This essay is part of a series from Carnegie’s Digital Democracy Network, a diverse group of thinkers and activists engaged in work on technology and politics. The series is produced by Carnegie’s Democracy, Conflict, and Governance Program. The full set of essays is scheduled for publication in summer 2026.

Following the 2021 coup in Myanmar, the military junta compelled telecommunications operators and internet service providers (ISPs) in the country to implement information controls, including installing surveillance and interception technology on their networks, providing user data to police and military officials, and enforcing SIM card registration for mobile phone users.¹ The junta’s tactics contributed to Telenor,² a Norwegian telecom company, and Ooredoo,³ a Qatari telecom company, exiting the Myanmar market in 2022, having sold their local operations to military-affiliated entities. Specifically, Telenor Myanmar was sold to a Lebanese firm with links to Myanmar’s military, and the company subsequently changed its name to ATOM Myanmar.⁴ At the same time, Ooredoo Myanmar was purchased by a firm with ties to military-linked figures and rebranded as U9 Myanmar.⁵ The military-dominated telecommunications sector in Myanmar has enabled and institutionalized state-sponsored digital repression through frequent internet shutdowns (with at least eighty-five shutdown incidents in 2024),⁶ and the use of tools, such as “surveillance drones, iPhone cracking devices and hacking software” to suppress anti-junta resistance and civil disobedience.⁷ In January 2025, Myanmar’s digital repression apparatus was bolstered by the enactment of a controversial cybersecurity law, which gives the government increased ability to block websites and surveil internet users.⁸

Myanmar has adopted a similar approach to that of Russia and China, where draconian internet laws and regulations have enabled state coercion of ISPs and facilitated extensive information controls. Russia, for example, passed a “sovereign internet” law in 2019 that established a National Domain Name System (DNS) maintained by Roskomnadzor, Russia’s internet regulator. DNS functions as the internet’s address book, translating a URL into a numerical IP address. Therefore, state control over the National DNS allows the government to block access to certain websites entirely or to redirect users to government-sanctioned sites.⁹ The government required all ISPs operating in Russia to use the National DNS as of January 2021.¹⁰ The “sovereign internet” law has thus enabled the government to block thousands of websites, including sites that “host material critical of the authorities or of the [Ukraine] invasion, as well as international news sites, civil society websites, and Ukrainian news sites.”¹¹

The existing literature on digital repression has examined information controls at the application and content levels, including content filtering or blocking and government requests to social media platforms to remove content.¹² However, researchers have under-studied how ISPs that build and/or operate the underlying infrastructure implement controls. Given their role as gatekeepers of internet access, understanding ISP practices and government oversight of them is essential to comprehending how information controls function in practice. This article addresses this gap by analyzing the role of ISPs in information controls and examines the mechanisms by which state-directed digital repression operates within the network infrastructure.

State Control Over ISPs: Its Establishment and Evolution

In jurisdictions where only state-owned providers exist, internet access is highly vulnerable to state-directed monitoring and manipulation. For example, in China, the government built internet infrastructure through extensive, coordinated state planning, combined with efforts to ensure continued government control. The majority of China’s physical internet infrastructure, in both urban and rural regions, is built and maintained by state-owned enterprises—namely, China Telecom, China Unicom, and China Mobile—which provide services such as broadband, fixed-line connections, and mobile data.¹³ Intensive state intervention, coupled with the application of significant barriers to foreign entities’ operations in the country, has allowed these state-owned providers to dominate China’s internet market.¹⁴ Additionally, China has developed and maintained a nationwide internet censorship system that filters internet traffic entering and leaving the country’s networks.¹⁵ Colloquially known as the Great Firewall, this censorship system was launched in 1998 by the Ministry of Public Security, only four years after the country established a fully functional connection to the global internet.¹⁶ 

More recently, in 2024, China lifted foreign investment restrictions on companies providing telecommunications services, including internet access.¹⁷ However, newly formed ISPs are still required to use the existing network infrastructure controlled by state-owned providers and obtain an operating permit from the Ministry of Industry and Information Technology (MIIT), one of several Chinese institutions that enforce online and offline censorship.¹⁸ As part of the permitting process, MIIT verifies that ISPs have complied with its content-censorship rules, given that all ISPs operating in China, regardless of ownership, must implement content blocking and filtering.¹⁹ Due to these stringent censorship requirements, there is widespread content filtering in the country, including against “criticism of individuals, policies, or events that are considered integral to the one-party system,” resulting in a “highly controlled, monitored, and manipulated version” of the Chinese internet.²⁰ The case of China shows that state dominance over network infrastructure, dating back to the early establishment of the internet, facilitates ongoing internet controls and large-scale monitoring of internet users.

State dominance over network infrastructure, dating back to the early establishment of the internet, facilitates ongoing internet controls and large-scale monitoring of internet users.

In other jurisdictions where private ISPs have coexisted with state-owned ISPs, government control of network infrastructure typically evolved gradually. This type of evolution is apparent in Russia, where its internet infrastructure, built in the Soviet era, was developed by private organizations and research institutions with limited state involvement. Russia connected to the global internet for the first time in 1990 via a computer network operated by RELCOM (Reliable Communications), which was developed by a group of computer programmers at the Kurchatov Institute.²¹ By the mid-1990s, numerous commercial ISPs existed in Russia, such as FidoNet, GlasNet, IASnet, and Sovam Teleport, all established by private organizations.²² Until the early 2000s, the Russian internet (or “RuNet” for short) received minimal state oversight compared with traditional media, likely due to low internet penetration rates—that is, in 2008, only 14 percent of the population had internet access.²³ RuNet’s user base subsequently expanded during the 2011–2012 mass protests over suspicions of electoral fraud, an issue largely ignored by traditional Russian media but actively discussed online by independent journalists and bloggers.²⁴ This rise in online political discussion in the 2010s led researchers to refer to the internet as Russia’s “alternative public sphere.”²⁵ 

Before 2012, RuNet was governed primarily through general legal frameworks and existing laws on mass media, communications, and information protection, rather than internet-specific legislation or China-style direct internet filtering. After 2012, however, Russia passed multiple stringent laws that enhanced the state’s ability to restrict and censor online speech, described by analysts as a government-led “‘blitzkrieg’ against online free expression.”²⁶ For example, Federal Law No. 139-FZ of 2012 and Federal Law No. 398-FZ of 2013 granted Roskomnadzor the mandate to prohibit websites and to require ISPs to comply with its blocking directives. 

By 2015, Freedom House had rated Russia as “Not Free,” due to significant steps to “increase control over the online sphere, particularly in advance of the Sochi Olympic Games.”²⁷ In the ensuing years, Russia has intensified its authoritarian regulation of the internet, employing a range of legal instruments and technical interference with internet infrastructure.²⁸ For example, Russia requires ISPs to install surveillance systems known as SORM (System for Operative Investigative Activities), which consists of hardware and software installed at the operator’s expense but directly controlled by the Federal Security Service of the Russian Federation (FSB), the country’s principal domestic intelligence and security agency. First introduced in 1995 for wiretapping and phone surveillance, SORM was later adapted to the internet in 1998 (SORM-2) and expanded in 2014 (SORM-3) to include the collection of metadata and multimedia files. The government significantly expanded SORM’s functionality following the passage in 2016 of the so-called Yarovaya Law (in fact, a set of two Russian federal bills, 374-FZ and 375-FZ), which requires ISPs and telecom providers to store the content of all user communications for up to six months and metadata for up to three years. A 2018 amendment revised some of these requirements following criticism from ISPs, such as requiring storage of the content of all communications (for example, voice calls, data, images, and text messages) for only thirty days, though metadata retention remained at three years and storage capacity was to be increased by 15 percent annually.²⁹ Russia’s efforts to control the internet also extend beyond its borders, notably in Ukrainian territories it has occupied following its 2022 invasion. In Kherson, for example, Russia imposed an internet shutdown and subsequently restored connectivity via its state-owned provider, Rostelecom, to integrate the territory into Russia’s internet infrastructure.³⁰ Additionally, as of January 2023, ISPs on temporarily occupied territories must install SORM for the purposes of “lawful interception and the storage of their clients’ metadata.”³¹

China and Russia’s experiences reveal how initial arrangements of network infrastructure—state dominance in China’s internet versus private-sector development in Russia’s internet—have contributed to distinct patterns of technical control and mechanisms that persist today. For example, although both countries are similarly classified by Freedom House as “Not Free,” Russia does not have a state-operated nation-wide censorship system, whereas China has its “Great Firewall.” This contrast demonstrates the significance of historical infrastructural choices and challenge assumptions about the uniform application of state-directed information controls. Understanding a country’s internet infrastructure development is thus crucial to comprehending how states exercise control over online spaces, as this architecture shapes the feasibility, methods, and effectiveness of digital repression.

Infrastructure Controls and Internet Freedom

As part of their digital repression toolkit, states can restrict the flow of information online by imposing limits on the access and transit providers that carry internet traffic.³² Access providers deliver internet services directly to consumers and businesses—major U.S. examples include Comcast (Xfinity), AT&T, and Verizon. In contrast, transit providers like Cogent and Lumen supply the underlying internet infrastructure to other networks rather than serving home users directly.³³ As transit providers connect multiple access providers, state control over them results in a more efficient mechanism for surveilling, filtering, or manipulating internet traffic. Moreover, because most internet users are unaware of how transit providers operate or are regulated, states can compel transit providers to engage in surveillance and censorship of internet users with less risk of public backlash. 

Given the significance of transit providers, autocratic regimes such as China, Uzbekistan, and the United Arab Emirates (UAE) have configured and regulated their internet to ensure that only state-owned ISPs function as transit providers within their jurisdictions.³⁴ State-owned providers from autocratic regimes have also operated in other authoritarian settings. For example, the UAE’s state-owned providers also deliver internet services in Gabon, Mauritania, and Morocco.³⁵ This authoritarian infrastructure nexus facilitates digital repression and cross-border information controls.

Stringent state oversight of the ISP industry is also evident in Myanmar, resulting in civil society groups’ concerns about extensive ties and cooperation between ISPs and the government. Before their exits from Myanmar, for example, both Ooredoo and Telenor had faced criticism about their compliance with human rights-violating policies. Following the 2021 coup, Ooredoo Myanmar stated that it “regretfully complied” with government directives to limit mobile and wireless broadband access.³⁶ Furthermore, rights activists argued that Telenor Myanmar’s cooperation with the junta led to the arrest or executions of student leaders and pro-democracy activists.³⁷ Consequently, in December 2024, Justice For Myanmar and ICJ Norway filed a complaint with the Norwegian police against Telenor Group, which is majority-owned by the Norwegian government, and the management of its Myanmar operations. In this complaint, they alleged that Telenor’s Myanmar subsidiary had violated Norwegian sanctions by “sharing sensitive network traffic data with the junta and transferring so-called lawful interception equipment to a Myanmar military-linked company.”³⁸

Myanmar’s ISPs, now with military-linked ownership, have acquired surveillance and filtering technology that further reinforced transnational authoritarianism in the country.

Additionally, Myanmar’s ISPs, now with military-linked ownership, have acquired surveillance and filtering technology that further reinforced transnational authoritarianism in the country. In May 2024, Justice For Myanmar found that the junta had acquired “a new web surveillance and censorship system to increase its control of the internet,” including deep packet inspection (DPI) tools for monitoring and filtering content for use by its ISPs.³⁹ In May 2025, joint investigations by Finance Uncovered and Myanmar Now concluded that Frontiir, a Yangon-based ISP, had installed Geedge equipment capable of tracking users’ online activity, blocking websites, and preventing the use of virtual private networks (VPNs) to circumvent online censorship.⁴⁰ (Frontiir, an ISP that received $40 million in development funding from the governments of the United Kingdom, Norway, and Denmark in exchange for equity shares, denied these allegations.)⁴¹

Authoritarian governments worldwide are increasingly leveraging their control of network operators, enactment of stringent regulations, and international sales of surveillance and filtering technologies to augment their digital repression capabilities. The result is an intensifying challenge to the protection of fundamental human rights and to the stability of the open, interconnected global internet. These developments highlight the urgent need for international cooperation to strengthen democratic governance frameworks, counterbalance transnational authoritarian digital influence, and preserve internet freedom. Central to this effort is the implementation of the UN Guiding Principles on Business and Human Rights, which establish that companies have a responsibility to respect human rights and conduct due diligence to ensure that their tools and services are not complicit in digital repression.

What can activists and democratic governments do to counter these trends? At a minimum, when companies based in liberal democracies, like Telenor in Norway, sell their subsidiaries in authoritarian countries, they should screen potential buyers for links to human rights abusers and sanctioned entities. They should also publish transparency reports on how such exits or sales meet international human rights standards (for example, by embedding the UN Guiding Principles on Business and Human rights in the terms of purchase). When it comes to probing the locations and operations of authoritarian state providers, civil society groups and researchers are well-placed to carry out investigations to expose surveillance risks and facilitate informed advocacy. But these activities require significant resources—support that democratic governments can help provide. Finally, democracies can fund digital literacy and security programs for internet users residing in jurisdictions with networks operated by authoritarian-linked ISPs. Without coordinated action, authoritarian governments and their allies will continue to exploit regulatory gaps and establish enhanced cooperation to export surveillance and censorship capabilities and entrench digital repression worldwide