In late July, mobile network providers in Kazakhstan started sending out SMS messages demanding that their clients install a “national security certificate” on all personal digital devices with internet access. These messages claimed that the certificate would protect citizens from cyberattacks. They also assured users who did not install the application that they would encounter problems accessing certain websites (particularly those with HTTPS encryption.)
This news came one and a half months after Kazakhstan’s government blocked access to internet and streaming services on June 9, when the country held presidential elections. The victory of Kassym-Zhomart Tokayev, the intended successor to Elbasy (“Leader of the Nation” in Kazakh) Nursultan Nazarbayev, came amid mass protests calling for fair elections. Meanwhile, an internet blackout prevented protesters from coordinating their actions, helping police to arrest them.
These moves led some observers to fear the beginning of a wider crackdown on digital rights in Kazakhstan. So while Tokayev called off the introduction of the controversial “national security certificates” on August 6, there are grounds to doubt that this will be the government’s last attempt to intrude on cyberspace.
Fear and suspicion on social media
“In the first days [after receiving the SMS messages] we faced lots of panic. People were afraid that they would indeed be deprived of access to certain websites without installing the security certificate,” Gulmira Birzhanova, a lawyer at the North Kazakhstan Legal Media Centre, an NGO based in the capital Nur-Sultan, told GV.
However, few users rushed to obey the SMS messages. “I didn’t install [the application]. I don’t even know if any of my acquaintances did,” added Birzhanova.
Nevertheless, the demands to install an unknown security tool caused a wave of distrust and outrage on social media. Yelena Shvetsova, a civic activist and executive director of Erkindik Kanaty (an NGO whose name translates as “Wings of Freedom”) described the measure as a government attempt to access personal information. “I am sure that interception of our correspondence and total access to our phones will follow. And then arrests and prosecutions!” she wrote on Facebook.
Irina Sevostyanova, a journalist based in Nur-Sultan, called the national security certificate a “big brother,” and wondered if would limit access to Virtual Private Networks (VPNs), tools that allow users to circumvent censorship and to browse the web privately. Daniil Vartanov, an IT expert from neighbouring Kyrgyzstan, was one of the first people to react to the launch of the certificate and confirmed users’ suspicions.
“Now they can read and replace everything you look at online […] Your personal information can be accessed by anybody in the state security services, ministry of internal affairs, or even the illicitly hired nephew of some top official. This isn’t an exaggeration; this is really how bad it is,” wrote Vartanov on Facebook.
Man in the Middle
On August 1, Kazakhstan’s prosecutor general issued a statement reassuring citizens that the national security certificate was aimed to protect internet users from illicit content and cyberattacks, stressing that the state guaranteed their right to privacy.
IT experts proved otherwise. Censored Planet, a project at the University of Michigan which monitors network interference in over 170 countries, warned that the Kazakh authorities had started attempting to intercept encrypted traffic using “man in the middle” attacks on July 17. At least 37 domains were affected, including social media networks.
“Man in the middle” or HTTPS interception attacks are attempts to replace genuine online security certificates with fake ones.
“Normally, a security certificate helps a browser or application (for example, Instagram or Snapchat) to ensure that it connects to the real server. If a state, [internet] provider or illegal intruder tries to intercept traffic, the application will stop working and the browser will display a certificate error. The Kazakh authorities push citizens to install this certificate so that the browser and application continue to work after the interception is spotted,” explained Vartanov in an interview to GV in early August.
History repeats itself
This was the authorities’ third attempt to enforce the use of a national security certificate. The first came in late November 2015, right after certificate-related amendments were made to Kazakhstan’s law on communication. The law obliges telecom operators to apply a national security certificate to all encrypted traffic except in cases where the encryption originates from Kazakhstan.
“The law doesn’t oblige users to install the certificate; [internet service] providers are the ones responsible for it. Failure to do so may lead to a fine of approximately 250,000 tenge [about $645],” explained Birzhanova.
That same month, service providers announced that a national security certificate would come into force by January 2016. The announcement was soon taken down, and the issue remained forgotten for three years. The second attempt came in March 2019, and was barely noticed by the public until they started to receive the aforementioned SMS messages in July.
After two weeks of turmoil on social media, Tokayev called off the certificate on August 6.
On my order, the KNB [state security service] conducted a test of the security certificate as part of the “Cybershield” programme. It demonstrated the security of the information space of the Republic of Kazakhstan and the possibility of using the certificate only [against] cases of intrusion from without. It presents no inconvenience to internet users. Thanks to the KNB.
— Qasym-Jomart Toqayev (@TokayevKZ) August 6, 2019
Nothing personal, just business
Why did Tokayev put the initiative on hold?
Dmitry Doroshenko, an expert with over 15 years of experience in Central Asia’s telecommunications sector, believes that concern about the security of online transactions played a major role.
“In case of a man in the middle attack, an illegal intruder or state can use any decrypted data at their own discretion. That compromises all participants in any exchange of information. Most players in online markets would not be able to guarantee data privacy and security,” said Doroshenko. “It’s obvious that neither internet giants nor banks or international payment systems are ready to take this blow to their reputation. If information were leaked, users would hold them to account rather than the state, which would not be unable to conduct any objective investigation,” the IT specialist told Global Voices.
It is also worth remembering that a scandal concerning leaked data has made the issue of privacy particularly sensitive in Kazakhstan in recent months. During June’s presidential elections, the personal details of 11 million Kazakh citizens became publicly available. On August 9, an investigation found employees of the central electoral committee responsible for the accident.
Citizens of Kazakhstan also appealed to tech giants to intervene and prevent the government from setting a dangerous precedent. On August 21, Mozilla, Google, and Apple agreed to block the Kazakh government’s encryption certificate. In its statement, Mozilla noted that the country’s authorities had already tried to have a certificate included in Mozilla’s trusted root store program in 2015. “After it was discovered that they were intending to use the certificate to intercept user data, Mozilla denied the request,” explained the company.
The companies’ separate statements each included promises to develop unique technical solutions allowing each browser to better protect users’ privacy.
“No-one has ever tried what Kazakhstan is trying to achieve nationwide. The only example, on a smaller scale, would be the Chinese authorities’ installation of spyware on the mobile phones of tourists travelling to Xinjiang,” remarked a Russian IT expert who asked to remain anonymous.
Indeed, Kazakhstan is hardly the only country where the right to digital privacy is under threat. The British government wants to create a backdoor to access encrypted communications, as do its partners in the US. The Kremlin wants to make social media companies store data on servers located in Russia.
Some journalists and experts compare Kazakhstan’s national security certificate to the “Great Firewall” of neighbouring China.
Vartanov dismissed this comparison, saying that Kazakhstan simply does not have the resources to launch Chinese-style “internet sovereignty.” “The Chinese internet market has enough capacity to have its own clones of Facebook or Twitter, while Kazakhstan’s does not,” he explained. Another important difference is that Kazakhstan is attempting to make internet users themselves responsible for giving up protection from government intrusion.
Many questions remain unanswered since Tokayev’s announcement about the certificate. How many people have installed it? Once installed, did they manage to delete it? Will the law on communication be changed to free service providers from the responsibility of making users install it? And why did Tokayev call the national security certificate a “test”?
“I don't understand why the government didn’t say it was a test from the beginning. I think they either decided to wait for better timing to launch the certificate, or they are solving technical problems that arose during the test,” concluded Birzhanova, who is certain that Kazakhstan’s authorities will try again.