A new sanction affecting Internet access providers in the UK

Screenshot of the sanctions text, linked below

Updated 2022-04-30 with information on filtering the UK sanctions list

Updated 2022-05-01 with a statement from DCMS

There is a new sanction, which affects Internet access providers who provide connectivity to people in the UK. It is an amendment to The Russia (Sanctions) (EU Exit) Regulations 2019.

There are other sanctions which apply to app store providers and social media providers. These are out of scope of this post.

The sanction comes into effect today, 29th April 2022.

It was only laid before Parliament two days ago, and so there has been virtually no time to prepare, or even discuss, this measure.

As the Explanatory Memorandum notes, “No consultation has been carried out on this instrument.”

What a way to ruin the weekends of people running ISPs…

The sanction: try to prevent access to Internet services of sanctioned people

The sanction which ISPs must apply to users in the UK is:

A person who provides an internet access service must take reasonable steps to prevent a user of the service in the United Kingdom from accessing, by means of that service, an internet service provided by a designated person.

An “internet service” is:

a service that is made available by means of the internet.

The plain English interpretation of this is that, if you provide an Internet access service to people in the UK, you must take reasonable steps to stop them from using a service provided by a “designated person”.

I understand that official guidance may follow.

Who is a “designated person” and how do you tell what Internet services they provide?

A “designated person” is a person designated by the Secretary of State - in other words, someone the Secretary of State says falls within the scope of this sanction.

The UK Sanctions List provides details of the people designated under the Regulations, and details of the sanctions in respect of which they have been designated.

Note that the ODT (Word-like) version of the sanctions list runs to 997 pages, but not all entries relate to sanctions under these specific regulations.

For manual checking, you will probably want to use the ODS (Excel-like) version, and then filter column “Q” to show only sanctions imposed under he Russia (Sanctions) (EU Exit) Regulations 2019.

For automatic checking (see below), the XML version is probably better, and you can filter on RegimeName.

Either way, this should give a complete list of persons designated under those Regulations.

The Explanatory Memorandum says:

Internet access services, including fixed and wireless broadband providers, must take reasonable steps to prevent users of the service in the United Kingdom from accessing websites provided by a designated person. This will likely take the form of URL blocking.

Clearly, the Internet is not the web, and “a service that is made available by means of the internet” extends beyond merely websites.

You can also filter the UK Sanctions List by the sanctions imposed (in the XML version, SanctionsImposed).

For example:

Screenshot of a portion of the UK sanctions list, showing “Regime Name: The Russia (Sanctions) (EU Exit) Regulations 2019 Sanctions Imposed: Asset freeze|Travel Ban”

At the moment, the majority of the persons designated under The Russia (Sanctions) (EU Exit) Regulations 2019 have either or both “Asset freeze” or “Travel ban” as the sanction type. Some have “Prohibition on correspondent banking and sterling clearing” or “Transport sanctions”.

I do not know how “Internet services” will appear on the list. It might be declared specifically, or it might be listed as “Trade sanctions”.

According to a statement from DCMS (below), no-one is a designated person for this sanction yet.

The XML version of the list has a useful section of “SanctionsImposedIndicators”:

<SanctionsImposedIndicators>
<AssetFreeze>true</AssetFreeze>
<ArmsEmbargo>false</ArmsEmbargo>
<TargetedArmsEmbargo>false</TargetedArmsEmbargo>
<CharteringOfShips>false</CharteringOfShips>
<ClosureOfRepresentativeOffices>false</ClosureOfRepresentativeOffices>
<CrewServicingOfShipsAndAircraft>false</CrewServicingOfShipsAndAircraft>
<Deflag>false</Deflag>
<PreventionOfBusinessArrangements>false</PreventionOfBusinessArrangements>
<ProhibitionOfPortEntry>false</ProhibitionOfPortEntry>
<TravelBan>true</TravelBan>
<PreventionOfCharteringOfShips>false</PreventionOfCharteringOfShips>
<PreventionOfCharteringOfShipsAndAircraft>false</PreventionOfCharteringOfShipsAndAircraft>
<TechnicalAssistanceRelatedToAircraft>false</TechnicalAssistanceRelatedToAircraft>
</SanctionsImposedIndicators>

I wonder if, in time, there will be a SanctionsImposedIndicator for InternetServices or the like.

At the moment, all I can suggest is checking the sanctions list regularly - perhaps automatically - and checking for the sanction type.

I note the text relating to some designated persons specifically references “websites”.

For example:

[x] has publicly admitted his involvement in the events of 2014 that led to the illegal annexation of Crimea and Sevastopol, which he publicly defended, including on his personal website and in an interview published on 21 February 2016 on nation-new.ru website.

The UK sanctions list does not disclose the URL of “his personal website”, and it does not appear that the website listed - nation-new.ru - is provided by the designated person.

There is also a section where specific websites are identified:

<Websites>
<Website>http://www.addounia.tv</Website>
</Websites>

So I wonder if a script which automatically gets the sanctions list, filters by Regime Type (set to The Russia (Sanctions) (EU Exit) Regulations 2019) and then either or both:

might be sensible.

See below in terms of what might be reasonable for an ISP to do with that.

Which ISPs are in scope?

Here’s another fun challenging one.

The sanction bites on “a person who provides an internet access service”.

An internet access service is:

a service that provides access to virtually all (or just some) of the end points of the internet.

Now, “person” is broad. It covers natural persons - people - as well as legal persons, such as companies.

The sanction doesn’t distinguish between consumers and businesses: it affects providers to each.

It would also seem to include coffee shops, hotels, airports, trains, and so on, if they provide Wi-Fi or other Internet access services.

Schools and other educational networks? Yes, probably.

But does it go further? Does a parent provide an internet access service to the children who live with them, for example? If you run an open access point, so that passers by can access the Internet? Probably. Someone who shares their connection with their neighbours? Maybe. I’d have thought that the likelihood of enforcement in each of these cases was pretty low, but the drafting of the measure is expansive.

What about VPN providers? Do they provide an Internet access service? I think so, yes. Sure, one might require an Internet access service to be capable of connecting to the VPN provider’s infrastructure, but I don’t think that that disqualifies a VPN provider from meeting the definition in its own right.

Taking reasonable steps to prevent access

For Internet access providers with DNS or URL blocking capability, using this is likely to be the expected route. However, without a list of URLs or IPs to be ingested into filters, merely having filters is of little use.

For Internet access providers without DNS or URL blocking capability, this is even trickier.

The obligation is to take “reasonable steps”. It is not an absolute obligation, and no liability attracts to an ISP if, despite taking reasonable steps, a user successfully accesses a service provided by a designated person.

If I were an ISP without a filtering system, I would probably:

This should include consideration of whether I could deploy a filtering system, and the cost and complexity of doing that. Now, clearly, that is something which would require considerable thinking and planning, and could well be really expensive (see here as to what some ISPs have said about the costs of their filtering tools), and it may be that implementing them is far beyond “reasonable steps”.

An ISP might, I suppose, switch customers en masse to a third party DNS service, if that third party DNS service says it can block traffic of this nature. That’s not something I’d likely rush to do, and the privacy implications of that could be pretty horrific, but it might need to be an option for consideration?

If nothing else, keeping documentation of what you have considered but eliminated, and why you’ve done so, is likely to help towards a claim that you’ve done what you reasonably can.

Penalties for non-compliance

Ofcom can impose a monetary penalty - capped at £1,000,000 - if it determines that an ISP has failed to comply with the sanction (or an information gathering request, below).

Ofcom information gathering powers and criminal sanctions

The new rules empower Ofcom to ask ISPs for information which it:

may reasonably require for the purpose of monitoring compliance with or detecting evasion of [the sanction].

If you get such a request, you must provide the information requested (including specified documents) in the way Ofcom requests it, and within the period which Ofcom specifies or if no period is specified, within a reasonable time.

(In my experience, even if Ofcom specifies a time period, it is usually pretty sensible in extending that period if faced with a reasonable request.)

In addition to the potential of a monetary penalty, it is a criminal offence to:

Get in touch if you need help

Normally, I’d add some sort of call to action here, to encourage you to get in touch if you need a hand. But, frankly, I’m not sure how much use I can be on this right now. I’m happy to talk things through / help with brainstorming, I guess, but in terms of clear, practical legal guidance beyond the kind of things I’ve identified above, right now, I’m out of ideas.

Statement from DCMS:

The exact restriction will depend on the service provided, with full details outlined in the Statutory Instrument and accompanying Explanatory Memorandum. Most pertinent to your organisation are the requirements for fixed and wireless broadband providers, who must take reasonable steps to prevent users of their service in the United Kingdom from accessing websites provided by a designated person.

This will likely take the form of URL or DNS blocking. The restrictions will apply to persons designated by the UK Government and we expect the designations to be announced imminently. The Explanatory Memorandum also sets Ofcom as the specified body responsible for overseeing compliance with the measure, who will contact you separately.

We appreciate that you may require support in order to ensure the sanction measures are implemented as smoothly and efficiently as possible.