Russians need VPNs. The Kremlin hates them

    But the war in Ukraine has also reignited debate within the VPN industry over whether these companies provide a secure way to circumvent Russian internet censorship. “The most popular VPNs in Russia are free services,” said Simon Migliano, head of research at Top10VPN.com. “These VPN services are run by very opaque entities. It is very difficult for the average consumer to know about the companies they will be entrusting their data with, and some of these companies are doing everything they can to keep it that way.”

    Finnish company F-Secure told Germany’s Der Spiegel newspaper that it stopped offering its VPN product Freedome in Russia in 2017 to avoid a false sense of security for users who wanted to avoid government scrutiny. “We made a very conscious decision not to sell our VPN in Russia,” Antero Norkio, F-Secure’s VP of Consumer Security, told WIRED. “The Russian government will not necessarily allow you to provide a good VPN that is really secure from the user’s perspective. For example, authorities can demand access to the VPN service that would subject consumers to state oversight or block access to state-mandated web services.”

    F-Secure says it only operates in countries where it can follow local laws. But that law-abiding attitude is not shared by all its competitors. Instead, VPN companies still operating in the country say they are quietly ignoring the rules.

    Russia has struggled for years with the growing popularity of VPNs. In November 2017, the country passed the so-called VPN law, which sought to force companies to block restricted websites. According to Harold Li, vice president of ExpressVPN, VPNs are required to prevent users from accessing any URL listed in Roskomnadzor’s Unified Registry of blocked websites, which now include Facebook and the BBC. F-Secure was a rare company that stopped selling its VPN products a month before the law went into effect.

    For foreign companies that did not withdraw, the VPN law was a boost. They became the anti-regime alternative because they could afford to skip the rules; they had no local staff to bear the consequences. “None of the most prominent services at the moment is Russian,” said Migliano. Instead, the market now offers international companies based in countries like the Seychelles and British Virgin Islands, eager to evade the country’s laws in order to maintain access for Russian users. “Some Russian companies that tried to comply with the law were eventually closed,” said Klimarev of the Internet Protection Society. “Nobody bought these services.” Now the group advises Russian users to buy VPN services only from foreign companies.

    When the authorities block the foreign VPNs that refuse to comply, those companies find workarounds.

    In September 2021, Russian internet watchdog Roskomnadzor targeted six leading VPN companies and imposed restrictions for violating Russian law. The regulator alleged that these companies “created an environment for unlawful activity, including activities related to the distribution of drugs and child pornography, extremism and incitement to suicide.” ExpressVPN, one of the companies on the list, says it was targeted because it refused to block access to news sites, secure email services and content from political opposition. “We said publicly at the time that we wouldn’t do that. It’s at odds with the reason we provide a VPN service,” said ExpressVPN’s Li, speaking from Singapore. “As we understand it, [the ban] was a follow-up to that.”

    Immediately after the company was banned, Li says attempts were made to block ExpressVPN’s traffic. But the company was able to get around this by disguising its VPN traffic to look like normal traffic so it can’t be spotted by authorities. “We’d rather not talk about it in detail, but for the most part it just changes how our data packets look,” Li says, though he’s bracing for more advanced blocking techniques used by other countries where ExpressVPN already operates.

    “Blocking IPs and domains or reducing people’s ability to access app downloads is something we could see dialing in, as we’ve seen in many other countries,” adds Li. “There is reason to be concerned.”
