Broadband and mobile providers were on Friday subjected to a shock twist after the Government – without consultation – amended the Russian sanctions legislation to require that – “a person who provides an internet access service must take reasonable steps to prevent a user of the service in the [UK] from access … an internet service provided by a designated person.”
On the surface, the wording of this surprisingly broad amendment to The Russia (Sanctions) (EU Exit) Regulations 2019 seems straightforward, and a “designated person” would appear to be anybody that the Secretary of State deems to fall within the scope of this sanction (ie somebody that has been sanctioned by the UK gov). Fair enough, you may think.
NOTE: Hopefully, no explanation is required to understand the many reasons why sanctions are currently being imposed against Russia.
However, an additional explanatory note later confuses this by attempting to clarify that ISPs “must take reasonable steps to prevent users of the service in the [UK] from access websites provided by a designated person. This will likely take the form of URL blocking.” Except, that’s not what the legislation itself says, which is broader and defines an “internet service“have a”service that is made available by means of the internet.”
At this point we’re going to try and avoid a lengthier explanation by doing a simplified summary of the key points of contention with all this. We’d also recommend reading Neil Brown’s excellent blog post on this via law firm decoded.legal for a wider explanation of the problems. But to simplify..
Simple Summary of the Key Problems
➤ How are internet providers expected to be able to tell what “internet services“are even”provided by a designated person“? We’re not sure, but the government might be able to produce a block list of some sort (eg website domains or IP addresses / ranges) to help fill in the blanks. We expect more guidance on this to be published soon.
➤ The question of which internet providers are in-scope of this change is a big one. The sanction doesn’t seem to distinguish between consumers and businesses, instead catching “a person who provides an internet access service“, which could seemingly include everything from big broadband ISPs to personal Wi-Fi hotspots on your Smartphone, possibly even VPN providers or your home broadband router etc. It’s untenably broad.
➤ Not all ISPs have developed or implemented network-level blocking (censorship) tools, particularly smaller providers without the budget needed for such filtering systems. But in having said that, the obligation to take “reasonable steps” (ie it’s not an absolute) means that providers could probably get away with just a basic DNS level block or similar, assuming they’re told what they need to block in the first place.
➤ Any blocks imposed at ISP level can be easily circumvented by those with only a basic bit of IT knowledge (third-party DNS, VPN, Proxy Servers etc.). This is not the ISPs fault, it’s just how the internet was designed.
The UK telecoms regulator, Ofcom, is required to oversee all this and monitor compliance. No doubt ISPs will have A LOT of questions for them. But providers that fail to comply with the new sanction (or a related information gathering request) could face a financial penalty of up to £1m. So, hard luck if you just setup a personal WiFi hotspot on your mobile phone, but whoops.. did you forget to check the latest Russian sanctions list and ensure you’re implementing all the right blocks? It would be funny, if it wasn’t actual legislation.
Adrian Kennard, Boss of ISP Andrews & Arnold (AAISP), said (blog):
“I can’t stress this enough, we have never had any order to block anything or any previous legal requirement to do so, really. It is, in my opinion, not “reasonable” to expect us (for no payment at all, or otherwise) to magically implement such a measure, especially to do so between Laid before Parliament at 5.00 pm on 27th April 2022 and coming into force 29th April 2022, really. Or even (as it will cost a lot) later.
What could we do?
At a push we could block some domains on our DNS servers, but customer do not have to use them, so that would not be effective in meeting the requirement. And weirdly the providers of public DNS, like 220.127.116.11 and 18.104.22.168 are not subject to this order – why?
Indeed, if we had some way to block some routing to some IPs (and remembering we must not “over block” to meet net neutrality laws), customers are allowed to, and often do, use VPNs, so again, it would not actually be effective.
I am not sure we could “reasonably” take any technical measures.
So what do we do?
Well, step one is we ask OFCOM for the list of services, and see what we get. That is it for now. I expect no list, to be honest, which sort of solves the problem.”
Adrian also suggested that ISPs could perhaps become compliant simply by “[asking] customers nicely“not to access such services, which might be enough to be deemed a”reasonable” step. It’s at least no less absurd than expecting anybody who provides an internet service – personal or otherwise – to comply with the new legislation. Assuming, that is, the provider can confidently first identify precisely what services the government actually wants to be blocked.