking bypass led to the fact that in the Russian Federation, systemic problems in the operation of the Internet have been observed since the beginning of April.

In addition, attempts to block VPNs cause serious problems in the work of Russian software developers, namely:

1. Problems with accessing open source libraries located on foreign resources. Programmers use VPNs to work on open source code in Western repositories to avoid revealing their Russian IP address. 99% of modern software uses open source code, the vast majority of which is located in countries unfriendly to the Russian Federation. Without it, software development is now impossible, and VPN blocking makes this access difficult, interfering with import substitution.
2. DPI systems, like any recognition systems, inevitably create false positives and block something that was not identified. Thus, on April 14, one of the largest Linux repositories, Debian, was blocked for several hours, and before that the Rust repository was blocked. Such failures put local developers out of business.
3. Many local IT companies employ the labor of foreign developers working from abroad. VPN limitations made using it difficult.
4. Companies exporting their software products have had serious problems communicating with their foreign partners, as this is traditionally done either through blocked instant messengers or via a VPN.

Another consideration must be added to what has been said. For the past 30 years, local developers have been learning foreign programming languages ​​and IT products and tools. Most programming terms, development information, and programming libraries are in English, making programmers dependent on the global IT community. They do not feel tied to their country and can easily find work anywhere in the world. Deteriorating political and working conditions may prompt them to take such steps. The fall 2022 mobilization has already led to an outflow of tens of thousands of value developers; Some of them were difficult to return.

Access restrictions make developers reluctant and eager to circumvent these restrictions. Currently, hundreds of programming forums in Russia are discussing how to overcome difficulties in accessing familiar platforms and the necessary repositories and services. Programmers treat blocking as a technical problem, and look for technical ways to solve this problem.

This means that the ban causes active technological resistance from the popular community of programmers and IT specialists, the total number of which in Russia reaches 1.2 million people, whose total competencies significantly exceed everything that can be organized and used in government departments.

The government entity and its technical specialists cannot win this game, even if they escalate the conflict by coming up with more measures and penalties for individuals and companies that would intensify this confrontation.

In particular, as far as we know, further escalation of blocking in the form of VPN whitelists for use by companies is being discussed. This will also be an ineffective measure: even if companies manage to enforce “whitelists,” grass-roots developers will use other, more sophisticated ways to bypass the blocking, instead of those prescribed by their bosses (in particular, so as not to be blocked by Western services and libraries, which will immediately become aware of such a “whitelisting”). Besides, forcing IT companies to go abroad with a fixed set of whitewashed services means helping implement anti-Russian foreign sanctions.

The final important consideration is that the problem of blocking access is no longer a purely technical problem (which it was not to begin with), but has become a markedly political problem, causing massive dissatisfaction with the authorities both in the IT community and among the general population, which is directly visible in ratings and opinion polls.

What to do?

1. The blocking policy, as well as the technical methods of the blocking, must be recognized as unsuccessful and reviewed.
2. This should be done publicly by announcing a review of the lockdown policy, while at the same time easing the lockdown so that residents can notice this impact in their daily activities.
3. It is necessary to establish a joint body to develop a balanced blocking policy, in cooperation with professional specialists from the IT community. The IT community knows how to combat negative Internet phenomena (viruses, attacks, scammers, phishing, spam) very effectively, and these competencies can and should be used.
4. The Association of Software Product Developers “Domestic Software” is ready to allocate its best technical specialists from different companies to such a conciliation body, until the problem reaches the next level of escalation, layoffs and another wave of departures abroad in the IT environment begin. We are ready to think and propose balanced measures for the sovereignty of the information space of the Russian Federation without destroying the Runet infrastructure.