The Kremlin is conscripting all sorts of unlikely allies in its campaign to deny accurate news and current affairs material to its citizens.
By Irina Borogan and Andrei Soldatov
It’s easy to forget that amid Russia’s continuing war of aggression against Ukraine, it is waging a relentless war to block the flow of uncensored information inside its own borders.
The Russian authorities have not wavered in their offensive on this front, and their latest objective is to deny citizens censorship circumvention tools. Virtual private network (VPN) services are probably the censor’s most feared enemy since they provide users with an invisibility cloak to enable free access to information.
So the Digital Development Ministry adopted a strategy involving a “whitelist” of services, which by choosing a limited number of acceptable providers seeks effectively to ban everything that is not included.
The government — as so often — failed to consider the law of unintended consequences. Within a short time, the ministry’s bold efforts were under fire from numerous areas, not least companies that contribute to the war effort.
The association of IT specialists, investors, and organizations sent an open letter to the ministry asking that officials stop blocking VPN services at random because the companies “use those VPNs to bypass Western sanctions.”
In response, the minister advised those companies using corporate VPNs to contact his officials so that their VPNs could be added to the whitelist. The ministry had, in other words, introduced a manual system of control and censorship for the digital world.
The Kremlin’s methods of censorship prevent not only companies but private citizens from using VPNs to access uncensored information. As in a wholly totalitarian state, repression is carried out by organizations that have nothing to do with security or censorship; and the most effective turned out to be Russian banks.
The biggest banks were instructed to punish customers using credit cards to pay for VPN services, as became clear to a liberally minded, St Petersburg-based IT engineer called Sergei.
He has opposed the war from day one, and he viewed it as essential to have uncensored information from Russian media in exile. He subscribed to a VPN service called Red Shield, which has been developed by Russian activists abroad.
But it is a challenge to pay for such subscriptions without using a Russia-issued credit card. This is why Red Shield takes payments through Lava.ru, an online service used to pay for online games.
But when our engineer tried to pay his annual subscription, using a card issued by Sberbank, the country’s largest bank, the payment did not go through. Next came an SMS: “The card transaction was rejected to avoid fraud. Please wait for a call from a number beginning 900. Online transactions are banned until confirmed.”
The engineer called the bank, but they told him that all his cards were blocked, and if he failed to answer the call, he would have to reissue all his cards.
In time, a man called from a 900 number and introduced himself as a Sber security officer. He asked what kind of website Sergei was using, and why. Perhaps he could consider other options?
Irritated, Sergei said that it was none of the bank’s business what he was buying and doing online. The Sber employee said that was a serious mistake, and that it was the engineer’s duty to help the state.
He also said that if Sergei refused to answer his questions, then all his cards, not just the one he had used, would be blocked: “You will go to the bank, and they will decide why you used this site and whether you should have any accounts at Sberbank.”
After that, the engineer changed tactics and came up with an excuse. He said that he had his online wallet on lava.ru to pay for gaming.
OK, said the Sber employee, what kind of games?
Sergei said it was just some online game on the phone.
But the Sber man didn’t let it go, so the engineer urgently googled some game that was available on the platform.
Still, that was not enough, and the Sber man requested the details of the game account on the site. The engineer refused, citing personal data protection. The Sber man accepted the argument but then asked when the engineer opened his account and what kind of transactions he had engaged in.
Published in CEPA