DECEMBER 7, 2022
Aurélien Bergot/NY Times–
After Moscow erected a digital barricade in March, blocking access to independent news sites and social media platforms to hide information about its unfolding invasion of Ukraine, many Russians looked for a workaround. One reliable route they found came from a small Swiss company based nearly 2,000 miles away.
The company, Proton, provides free software that masks a person’s identity and location online. That gives a user in Russia access to the open web by making it appear that the person is logging in from the Netherlands, Japan or the United States. A couple of weeks after the internet blockade, about 850,000 people inside Russia used Proton each day, up from fewer than 25,000.
– Aurélien Bergot/NY Times
That is, until the end of March, when the Russian government found a way to block Proton, too.
Targeting Proton was the opening salvo of a continuing back-and-forth battle, pitting a team of about 25 engineers against a country embarking on one of the most aggressive censorship campaigns in recent memory.
Working from a Geneva office where the company keeps its name off the building directory, Proton has spent nine pressure-packed months repeatedly tweaking its technology to avoid Russian blocks, only to be countered again by government censors in Moscow. Some employees took Proton off their social media profiles out of concern that they would be targeted personally.
The high-stakes chess match mirrors what is playing out with growing frequency in countries facing coups, wars and authoritarian rule, where restricting the internet is a tool of repression. The blocks drive citizens to look for workarounds. Engineers at companies like Proton think up new ways for those people to secretly reach the open web. And governments, in turn, seek out new technical tricks to plug leaks.
The digital censorship battle is reaching “an inflection point,” said Grant Baker, a research analyst for technology and democracy at Freedom House, which recently reported that internet censorship globally had reached a new high in 2022. While Russia has spent years working on a more closely controlled, sovereign internet, the controls imposed after the war are “a stark contrast” to anything Moscow had ever done before, Mr. Baker said.
Companies rarely discuss being targeted by an authoritarian government out of fear of escalating the conflict. But Andy Yen, Proton’s founder and chief executive, said that after a period of trying to keep its “head down,” Proton wanted to raise awareness about the increasing sophistication of governments, in Russia and elsewhere, to block citizens from reaching the open web and the need for technologists, companies and governments to push back.
Proton’s account provides a rare inside look at what it’s like to be entangled in Russia’s censorship net as President Vladimir V. Putin tries to suppress information about the war and mounting battlefield losses in Ukraine.
Dozens of VPN services have been blocked inside Russia, but Proton, perhaps best known for its encrypted email service, seemed to receive extra attention from the authorities. In June, Russia’s internet regulator labeled the company a “threat.”
“We’re gearing up for a long fight,” Mr. Yen said in an interview at the company’s office. “Everybody hopes this will have a happy ending, but it’s not guaranteed. We don’t see the light at the end of the tunnel, in fact, but you keep going because if we don’t do it, then maybe nobody else will.”
Proton, which makes money by selling $10-a-month subscriptions for extra features, was founded in 2014 by a team of young engineers from the European Organization for Nuclear Research, known as CERN, the institute outside Geneva where the worldwide web was created. Their main project was working on the Large Hadron Collider, the world’s largest particle accelerator, a $5 billion instrument built to unlock some of the world’s biggest scientific mysteries.
After the disclosures of mass digital surveillance that were made by Edward Snowden, the former U.S. intelligence contractor, Mr. Yen and a few colleagues created an email service that encrypts messages so they cannot be intercepted, simplifying use of a technology that had been too complicated for many people. It became popular with activists, journalists and privacy-conscious consumers.
Mr. Yen, who grew up in Taiwan, said the threat of Chinese aggression looming over the island’s democracy had shaped his worldview. Privacy and fighting censorship were core to Proton’s mission from the start, he said, and the company seemed to almost relish confronting authoritarianism.
In 2017, after several governments, including Turkey and Russia, temporarily blocked access to the email service, Proton created its virtual private network, or VPN, a technology used to sidestep internet restrictions.
The technology behind a VPN traces back to the 1990s. It is a relatively basic tool used most commonly by people trying to pirate movies or watch a sports broadcast available only in another country. Yet in recent years the systems, which are easy to use and often difficult to detect, have become a vital tool for circumventing internet restrictions.
The Kremlin spent years building the legal foundation and technological abilities to control the internet more closely. Yet even as Russia blocked certain websites and interrupted access to Twitter last year, few thought it would outright block major social media platforms and independent news websites. While television has always been heavily censored, the internet had been less restricted.
The crackdown in March interrupted communications and commerce for many otherwise apolitical Russians, said Natalia Krapiva, tech-legal counsel at Access Now, a group focused on online speech-related issues. VPN use was already high among tech-savvy Russians, she said, but the blocks and news of harsh punishment for online protest led even more casual internet users to seek ways around the restrictions.
Demand for VPNs surged in Russia, with downloads in March jumping 2,692 percent from February, said Simon Migliano, head of research for the review site Top10VPN.com. Proton was a popular choice, he said, hovering among the 10 most popular products despite being slower than some other choices.
Since then, VPNs have become a way of life for many. Roskomsvoboda, a Russian civil society group focused on internet freedom, estimates that a quarter of the Russian population is using one.
“To simply read independent news or to post a picture, you had to open your VPN,” said Viktoriia Safonova, 25, who now delivers food by bike in Sweden after she fled Russia in July. Both she and her husband were racked by anxiety after the invasion. Finding independent news and information was difficult. Workarounds often weren’t reliable.
“If the one you’re using gets blocked, you have to find another VPN,” Ms. Safonova said.
She recalled the paranoia that set in as new internet restrictions and surveillance took effect. She and her husband, Artem Nesterenko, worried about whether they could criticize the war online, even on international social networks. He recalled how the police had come to check on their building after he scrawled “No to war” in the elevator. He feared being arrested for things he posted online.
As people turned to VPN services to avoid the blocks, Proton struggled to keep up. Over a weekend in March, engineers scrambled to buy and configure more than 20 new servers to avert a crash of its entire network.
At the same time in Moscow, censors were at work trying to patch holes in the government’s internet controls.
The first block that took down Proton, at the end of March, was a technically basic interruption that company engineers quickly overcame, but they figured more powerful attempts loomed.
The battle took on a “Spy vs. Spy” dynamic in Proton’s headquarters. Mr. Yen said a network of people within the government, telecommunications firms and civil society groups had helped Proton operate in Russia, providing access to local networks and sharing intelligence about how the censorship system worked. But those contacts began to go dark as the Kremlin’s crackdown on dissent intensified.
At the start of June, censors struck again.
The service, which had more than 1.4 million daily users inside Russia at this point, collapsed as employees were going about their day. Complaints from Russian users poured into Proton’s customer service email. The company concluded that the government had deployed more sophisticated software that could filter through all internet traffic to identify when a person was trying to connect to Proton’s VPN service. Russia had used similar technology to block Twitter and other social media sites.
Around this time, the company noticed a suspicious spike in negative reviews of its service in the Apple and Google app stores, reducing its search ranking.
“They had clearly studied us,” said Antonio Cesarano, a senior engineer working on the VPN project.
Some at Proton questioned whether they should continue the fight with Russia. It was costing millions of dollars and slowing down development of other products. But after Proton faced criticism in 2021, when the French police obtained the IP address of a climate activist using its email service, backing down from Russia could have added another bruise to the company’s reputation.
Over about two weeks in June, Proton created yet another workaround that bounced internet traffic to servers in different geographical areas faster than censors could track. It was a technically complex move that would take considerable resources for Russia to counter.
The fix worked — for about six weeks.
Mr. Yen was interrupted during a staff meeting in mid-July with news that Russian censors had come up with an even more elaborate block. A corporate chart from the time shows use dropping off a cliff. Russian engineers had identified what is known as an authentication “handshake,” the vital moment when Proton’s VPN connection gets established before reaching the wider web. Blocking the link made Proton’s service essentially unusable.
“We had no idea what was happening and how they were doing it,” Mr. Cesarano said.
By August, after working around the clock for days to find a fix, Proton acknowledged defeat and pulled its app from Russia. The company has spent the months since then developing a new architecture that makes its VPN service harder to identify because it looks more like a regular website to censorship software scanning a country’s internet traffic. Proton has been successfully testing the system in Iran, where Proton has seen a sharp increase in VPN use during recent political demonstrations.
In Russia, Proton has reintroduced its apps using the new system. Mr. Yen acknowledged that it probably wasn’t a long-term fix. He has confidence in the new technology, but figures Russian engineers will eventually figure out a new way to push back, and the game will continue.
Courtesy/Source: NY Times