Search and be fined. New Russian law targets VPN usage and mere access (!) to “extremist” content

The Duma’s Committee on State Building and Legislation has recommended the adoption of changes to the Code of Administrative Offences in a second reading. The draft introduces two new articles—13.52 and 13.53—setting out penalties for the use of circumvention tools and for online searches involving extremist content. The proposals were first reported by Forbes Russia and the digital rights project Net Freedoms (Setevye Svobody).

Article 13.52 establishes penalties for what is described in Russian bureaucratese as “violating the procedure for using hardware and software tools to access information resources and information-telecommunications networks on the territory of the Russian Federation, access to which is restricted.” In effect, this language could cover the use of VPN services that allow users to access content blocked in Russia. Fines would be up to 200,000 roubles ($2,500) for individuals, up to 300,000 roubles ($3,900) for officials and up to 1 million ($12,800) for companies and NGOs.

Article 13.53 introduces separate penalties for “searching for knowingly extremist materials and accessing them, including by using hardware and software tools to access information resources and information-telecommunications networks, access to which is restricted.” This offence would carry fines of between 3,000 and 5,000 roubles (roughly $40–65) for individuals.

Lawyer Stanislav Seleznev of Net Freedoms says that this marks a new legal frontier: Russian legislation has until now not imposed liability simply for accessing banned content. Previous laws focused more on distributing or publishing such material.

How will this be enforced?

According to Seleznev, enforcement may rely on accessing users’ browser histories or search records stored in their Google accounts, or by examining autofill data on seized devices.

“Telecom operators can also help identify users accessing banned materials,” Seleznev told Forbes. “If a user’s internet traffic isn’t protected by specialist encryption tools, operators can easily see which applications are launched and which websites are visited.”

The Net Freedoms lawyer added that Russian search engines and social media platforms are required by law to cooperate with the authorities. This includes collecting, storing and handing over users’ search queries upon request.

Seleznev warned that the amendments could provide legal cover for more frequent stop-and-searches or “device inspections” by police on the street.

A source in the Russian tech industry, speaking to Forbes, pointed to a serious gap in the proposed legal framework: it remains unclear how investigators would prove someone searched for extremist content without physically seizing their device.

Less and less free internet

For over a decade, and with accelerating intensity since the inception of the full-scale invasion of Ukraine, Russia has systematically constructed a legal framework to control the internet. 

The cornerstone of this effort is the 2019 “Sovereign Internet” law, which mandated the installation of state-controlled hardware on all internet service provider networks, giving the state censorship agency, Roskomnadzor, the direct power to filter, slow, and block traffic. This was complemented by the 2021 “Landing Law,” designed to coerce global tech giants like Google and Meta into establishing a physical presence in Russia, subjecting them to local jurisdiction and, even most importantly, pressure. March 2022 saw new legislation banning spread of “fake news” about the military, which effectively outlawed any journalism that contradicts the Kremlin’s official war narrative. Together, these laws form an interlocking system giving the state a variety of options to suppress information spread. 

At the core of this are Deep Packet Inspection (DPI) devices, or TSPUs, forced upon all internet providers in the country, which allow authorities to analyze and manage internet traffic. Recently, for instance, the authorities started throttling traffic to Cloudflare services, capping at a tiny data limit of 16 kilobytes to maintain the veneer of accessibility while breaking many media-heavy websites. DPI is also used against circumvention tools, to identify and block the underlying protocols of popular VPN services, making it harder for citizens to access thousands of blocked websites (like ours).

What’s also concerning is that the vagueness of this legislation could be exploited. Because the new offences focus on access rather than intent, users might face penalties for connections they didn’t knowingly make. DNS spoofing, for instance, is a common technique; a malicious actor could create a public Wi-Fi network and manipulate traffic so that connected devices appear to access banned websites. This could generate misleading digital traces, even without any action by the user.