Russia blocked access to ProtonMail, an end-to-end encrypted email service, on January 29, claiming that it was used to send false threats about bombing 830 locations, including schools, hospitals, and shopping centres. The restriction on ProtonMail was to prevent the distribution of false messages that poses a threat to the nation’s citizens, and public order and safety, the country’s Federal Security Service (FSB) said. ProtonVPN, the company’s virtual private network service, has also been blocked, ProtonMail said. This was first reported by Reuters.

Russia’s communications department, the Roskomnadzor, said that ProtonMail refused to give information about the anonymous users, despite its repeated requests. It said that it is expecting “effective interaction with all parties involved”.

On January 23, Russia had blocked access to Netherlands-based StartMail because of similar reasons, and FSB claimed that following StartMail’s ban, anonymous users shifted to ProtonMail, to continue their “criminal activity”. This isn’t the first time that the service has been banned in Russia; in 2019, Russia had reportedly blocked access to ProtonMail due to similar false threats being spread through the platform.

ProtonMail said that it was reaching out to the concerned authorities to get the block lifted as soon as possible, and told Reuters that the block can potentially be ineffective, simply because perpetrators can use other email services, or access ProtonMail using other VPN services.

Russia’s chequered history with demanding data and banning services: It isn’t clear at the moment if Russia has also added ProtonMail to its Register of Information Dissemination Organisations (ORI), which allows authorities to ask for data from the companies on the list without a court order. In June 2019, Russian authorities had added popular dating app Tinder to the list, and had ordered it to hand over messages and photos of its users in Russia.

  • Messaging app Telegram was banned in Russia in 2018, after it refused to comply with a similar direction from Russian authorities.

What is the legality behind demanding such data? Russia’s data retention law, which was a part of a legislative package termed Yarovaya laws, came into force in July 2018. It required telecom providers in the country to store details of people’s communications for the benefit of the Russian intelligence services.

  • Unlike certain European data acquisition and retention laws, including UK’s Investigatory Powers Act, Russia’s law seeks to collect the content of communications, not just the usual metadata about who was contacting whom, and when. Under the new rules, operators have to store customers’ text messages, phone calls and chat activity for six months on Russian servers.
  • Companies added to the ORI must hand over data to Russian police or  intelligence agencies such as the FSB upon request, with or without a court order, to help with investigations into terrorist and national security cases.