The Domino Effect of Internet Blocking in Romania

The Council of the European Union’s decision, which came out on 1 March, to block access to the media outlets Russia Today (RT) and Sputnik, looking to stop the spread of disinformation, set forth a domino effect in Romania for internet blocking.

By Asociația pentru tehnologie și internet (ApTI) (guest author) · April 6, 2022

The Romanian National Directorate for Cybersecurity (DNSC), the civil cybersecurity authority formerly known as CERT Romania, took on its own initiative to carry out the implementation, despite no specific legal basis to allow them to do so. On 3 March, DNSC published a list containing domains that belonged not only to the online versions of RT and Sputnik, but also to endpoints that were used by the respective mobile applications. The list also contained a chapter with 72 IP addresses “that are used to deploy cyber attacks and malware that may also impact Romania in the context of the Ukrainian-Russian crisis”. These IPs were marked as “sources of DDoS attacks”, “unauthorised access” or “port scanning”.

When first published the list contained explicit mention of the fact that these IPs were assigned to entities from all over the world.  The list got larger and larger, with the latest version now listing 37 domains and 311 IP addresses. The Directorate never explicitly asked Internet Service Providers (ISPs) to block these IPs and domains. Instead, the list was sent to the Telecom Authority (ANCOM), which forwarded it to the ISPs without any specific instructions. The ISPs started blocking IPs and domain names. A common blocking methodology does not seem to be in place.

What struck a chord with the Romanian citizens was the inclusion, on these block lists, of domains that had no relation to RT and Sputnik. One of the first blocked websites to stand out, labelled as “fake news”, was a news portal ( whose wrongdoing is publishing articles criticising the current Romanian Ministry of Defence. This was labelled as “an error” by the Government spokesman, but the DNSC did not comment on it. Only a few days later, other 3 domain names became the public enemies of the Romanian cybersecurity Directorate – a 17 years old book blog and a couple of e-commerce sites. These 3 websites were marked as “sources of DDoS” attacks on European institutions.

There is no sign of anyone trying to contact the website owners up to the time of EDRi member ApTI writing about the incident. The administrator of the book blog found out that his website was part of the block list issued by the state authority only when a journalist tried to get his point of view on the matter. The administrator stated he had not heard about this authority before.

After an uproar erupted in the civil society and several news articles later, the DNSC publicly stated that it does not have the authority to decide which domains ought to be blocked, nor to carry out the blocking itself. The– authority underlined that they do not make any decisions on the content, they just publish the list.
One of the latest domino pieces that made the loudest thud was certain ISPs blocking an IP address belonging directly to Google Firebase. This was prompted by the fact that the cybersecurity Directorate block list contained Firebase subdomains that belonged to the mobile apps of RT and Sputnik. This led to Romanian citizens not being able to use functionality that relied on Firebase while they were on the networks of the providers who blocked the Firebase IP. Even though the Firebase blocking has since been reverted, no transparency or dialogue made its way into the methodology employed by the DNSC.

Every five days, the DNSC publishes new IPs to block, claiming they are related to cybersecurity attacks on the internet. Recently, the list that the DNSC put out contained one Tor exit node.
ApTI decries the usage of censorship techniques such as IP or domain-based blocking and suggests that the first step in such cases should always be contacting either the owner or the hosting provider of these domains. The DNSC never replied to the open and closed letters ApTI sent.

Blocking domains on accounts of disinformation first gained the attention of the Romanian mainstream media in 2020, when the Ministry of Internal Affairs cracked down on online websites spreading falsehoods about Covid-19. Both journalists and activists commended the opaque nature of these mandates. There has been no information about the members of the “censorship committee” that decided which domains should be censored, and how this should be carried out. The effort was halted after a few months when part of the Covid-19 restrictions was lifted. In 2022, a similar opaque methodology is carried out by the DNSC.

(Contribution by: EDRi member ApTI – Romania)