But the war in Ukraine has also reignited a debate within the VPN industry about whether these companies offer a safe way to dodge Russian internet censorship. “The most popular VPNs in Russia are free services,” says Simon Migliano, head of research at Top10VPN.com. “These VPN services are operated by highly opaque entities. It’s very difficult for the average consumer to learn anything about the companies with whom they will be entrusting their data, and some of these companies make great efforts to keep it that way.”
Finnish company F-Secure told Germany’s Der Spiegel newspaper that it stopped offering its VPN product, Freedome, inside Russia in 2017 to avoid creating a false sense of security for users who wanted to avoid government scrutiny. “We have very consciously taken the decision to not sell our VPN in Russia,” Antero Norkio, F-Secure’s VP of consumer security told WIRED. “The Russian government will not necessarily allow you to provide a proper VPN that is truly safe from the user’s perspective. For example, authorities can require access to the VPN service that would subject consumers to state surveillance or block access to web services mandated by the state.”
F-Secure says it only operates in countries where it can follow local laws. But that law-abiding stance is not echoed by all its competitors. Instead VPN companies still working in the country say they operate by quietly ignoring the rules.
Russia has been wrestling with the growing popularity of VPNs for years. In November 2017, the country introduced the so-called VPN law, which tried to force companies to block restricted websites. VPNs are required to prevent users from accessing any URL listed in Roskomnadzor’s Unified Registry of blocked websites, which now includes Facebook and the BBC, according to Harold Li, vice president of ExpressVPN, who says his company does not comply. F-Secure was one company that got spooked, halting sales of its VPN products one month before the law went into effect.
For foreign companies that did not pull out, the VPN law was a boost. They became the anti-regime alternative because they could afford to skip the rules; they had no local staff that would face the consequences. “None of the most prominent services at present are Russian,” says Migliano. Instead the market now features international companies based in countries like the Seychelles and the British Virgin Islands that are happy to dodge the country’s laws to maintain access for Russian users. “Some Russian companies that tried to comply with the law ended up closing,” says Klimarev, of the Internet Protection Society. “No one was buying these services.” Now the group advises Russians users only to buy VPN services from foreign companies.
When the authorities block the foreign VPNs that refuse to comply, those companies find workarounds.
In September 2021, Russia’s internet watchdog Roskomnadzor took aim at six leading VPN companies and restricted them for violating Russian law. The regulator claimed these companies were creating “an environment for unlawful activities, including those related to the spread of drugs and child pornography, extremism, and incitement to suicide.” ExpressVPN, which was one of the companies on the list, says it was targeted because it refused to block access to news sites, secure email services, and political opposition content. “We said at the time, publicly, that’s not something we would do. It’s antithetical to the reason that we provide a VPN service,” says ExpressVPN’s Li, speaking from Singapore. “As we understand it, [the ban] was a follow-up action to that.”
Right after the company was banned, Li says there were attempts to block ExpressVPN’s traffic. But the company was able to get around these by disguising its VPN traffic to look like regular traffic so it can’t be spotted by the authorities. “We prefer not to talk about it in great detail, but largely, it is just changing how our data packets look,” says Li, although he is bracing for more sophisticated blocking that copy techniques used by other countries where ExpressVPN already operates.
“Blocking IPs and domains or reducing people’s ability to access app downloads is something that we could see dial up, as we have seen in many other countries,” Li adds. “There’s reason to be worried.”
More Great WIRED Stories