In the first half of October 2022, employees of an obscure Russian government department working out of a small business center in northeast Moscow were worried about the weather.
Not Moscow's weather, but rather weather in four regions of Ukraine that President Vladimir Putin a couple weeks earlier had summarily declared were annexed and now part of Russia.
The employees -- IT specialists, analysts -- worked for a relatively unknown entity called the Main Radio Frequency Center, a unit of the federal government agency charged with policing Russia's Internet, Roskomnadzor. They trawled Russian websites, social-media pages, chat rooms, Telegram channels, and more, watching for potentially problematic issues: opposition protests, anti-war demonstrations, insults toward President Vladimir Putin.
In this particular instance, they were worried that on roughly 15 major Russian websites where weather forecasts were shown, the Ukrainian regions that were purportedly just annexed -- were still labeled as Ukrainian.
Employees of the center compiled a list of websites and contact information for the sites. By November 6, 10 out of 15 sites had changed the designations of the Ukrainian territories to indicate they were Russian.
Since Russia's invasion of Ukraine on February 24, 2022, the Kremlin has hypercharged its long-running effort to censor news and information published on Russian online resources. Days after the onslaught began, Putin signed legislation criminalizing the deliberate dissemination of anything the government deems to be false information about the war or the Russian military.
As a result, since the invasion, more than 11,800 news items, posts, and other online materials containing "reports of massive losses of [Russian] armed forces in manpower and equipment, mass surrender, as well as attacks on civilian facilities, infrastructure, and the killing of civilians" have been removed from Russia's leading search engines, Yandex and Mail.ru. And Roskomnazdor has blocked websites of at least 95 Russian-language media organizations.
The linchpin of that effort is the Main Radio Frequency Center (GRFC), which more than a year before the invasion set up an internal messaging system called the "Operational Interactive Office."
The system linked the center's monitoring with Russia's leading security and law enforcement agencies: the Prosecutor-General's Office, the Federal Security Service, the Federal Protective Service, the National Guard, and the Interior Ministry.
A new investigation by RFE/RL's Russian Investigative Unit, also known as Systema, shows how exactly the GRFC -- and Russia's Internet censors -- monitor electronic communications, and how government agencies restrict what Russians are reading or watching.
The investigation is based on a massive trove of internal correspondence -- more than 2 terabytes of data -- that was obtained in November 2022 by a group identifying itself as a Belarusian hacker organization called Cyberpartisans. The materials were shared with RFE/RL and a consortium of media outlets that includes Russian news sites The Insider and iStories, the German newspaper Sueddeutsche Zeitung, and others.
The leaked GRFC documents -- more than 700,000 letters and 2 million internal documents -- provide a detailed look at the mechanics of how Russia's Internet is monitored -- and censored.
"What amazes me is the belief [of the authorities] that the more systems they make, the greater the number of blocks will be. Every document I have seen is a potential criminal case against Roskomnadzor and everyone involved in the preparation of these documents," Philip Kulin, an independent IT specialist who runs a Telegram channel called Escher II, told RFE/RL.
"Because this is real surveillance of people," he said. Roskomnadzor "is a civilian body. Who sanctioned its ability to do surveillance, for the collection of personal data?"
Old Censorship, New Methods
Moscow's efforts at censorship are nothing new.
In the Soviet Union, the Communist Party created a sprawling censorship apparatus that tried to block out news from outside the Iron Curtain, jamming foreign TV and radio broadcasts.
Mikhail Gorbachev's glasnost policies in the 1980s cracked open the window to outside news and information and allowed more space for conflicting views at home. After the Soviet collapse, Russia's media environment became a raucous free-for-all, with newspapers, broadcasters -- and later, websites and e-mail newsletters -- enjoying wide latitude to report and criticize.
After Putin formally assumed the presidency in 2000, one of his first notable acts was to exert greater control over national TV broadcasters -- the main source for news for the vast majority of Russians. That included NTV, which broadcast highly critical reports on the First Chechen War of the 1990s.
In the early 2010s, the Kremlin began putting punitive labels -- "foreign agent" or "undesirable organization" -- on nongovernmental organizations and civil society groups, and later media outlets, sharply curtailing media freedom, scaring off advertisers, and forcing some reporting organizations to shut down.
Still later, it built out a sophisticated system to vacuum up information from Russian Internet providers to be stored, filtered, and reviewed by government entities -- a system known by its acronym SORM. It ordered major Internet companies like Google and Facebook to locate some of their servers on Russian territory. And it curtailed ownership of major online resources, like social-media giant VK, Internet portal Mail.ru, and, much later, Yandex.
Initially set up under Roskomnadzor in 2000, to monitor and control radio frequencies, the GRFC had its remit expanded as government efforts to control the Internet widened.
The agency, which publicly acknowledged the hack in November, declined to answer detailed questions from RFE/RL about its monitoring and censorship operations. Roskomnadzor did not respond to questions from RFE/RL.
The internal messaging and chat system called the Operational Interactive Office appears to have grown out of concern among law enforcement authorities trying to keep tabs on localized public protests that broke out in several places in Russia in 2019. Among them were demonstrations in the far north over garbage dumps being built in sensitive environments and protests against the construction of a church in a cherished park in Yekaterinburg.
An initial, beta version was rolled out in December of that year, and then updated two years later, to add further technical changes, including a mobile-phone version and the ability to send private messages, and upload videos, audio, and photographs.
According to RFE/RL's review of the materials, employees of the agency monitor a multitude of online resources, then, using the internal messaging system, flag content for other government agencies to issue warnings, or even propose administrative penalties and warnings.
As of November 2022, according to the document leak, there were several thematic chats in operation in the Operational Interactive Office -- "protest moods," terrorism, foreign intervention, and extremism, among others.
In the "Protest Moods" group, for example, the employees of the GRFC daily publish detailed reports "on the presence of protest moods in social networks," based on 3,500 local and national accounts on VK and another popular social network, Odnoklassniki, as well as YouTube and channels on Telegram.
The chat rooms include participants not just from the GRFC, but employees of other agencies as well.
As of mid-November, there were 60 participants in the "Protest Moods" group, including 15 Interior Ministry employees, nine prosecutor employees, and one from the Federal Protective Service, Russia's equivalent of the U.S. Secret Service.
The documentation also shows how the GRFC was used to suppress or censor information or incriminating news about powerful business leaders and oligarchs.
Using a centralized register called the Unified Automated Information System, GRFC responded to requests from business leaders to take down critical reporting. In one example, an aide to Mikhail Sirotkin, the head of the corporate cost-management department of state-owned natural-gas giant Gazprom, in February 2020 sent a request to Roskomnadzor to block more than 150 hyperlinks to articles about Sirotkin.
Prior to 2018, Roskomnadzor, which has the formal legal authority to order information deleted, temporarily blocked access to a website called Russiangate after it published an investigation into the undeclared real estate assets of Aleksandr Bortnikov, the head of the main domestic intelligence agency, the Federal Security Service. That same year, billionaire Alisher Usmanov filed a lawsuit demanding that Roskomnadzor block articles about his connection with a notorious criminal mob boss.
'Yandex U Special Task'
According to the leaked GRFC documents, Roskomnadzor blocked 89,000 web pages in the third quarter of 2022 alone. Most of the violations are related to the distribution of information about illegal drugs or content about suicide, gambling, or child pornography
The center employs a clinical psychologist who works with the employees charged with monitoring and flagging the content, who have reported problems of "emotional and professional burnout," "anxiety," and a "loss of joy," according to the documents.
Employees of the center also flag problematic content directly for engineers at Yandex, which is Russia's largest search engine and dominates other area of Russia's Internet commerce such as taxi services, food deliveries, and online shopping.
Yandex has been roiled by internal dissent and its own accusations of censorship related to the war in Ukraine. Several top executives have resigned, and the company sold off its homepage news portal, and said it would focus more on non-news-related ventures.
According to the leaked files, GRFC employees have set up several Excel worksheets titled "Yandex U Special Task" containing between 30 and 200 links to materials or posts in social networks on themes such as "Putin's mobilization," "guys from Russia surrender," and "what are Russian guys dying for in Ukraine." GRFC employees collected links that match those keywords, and then sent them to Yandex to be deleted.
In a statement to RFE/RL, Yandex denied involvement in the GRFC censorship efforts.
“Yandex is not involved in GRFC projects of searching or removing links, and also did not receive any lists of links,” company spokeswoman Polina Pestova said in an e-mail.
“Yandex itself does not remove anything from the search results. A specific link may be excluded from search results if it is included in Roskomnadzor’s register of prohibited websites or by a court decision. Links to such websites are removed automatically as soon as they appear in this register,” she said.
Bots And Artificial Intelligence
In late 2021, to help increase their monitoring abilities, GRFC employees began to employ third-party "bots" -- software applications programmed to do automated tasks like, for example, sending automated messages, or responding to complaints, or executing stock trades.
GRFC also paid 57 million rubles (about $800,000) in August 2022 to develop a system of artificial intelligence called Oculus to monitor social networks, websites, and even instant-messaging services for photographs, videos, and text containing prohibited information.
According to the leaked documents, GRFC created a "graphic entity classifier" to train the Oculus system to find insults against Putin and match them up to images or videos.
The classifier included "offensive images of the president" and "comparison of the president to negative characters."
Among terms found in the classifier: "Putin in the form of a crab," "Putin in the form of a moth," as well as comparisons of Putin with Adolf Hitler and a vampire.
The GRFC is also tackling another problem, the leaked documents suggested: accessing and monitoring closed chat rooms and closed messaging services, for example on Facebook or VK, which can only be entered by creating a user profile and then asking a group administrator for permission to join.
To clear this hurdle, the center in the summer of 2022 began building "bot farms" that would imitate real human accounts on various social-media networks and secure access to closed chat rooms.
The GRFC has also sought Roskomnadzor's authorization to buy up a large number of unused phone numbers that would be used then to help automate and verify the bot-created social-media profiles, according to the leaked documents.