In the sphere of internet regulation, the current Ukrainian government has been more active in the past months than all former Ukrainian governments together in the past 20 years. At the beginning of May, the law establishing the first ever Ukrainian secondary liability regime for third-party copyright infringement came into force. Later that same month, the President of Ukraine approved a decree ordering ISPs to block access to a number of popular Russian online services based on cybersecurity considerations. The decree received a lot of public attention both in Ukraine and in Russia. Its legitimacy is now being considered by the Constitutional Court of Ukraine.

NPU Recommendations to ISPs for complying with obligations to block access

On June 2, 2017, the National Police of Ukraine (NPU) issued practical recommendations on the technical aspects of compliance with the decree, explaining how ISPs should block access to the list of URLs identified in the decree. According to the NPU, the following methods could be used:

a) blocking IP addresses

b) blocking via DNS

c) blocking sites by URL

The NPU notes that the most efficient way of complying with the decree is to block the IP addresses associated with the prohibited URLs. The NPU recommends using “ping” or “dig” commands to recover the list of IP addresses associated with these URLs and blacklist them at the respective routing equipment. The list of blacklisted IP addresses should be refreshed daily. The NPU also warned that it would prosecute ISPs in case of non-compliance with the decree.

The ISPs have argued that this approach of blocking IP addresses won’t work. According to the ISPs, since in a cloud hosting service all sites share an IP address, there is a risk of disabling access to various sites after one of the prohibited websites moves to a cloud.

Draft law providing additional powers to the NPU

The NPU also drafted a law providing additional powers to the NPU and the State Security Service of Ukraine during investigations of online crimes, including credit card data theft, fraud, theft of personal data, espionage, copyright infringement and distribution of child pornography.

The leaked draft law (a link can be found here) proposes the introduction of new intermediary injunctions directed towards ISPs. These injunctions would be granted by the court during criminal investigations and would require ISPs to:

a)     record and store computer data, including traffic data, in electronic form for up to 90 days; and/or

b)     block access to certain identified online information for up to 90 days.

To ensure effective enforcement of these new intermediary injunctions, the NPU plans to obligate ISPs to:

  • keep records of all provided telecommunication services for the last three years
  • block access to indicated information services, URLs and domain names, and/or record and store information in electronic form
  •  limit customers’ access to online resources involved in illegal commercial or other activities
  • install, at their own cost, software and hardware to enable wiretapping, blocking access to sites, and recording and storing information

This draft law has already received some negative feedback from the ISP association and we expect a heated debate when it is presented for public discussion.

Please contact us if you would like to discuss the likely impact of these developments on your business or have any specific needs for assistance.

Contributor: Oleksiy Stolyarenko