The timeline begins in 2016 with the Yarovaya package, a landmark change in how Russian data access is governed. Named after deputy Irina Yarovaya, the package consisted of two laws enacted to strengthen counterterrorism efforts. These measures set a new standard for information retention and government access that shaped digital policy in the country for years to come.
Since then, companies have faced a mandate to retain user communications and to provide authorities with access when required. Beginning on 1 July 2018, telecom operators were required to deploy operational search technologies within their networks, making it possible to monitor and analyze communications more directly.
As a result, conversations, messages, images, videos, and other data could be stored for six months, while internet traffic was retained for thirty days. The policy also required those who regulate online information to decode user messages when requested by authorities. Encryption keys could be provided to the relevant agencies, under statutory requirements. Public commentary on these measures has included strong opinions from international observers such as Edward Snowden, who criticized the approach as inconsistent with civil liberties and human rights norms.
Information access expansion
In 2014, amendments to the Information Access Law introduced a broader registry of information disseminators in Russia. This expanded category included providers, internet services, technology firms, and financial institutions, all subject to storing certain data about user interactions for six months within the country.
Under these changes, information owners were obliged to supply data to investigating authorities upon request. The regime outlined that operators should retain metadata about sending or downloading communications, while keeping the content itself out of reach from retention, at least in many scenarios. To support these requirements, providers were also instructed to install operational search equipment within their networks.
The registry now covers a wide range of services and platforms. Over the years, new entrants such as major ride-hailing, search, email, and social platforms have been added, reflecting ongoing adjustments to the oversight framework. Regulators periodically update the roster to reflect the evolving digital landscape and the emergence of new services.
Towards universal identification
Industry experts note a trend toward greater visibility of online activity for many users. A commercial director from Security Code described a digital environment where operators can see who connects to networks and what traffic is generated, often correlating it with the Yarovaya framework. This perspective highlights a reality in which online activity can be partially attributed to individual users as they move within and beyond regional borders.
For residents, accessing the internet from home typically involves an agreement with a provider that can link activity to passport data. Using a mobile device with a SIM tied to the same identity further reinforces that link. Some analysts acknowledge that public Wi-Fi remains a potential gap, though even those hotspots may require user verification in many cases.
From a technical viewpoint, tracing who is using the internet and what they do online is feasible through the built network and data practices now in place.
Why VPNs come into play
Officials justify these rules by arguing that information on the internet can be essential for investigations, especially in matters of national security or terrorism prevention. Industry observers note that access to information may be possible with court authorization before a trial or shortly after an action begins, depending on the legal framework and urgency.
Analysts discuss how this approach might lead to centralized data collection across telecoms, large tech firms, and government agencies. The goal is to identify traffic sources, streamline data acquisition, and create a system that can profile users based on their online behavior, including the use of VPNs or other privacy tools.
Experts emphasize that while broad data collection can enable targeted enforcement, it does not automatically reveal every site visited by a VPN user. They caution that anonymity can be preserved only to a limited extent, and that any real privacy gains depend on the specific technical controls in place and how they are applied in practice.
Industry voices also point out that, in practice, the aim is to expedite access to information held by providers and operators. They stress that any changes should balance investigative needs with civil rights and privacy protections, acknowledging that the landscape includes both domestic and international considerations. The conversation continues around how to manage access, ensure accountability, and protect individuals from overreach while maintaining security and transparency across the system.