Broadband and mobile providers were in for a shock on Friday after the government – without consultation – amended the Russia sanctions legislation to state: “A person providing an Internet access service must take reasonable steps to prevent a user of the service [in the UK] from accessing … an Internet service provided by a specific person.”
On the surface, the wording of this surprisingly broad amendment to The Russia (Sanctions) (Withdrawal) Regulations 2019 seems simple, and an “Appointed Person” seems to be someone whom the foreign minister deems to fall within the scope of that sanction (i.e. someone who has been sanctioned by the UK Government). Fair enough, you might think.
NOTE: Hopefully no explanation is needed of the many reasons why sanctions are currently being imposed on Russia.
However, an additional Explanatory Memorandum later confuses this by trying to clarify that ISPs “must take reasonable steps to prevent users of the Service [in the UK] from accessing web pages provided by a named person. This will likely come in the form of URL blocking.” Except that’s not what the legislation itself says, which is broader and defines an “internet service” as a “Service provided over the Internet.”
At this point we will try to avoid a lengthy explanation by giving a simplified summary of the main points of contention. We also recommend reading Neil Brown’s excellent blog post on the subject, from the law firm decrypted.legal, for a fuller explanation of the issues. But to simplify…
Simple summary of the main issues
➤ How are Internet providers supposed to identify which “Internet Services” are “provided by a named person”? We’re not sure, but the government may be able to create some sort of blacklist (e.g. website domains or IP addresses/ranges) to fill in the gaps. We assume that further guidance on this will be published shortly.
➤ The question of which ISPs will be affected by this change is a big one. The sanction does not appear to distinguish between consumers and businesses, but captures “a person who provides an Internet access service”, which could seemingly include anything from major broadband ISPs to personal Wi-Fi hotspots on your smartphone, possibly even VPN providers or your home broadband router, etc. It’s incredibly broad.
➤ Not all ISPs have developed or implemented network-level blocking (censorship) tools, especially smaller providers without the necessary budget for such filtering systems. On the other hand, the requirement to take “reasonable steps” (i.e. it’s not an absolute) means providers could probably get away with just basic DNS-level blocking or something similar, assuming they’re told what to block in the first place.
➤ All blocks imposed at ISP level can be easily bypassed by people with only basic IT skills (DNS, VPN, third-party proxy servers, etc.). This isn’t the ISP’s fault, it’s just the way the internet was designed.
The UK’s telecoms regulator, Ofcom, has to oversee all of this and monitor compliance. Undoubtedly, ISPs will have MANY questions for them. However, providers who fail to comply with the new sanction (or a related information retrieval request) face a fine of up to £1m. So tough luck if you just set up a personal WiFi hotspot on your cell phone but, oops, forgot to check the latest Russian sanctions list and make sure you’re implementing all the right blocks. It would be funny if it wasn’t actual legislation.
Adrian Kennard, chief of ISP Andrews & Arnold (AAISP), said (blog):
“I can’t stress this enough, we’ve never had an order to block anything or a prior legal obligation to do so, really. It is not, in my view, “reasonable” to expect us (in payment or otherwise) to magically implement such a measure, particularly between the time it is presented to Parliament at 5pm on 27 April 2022 and when it comes into force on 29 April 2022, really. Or even (since it costs a lot) later.
What can we do?
At the push of a button we could block some domains on our DNS servers but the customer doesn’t have to use them so that wouldn’t meet the requirement. And oddly, public DNS providers like 22.214.171.124 and 126.96.36.199 are not subject to this order – why?
In fact, if we had a way to block routing to some IPs (and remember we are not allowed to “overblock” to comply with net neutrality laws), customers are allowed to, and often do, use VPNs, so it actually wouldn’t be effective.
I’m not sure we could take “appropriate” technical measures.
So what do we do?
Well, the first step is that we ask OFCOM for the list of services and see what we get. That’s it for now. To be honest, I don’t expect a list that somehow solves the problem.”
Adrian also suggested that perhaps ISPs could become compliant simply by “[asking] customers nicely” not to access such services, which might be enough to qualify as a “reasonable” step. It is at least no less absurd than expecting anyone offering an internet service – personal or otherwise – to comply with the new legislation. That is, provided that the provider can first identify with certainty which services the state actually wants to block.
UPDATE 12:29 p.m.
The following is an excerpt of a related message sent to carriers by DCMS (government), which adds a bit more context.
The exact limitation will depend on the service being provided, with full details set out in the Statutory Instrument and accompanying rationale. Most relevant to your organization are the requirements for fixed and wireless broadband providers to take reasonable steps to prevent UK users of their service from accessing websites provided by a specific person.
This will likely come in the form of URL or DNS blocking. The restrictions apply to people who have been nominated by the UK Government and we expect the nominations to be announced shortly. The Explanatory Memorandum also designates Ofcom as the designated body responsible for monitoring compliance with the measure, and Ofcom will contact you separately.
We know you may need assistance to ensure sanctions are implemented as smoothly and efficiently as possible.