I grew up in the New York metropolitan area, so my view of soccer is that it's kind of like hockey, except without the armor and big sticks. Even so, soccer (or as those outside the US call it, football) is of huge interest to worldwide audiences. Soccer's Super Bowl is the World Cup.
World Cup 2018 takes place in Moscow starting on June 14. If you're attending, you probably have all sorts of cybersecurity questions -- especially if you want to use your computer, phone, or tablet to access internet services.
Can VPN use in Russia land you in jail?
Over the past year, we've been reporting that VPN use is banned in Russia. We covered it in ZDNet and on our sister site, TechRepublic. I also discussed the VPN ban in my VPN Guide and in my CNET VPN service provider directory.
World Cup 2018: When it starts, how to watch and more (CNET)
That leads to the big question I've been looking at for the past two months: if you travel to Russia and you use a VPN, will you risk arrest? This is a non-specious question. We've reported that travelers to the UAE risk jail time and up to half a million dollar fine for use of a VPN in that country. So, what about Russia?
The TL;DR answer
This was harder to piece together than I expected when I first went down this rabbit hole. I have an answer, but it comes with caveats.
Let's start with the TL;DR version: you can probably safely use a VPN while in Russia. The law covers operating a VPN service, not using one. Notice the word "probably." That's because the sourcing of this answer, while credible, isn't from either a US or Russian government official and there is no official version of the law available in English.
The quest for verification
Researching American law in the United States is easy. I speak the language and I know the sources and tools. I've done it often enough. But researching law in a country whose legal structure is foreign to me, in a language I don't speak, proved challenging to say the least.
I started with the various assertions of illegality found in press coverage, including the articles we ran here and on TechRepublic. Most of them cited other western, English-language sources -- essentially everyone was citing everyone else, but none seemed to have any details of the actual Russian law.
This is the internet echo chamber at its worst. It's easy to quote other sources. It's hard to dig in and find a primary source. We quoted, for example, a Reuters report. That Reuters report had very little detail. In fact, Reuters was quoting a Russian news organization who were, themselves, quoting a source at the Duma (Russia's Congress) -- and that turned out to be a two-word citation.
I don't know about you, but I wouldn't want to base my freedom when traveling to Russia on a source that flimsy. Whispering down the lane doesn't make me feel secure.
Leading up to World Cup, IT companies face even more cyberattacks. Here's how to protect your business (TechRepublic)
I did reach out to various VPN providers and got non-comittal answers that amounted to, "Oh, don't worry your little head about it. You'll be fine."
Given that I've gotten no less than 20 promotional pitches about how to violate various local laws and terms of service to watch the World Cup using VPN services through geographic IP shifting, I figured their opinions were a bit tainted by their commercial desires.
I wanted a more definitive answer.
Trying to get more official information, I reached out to both the United States Department of State and the Ministry of Foreign Affairs of the Russian Federation.
While I didn't expect the Russian foreign ministry to respond (and they did not), I was disappointed that State didn't provide any guidance at all. Yes, I know North Korea is taking most of their attention, but the agency has been offering travel advisories for decades, so I expected to get some information on VPN use.
Plus, speaking personally, I've been woken up in the middle of the night on a number of occasions by someone at State wanting some information or another. The least I hoped for in return was an answer on VPN use in Russia. But those late-night wakers were from previous administrations and I don't know anyone in the current Foggy Bottom beyond the standard press contact. Such is life.
Also: Take home along: How a VPN can help travelers connect wherever they go
That said, State does offer travel advisories for Russia. In fact, right now State recommends "Reconsider travel." This is the second highest level of warning, just below "Do not travel" and above "Exercise increased caution."
Basically, if you were to ask the Department of State about whether you should visit Russia, their answer would be an emphatic "probably a bad idea." State recommends that because of terrorism and harassment, you stay home. If you're considering going to the North Caucasus or Crimea, just don't.
The rest of this article, therefore, applies to those of you who are ignoring that advice. Good luck with that.
In any case, while there was no mention of VPN use in the travel advisory, the country information page on the State Department website does provide these cautions:
You must have advance approval to bring in satellite telephones.
Global Positioning System (GPS) and other radio electronic devices, and their use, are subject to special rules and regulations in Russia. Contact the Russian Customs Service for required permissions.
That's it for online advice while in Russia, although there is one place in Safety and Security on the Russia page where the State Department does caution against Russian online dating site scams. Consider yourself forewarned.
After digging around over the course of weeks, I did eventually find one document that had promise.
It was Federal Law No. 276-FZ of July 29, 2017 "On Amendments to the Federal Law, On Information, Information Technologies and Information Protection," which I found on Russia's official internet portal for legal information on their State system of legal information.
Unfortunately, while Google Translate successfully translated the page's title and the title of the law itself, the actual PDF of the legal document proved to be beyond Google's capability.
I spent a few weeks shopping that 18-page document around, trying to find someone able (and willing) to translate it. I struck out.
As it turns out, that document was only an amendment to the full Russian Federation law, "On Information, Information Technologies, and Protection of Information." So even if I had gotten it translated, I wouldn't have had the whole picture.
Bring in the lawyers
To get a better picture of Russian law in this area, I turned to two lawyers, one in New York and one in Moscow. I wanted to independently consult two separate attorneys and see if I got similar advice. As it turned out, I did.
Benjamin Dynkin is a New York cybersecurity attorney and TEDx speaker. He described the structure of cybersecurity governance in Russia. According to Dynkin, the Russan Roskomnadzor (the Federal Service for Supervision of Communications, Information Technology and Mass Media), manages censorship and control of the internet. In terms of VPNs, he says:
The structure of law centers on the regulation, or more aptly ban, of providers of VPNs and internet anonymizers. This ban is achieved by the Roskomnadzor creating a database of VPNs and other providers, and blocking those sites, as well as websites offering guidance on how to circumvent government blocking of content.
By telling me this, Dynkin separately confirmed the more in-depth answer I got from Moscow, that you won't be breaking Russian law if you use a VPN. For the Moscow legal perspective, let's meet Alexander Baranchikov.
Baranchikov is an intellectual property attorney who works out of Maly Cherkassky Lane in Moscow, less than 500 feet from the Lubyanka Building, famously headquarters of the Soviet KGB and the home of the terrifying Lubyanka prison. Today, Lubyanka houses part of the FSB, the Federal Security Service of the Russian Federation.
Baranchikov translated the salient portion of the Russian VPN law. As he put it, brace yourself:
Information-telecommunication networks, information resources (a website in the 'Internet' network and (or) a page of a website in the 'Internet' network, information system, program for electronic computing machines) by the means of which an access is obtained to information resources, information-telecommunication networks, the access to which is restricted on the territory of the Russian Federation in accordance with the present Federal Law (and hereinafter also - the owner of the hardware-software facilities for the access to the information resources, information-telecommunication networks, the access to which is restricted).
In other words, says Baranchikov, this "basically means any providers of VPNs, proxies, as well as any other technologies that allow evading the blockings" are subject to Russian cyber security law. He emphasized the word "providers," to distinguish this from VPN users, like visitors to the World Cup.
He provides further detail on what kind of communication is being blocked:
The blockings, for your general understanding, are technically implemented by all the Russian ISPs and coordinated by Roskomnadzor. So, any technology that allows [you] to hide a particular source of traffic from an ISP (where you establish an encrypted connection between yourself and a server which then connects to the source) and lets you access the websites and other resources that are blocked in Russia (such as LinkedIn, Telegram, etc.).
For those of you considering travel to Russia and using VPNS, Baranchikov assures you that you won't run afoul of the law. He says, "It [Russian law] says nothing about the use of VPN/proxy at all. The law is all about providing VPN/proxy services to users. Again, the use of VPN/proxy is not regulated by the Russian law in any way at this point; there are no restrictions whatsoever for the users."
Also: Why even the best free VPNs are not a risk worth taking
I asked him if visitors are required to use certain, pre-approved VPN services while in Russia. He told me, "No, this is not the case. Any VPN service works equally well in Russia, and the existing regulations do not distinguish between particular services or particular implementations of the VPN technology."
I also wanted to know what would happen if you were in Russia and used a personally set up server or corporate VPN. Baranchikov told me:
If someone (a Russian citizen or a foreign visitor, it does not matter) has set up her own private VPN-tunnel between her device and her server (in or outside of Russia, VPS/VDS or dedicated server, it does not matter), she is also exempt from the quoted law. "Providing VPN services" means offering the service to general public. Thus, a particular person or a company can have their own VPN-tunnel without the need to comply with the described regulations.
Additional travel tips from Moscow
Baranchikov offered some additional tips for those of you visiting Moscow during the World Cup. He told me that ISPs, mobile carriers, content platforms, and social networks in Russia are obliged by the government to store, for up to three years any and all metadata on their users -- to which the Russian authorities have direct and unrestricted access.
He says this means that Russian agencies will know what websites you visited while in Russia, how long has you spent there, and what amount of traffic has been sent in both directions. He also told me this information will be stored at least until mid-2021.
Also: Inside the early days of North Korea's cyberwar factory
Baranchikov strongly recommends using a foreign VPN. He says that government monitors and the Russian providers will have no way of knowing where you go on the internet.
Here's another scary fact. If you're using your phone in Russia to make voice or text calls, it's possible they'll be tapped and stored. According to Baranchikov, as of July 1, 2018 (which is right in the middle of World Cup 2018) Russian mobile carriers are required to store all voice data and text messages of their users for at least six months.
Don't think that just because you use Verizon or AT&T, you're safe. Remember that, in order to connect to American carriers, you're probably going to have to use roaming services of the Russian providers.
The best VPN services: Our 10 favorite vendors for protecting your privacy
Essentially, Baranchikov says, beginning next month, every phone located physically in Russia (or outside of Russia in case you are a subscriber of a Russian carrier) will be wiretapped. Worse, the recordings will be stored for at least half a year (and I'm betting, given how cheap storage is, it'll be stored indefinitely).
Keep in mind that using a VPN won't prevent voice call interception, unless you use something like Skype, over a VPN.
He recommends avoiding phone calls and SMS, at least for exchanging sensitive information. Instead, he recommends using secure messaging services like Signal, although you are taking a chance with that -- as with any tool that encrypts data that can't be watched by the Russian government. I'd add that you might want to be cautious about iMessage. Even though iMessage is encrypted, Apple does say it complies with local laws, so it is possible your iMessage messages could be intercepted by Russian wiretaps.
Based on the guidance of the two lawyers, who independently confirmed each other, it's quite likely you will not be violating Russian law if you use a VPN service while in Russia.
Further, because it's entirely likely that Russian state security will be monitoring your communications, you are definitely advised to use a VPN. If you're curious about which VPN service to choose, feel free to look at the VPN directory I put together for ZDNet sister site CNET.
Finally, I'll let you in on a little secret. If I were going to Russia, I wouldn't just use a VPN. I'd set up an environment entirely isolated from my normal computing environment. Hey, there's an idea for my next article. Stay tuned. And stay safe.
RELATED AND PREVIOUS COVERAGE
How to use a VPN to protect your internet privacy
A virtual private network can go a long way to make sure that neither your ISP, nor anyone else, can snoop on what you do on the internet.
Take home along: How a VPN can help travelers connect wherever they go
It can be difficult to access your home Internet services and resources when you travel out of the country. Here are six ways a virtual private network can help.
Several privacy-busting bugs found in popular VPN services
The bugs can leak real-world IP addresses, which in some cases can identify individual users and determine a user's location.
Why a proxy server can't protect you like a VPN can
VPNs provide a lot more protection than proxy servers, even for those who just want to hide their IP addresses. Here's why you should use a VPN instead.
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.