In late July, mobile network providers in Kazakhstan started sending out SMS messages demanding that their clients install a 'national security certificate' on all personal digital devices with internet access. These messages claimed that the certificate
would protect citizens from cyberattacks. They also assured users who did not install the application that they would encounter problems accessing certain websites (particularly those with HTTPS encryption.)
This news came one and
a half months after Kazakhstan's government blocked access to internet and streaming services on June 9, when the country held presidential elections. The victory of Kassym-Zhomart Tokayev came amid mass protests calling for fair elections. Meanwhile, an
internet blackout prevented protesters from coordinating their actions, helping police to arrest them.
These moves led some observers to fear the beginning of a wider crackdown on digital rights in Kazakhstan. So while Tokayev
called off the introduction of the controversial national security certificates on August 6, there are grounds to doubt that this will be the government's last attempt to intrude on cyberspace. Fear and suspicion on social media
In the first days [after receiving the SMS messages] we faced lots of panic. People were afraid that they would indeed be deprived of access to certain websites without installing the security certificate, Gulmira Birzhanova, a lawyer at the North Kazakhstan Legal Media Centre told GV:
However, few users rushed to obey the SMS messages. I didn't install [the application]. I don't even know if any of my acquaintances dida.
Nevertheless, the demands to install an
unknown security tool caused a wave of distrust and outrage on social media.
Daniil Vartanov, an IT expert from neighbouring Kyrgyzstan, was one of the first people to react to the launch of the certificate and confirmed users'
Now they can read and replace everything you look at online. Your personal information can be accessed by anybody in the state security services, ministry of internal affairs, or even the illicitly hired
nephew of some top official. This isn't an exaggeration; this is really how bad it is.
On August 1, Kazakhstan's prosecutor general issued a statement reassuring citizens that the national security certificate was
aimed to protect internet users from illicit content and cyberattacks, stressing that the state guaranteed their right to privacy.
IT experts proved otherwise. Censored Planet, a project at the University of Michigan which
monitors network interference in over 170 countries, warned that the Kazakh authorities had started attempting to intercept encrypted traffic using man in the middle attacks on July 17. At least 37 domains were affected, including social media networks.
Man in the middle or HTTPS interception attacks are attempts to replace genuine online security certificates with fake ones. Normally, a security certificate helps a browser or application (for example, Instagram or Snapchat) to
ensure that it connects to the real server. If a state, [internet] provider or illegal intruder tries to intercept traffic, the application will stop working and the browser will display a certificate error. The Kazakh authorities push citizens to
install this certificate so that the browser and application continue to work after the interception is spotted, explained Vartanov in an interview to GV in early August.
This was the authorities' third attempt to enforce the use
of a national security certificate. The first came in late November 2015, right after certificate-related amendments were made to Kazakhstan's law on communication. The law obliges telecom operators to apply a national security certificate to all
encrypted traffic except in cases where the encryption originates from Kazakhstan.
That same month, service providers announced that a national security certificate would come into force by January 2016. The announcement was soon
taken down, and the issue remained forgotten for three years.
The second attempt came in March 2019, and was barely noticed by the public until they started to receive the aforementioned SMS messages in July.
After two weeks of turmoil on social media, Tokayev called off the certificate on August 6.
Why did Tokayev put the initiative on hold? Dmitry Doroshenko, an expert with over 15 years of experience in Central
Asia's telecommunications sector, believes that concern about the security of online transactions played a major role:
In case of a man in the middle attack, an illegal intruder or state can use any decrypted data at
their own discretion. That compromises all participants in any exchange of information. Most players in online markets would not be able to guarantee data privacy and security, said Doroshenko. It's obvious that neither internet giants nor banks or
international payment systems are ready to take this blow to their reputation. If information were leaked, users would hold them to account rather than the state, which would not be unable to conduct any objective investigation, the IT specialist told
Citizens of Kazakhstan also appealed to tech giants to intervene and prevent the government from setting a dangerous precedent. On August 21, Mozilla, Google, and Apple agreed to block the Kazakh
government's encryption certificate. In its statement, Mozilla noted that the country's authorities had already tried to have a certificate included in Mozilla's trusted root store program in 2015. After it was discovered that they were intending to use
the certificate to intercept user data, Mozilla denied the request.
Kazakhstan is hardly the only country where the right to digital privacy is under threat. The British government wants to create a backdoor to access encrypted
communications, as do its partners in the US. The Kremlin wants to make social media companies store data on servers located in Russia.
Google and Mozilla have moved to block the Kazakhstan government from intercepting encrypted internet traffic.
It comes after reports ISPs in the country required people to install a government-issued certificate on all devices and in every
browser. Google and Mozilla noted that installing the compromised certificate allows the government to decrypt and read anything a user types or posts.
Google and Mozilla said they would deploy a technical solution to their browsers to block the
certificates. Chrome senior engineering director Parisa Tabriz said:
We will never tolerate any attempt, by any organisation - government or otherwise - to compromise Chrome users' data.
have implemented protections from this specific issue, and will always take action to secure our users around the world.
Saying that Chrome's seems more than happy to allow UK user's browsing history data to be monitored by the state
when it could implement an encrypted DNS alternative.
Mozilla senior director of trust and security Marshall Erwin said: People around the world trust Firefox to protect them as they navigate the internet, especially when it comes to keeping them
safe from attacks like this that undermine their security.
According to researchers at Censored Planet , who have been tracking the interception system in Kazakhstan, the government have been mainly using the facility to monitor Facebook, Twitter
A browser that bypasses internet censors has become the most popular way to access the Internet in Kazakhstan, a Central Asian state where sites critical of the government are often blocked.
The Norwegian developed Opera browser made by Opera
Software has increased its market share sharply in the ex-Soviet state since it began to allow downloads of compressed web pages via a server outside the country, a feature designed to speed browsing.
The Opera browser is now the most popular in
the country with a market share of 32%, beating out rival products from Google, Microsoft and Apple, according to statistics for March from Web analytics firm StatCounter.
The new version of Opera introduced last year, Opera 10, allows users to
view otherwise inaccessible Web pages using its Opera Turbo feature designed to speed up browsing over slow connections.
Kazakhstan introduced a law last year allowing local courts to block access to Web sites whose content has been deemed illegal,
a step that human rights groups say amounts to censorship.
Some of the most popular blogging websites such as Livejournal.com and Google-run Blogger.com are now inaccessible to most of Kazakhstan's 3.2 million Internet users.
Kazakhstan has created a new centre dedicated to censoring blacklisted websites ranging from pornography to those deemed to promote political extremism, an official announced.
The Central Asian country has been criticised for restricting freedom
of expression even as it seeks to woo foreign investment.
The new service, called the centre for computer incidents, is similar to Internet watchdogs that exist throughout the world, the head of Kazakhstan's state communications agency,
Kuanyshbek Esekeyev, told parliament. Esekeyev said the authorities had many questions regarding 'religious and political extremism on the Internet.
He said the centre's function would be to monitor websites which have a pornographic or
extreme character . At the current time work is being carried out with an entire blacklist of sites which have a destructive character for society.
Kazakh President Nursultan Nazarbayev has signed into law new controls on the Internet that the Organization for Security and Cooperation in Europe (OSCE) has called repressive.
The OSCE had earlier urged Nazarbayev to veto the bill. The
legislation will allow local courts to block websites, including foreign ones, and to class blogs and chatrooms as media.
But Kazakhstan pressed ahead with the new law, with local rights activists confirming the legislation had been endorsed by
the powerful president.
Several websites, including the popular blogging service LiveJournal.com, are already inaccessible to most Kazakh Internet users. There are already were signs of increasing self-censorship by local websites where
moderators were quickly removing comments that could be deemed offensive.
Kazakhstan’s lower house of parliament, the Mazhilis, passed April 29 a controversial law changing the way Internet regulation is governed in the Kazakhstan domain.
With the expansion of the reach of Internet pages, the number of crimes
committed using Internet sources is growing, Zhanna Kurmangaliyeva, executive secretary at the Culture and Information Ministry, told EurasiaNet, citing the dissemination of pornography and libelous material as examples.
Critics say the law
will unduly restrict freedom of expression, equating blogs, forums and chatrooms to media outlets, making site owners responsible for content, and allowing websites to be closed without a court ruling.
The For a Free Internet! campaign
expressed disappointment at the vote. We’re asking all Kazakh Internet users not use the sources that the Information Technology and Communications Agency [which drafted the law] has been recently promoting, and delete all their personal pages in
social networks and blogs, Yevgeniya Plakhina, a campaign organizer, told EurasiaNet.
The bill has still to complete its passage through both houses of parliament and must be signed by President Nursultan Nazarbayev before it becomes law.