Google has paid a fine for failing to block access to certain websites banned in Russia.
Roskomnadzor, the Russian government's internet and media censor, said that Google paid a fine of 700,000 rubles ($10,900) related to the company's refusal to fully comply with rules imposed under the country's censorship regime.
Search engines are prohibited under Russian law from displaying banned websites in the results shown to users, and companies like Google are asked to adhere to a regularly updated blacklist maintained by Roskomnadzor.
Google does not fully comply with the blacklist, however, and more than a third of the websites banned in Russia could be found using its search engine, Roskomnadzor said previously.
No doubt Russia is now working on increased fines for future transgressions.
Russia's powerful internal security agency FSB has enlisted the help of the telecommunications, IT and media censor Roskomnadzor to ask a court to block Mailbox and Scryptmail email providers.
It seems that the services failed to register with the authorities as required by Russian law. Both are marketed as focusing strongly on the privacy segment and offering end-to-end encryption.
News source RBK noted that the process to block the two email providers will in legal terms follow the model applied to the Telegram messaging service -- adding, however, that imperfections in the blocking system are resulting in Telegram's continued availability in Russia.
On the other hand, some experts argued that it will be easier to block an email service than a messenger like Telegram. In any case, Russia is preparing for a new law to come into effect on November 1 that will see the deployment of Deep Packet Inspection equipment, which should result in more efficient blocking of services.
In late July, mobile network providers in Kazakhstan started sending out SMS messages demanding that their clients install a 'national security certificate' on all personal digital devices with internet access. These messages claimed that the certificate would protect citizens from cyberattacks. They also assured users who did not install the application that they would encounter problems accessing certain websites (particularly those with HTTPS encryption).
This news came one and a half months after Kazakhstan's government blocked access to internet and streaming services on June 9, when the country held presidential elections. The victory of Kassym-Zhomart Tokayev came amid mass protests calling for fair elections. Meanwhile, an internet blackout prevented protesters from coordinating their actions, helping police to arrest them.
These moves led some observers to fear the beginning of a wider crackdown on digital rights in Kazakhstan. So while Tokayev called off the introduction of the controversial national security certificates on August 6, there are grounds to doubt that this will be the government's last attempt to intrude on cyberspace.
Fear and suspicion on social media
"In the first days [after receiving the SMS messages] we faced lots of panic. People were afraid that they would indeed be deprived of access to certain websites without installing the security certificate," Gulmira Birzhanova, a lawyer at the North Kazakhstan Legal Media Centre, told GV: "However, few users rushed to obey the SMS messages. I didn't install [the application]. I don't even know if any of my acquaintances did."
Nevertheless, the demands to install an unknown security tool caused a wave of distrust and outrage on social media.
Daniil Vartanov, an IT expert from neighbouring Kyrgyzstan, was one of the first people to react to the launch of the certificate and confirmed users' suspicions.
"Now they can read and replace everything you look at online. Your personal information can be accessed by anybody in the state security services, ministry of internal affairs, or even the illicitly hired nephew of some top official. This isn't an exaggeration; this is really how bad it is."
On August 1, Kazakhstan's prosecutor general issued a statement reassuring citizens that the national security certificate was aimed to protect internet users from illicit content and cyberattacks, stressing that the state guaranteed their right
IT experts proved otherwise. Censored Planet, a project at the University of Michigan which monitors network interference in over 170 countries, warned that the Kazakh authorities had started attempting to intercept encrypted traffic using man in the middle attacks on July 17. At least 37 domains were affected, including social media networks.
"Man in the middle or HTTPS interception attacks are attempts to replace genuine online security certificates with fake ones. Normally, a security certificate helps a browser or application (for example, Instagram or Snapchat) to ensure that it connects to the real server. If a state, [internet] provider or illegal intruder tries to intercept traffic, the application will stop working and the browser will display a certificate error. The Kazakh authorities push citizens to install this certificate so that the browser and application continue to work after the interception is spotted," explained Vartanov in an interview with GV in early August.
This was the authorities' third attempt to enforce the use of a national security certificate. The first came in late November 2015, right after certificate-related amendments were made to Kazakhstan's law on communication. The law obliges telecom operators to apply a national security certificate to all encrypted traffic except in cases where the encryption originates from Kazakhstan.
That same month, service providers announced that a national security certificate would come into force by January 2016. The announcement was soon taken down, and the issue remained forgotten for three years.
The second attempt came in March 2019, and was barely noticed by the public until they started to receive the aforementioned SMS messages in July.
After two weeks of turmoil on social media, Tokayev called off the certificate on August 6.
Why did Tokayev put the initiative on hold? Dmitry Doroshenko, an expert with over 15 years of experience in Central Asia's telecommunications sector, believes that concern about the security of online transactions played a major role:
"In case of a man in the middle attack, an illegal intruder or state can use any decrypted data at their own discretion. That compromises all participants in any exchange of information. Most players in online markets would not be able to guarantee data privacy and security," said Doroshenko. "It's obvious that neither internet giants nor banks or international payment systems are ready to take this blow to their reputation. If information were leaked, users would hold them to account rather than the state, which would not be unable to conduct any objective investigation," the IT specialist told Global Voices.
Citizens of Kazakhstan also appealed to tech giants to intervene and prevent the government from setting a dangerous precedent. On August 21, Mozilla, Google, and Apple agreed to block the Kazakh government's encryption certificate. In its statement, Mozilla noted that the country's authorities had already tried to have a certificate included in Mozilla's trusted root store program in 2015. After it was discovered that they were intending to use the certificate to intercept user data, Mozilla denied the request.
Kazakhstan is hardly the only country where the right to digital privacy is under threat. The British government wants to create a backdoor to access encrypted communications, as do its partners in the US. The Kremlin wants to make social media companies store data on servers located in Russia.
The Prime Minister of New Zealand, Jacinda Ardern, has contacted Ukraine's Government after Bellingcat investigative journalists revealed that Brenton Tarrant's manifesto was offered for sale in hard copies via messengers in Ukraine.
New Zealand has made the request through diplomatic channels. News source MFA Ukraine reports on a response from a Ukrainian diplomat saying that Ukraine is concerned by the emerging reports about the distribution of such material in Ukraine:
"We are convinced that there must be no place for racism, neo-Nazism and religious hatred in Ukrainian society."
The diplomats also said that they had already approached the Ministry of Internal Affairs and the Security Service of Ukraine with a request to confirm or deny the fact of the distribution of hard copies of the manifesto translated into Ukrainian.
Google and Mozilla have moved to block the Kazakhstan government from intercepting encrypted internet traffic.
It comes after reports that ISPs in the country required people to install a government-issued certificate on all devices and in every browser. Google and Mozilla noted that installing the compromised certificate allows the government to decrypt and read anything a user types or posts.
Google and Mozilla said they would deploy a technical solution to their browsers to block the certificates. Chrome senior engineering director Parisa Tabriz said:
"We will never tolerate any attempt, by any organisation - government or otherwise - to compromise Chrome users' data.
We have implemented protections from this specific issue, and will always take action to secure our users around the world."
Saying that, Chrome seems more than happy to allow UK users' browsing history data to be monitored by the state when it could implement an encrypted DNS alternative.
Mozilla senior director of trust and security Marshall Erwin said: People around the world trust Firefox to protect them as they navigate the internet, especially when it comes to keeping them safe from attacks like this that undermine their
According to researchers at Censored Planet, who have been tracking the interception system in Kazakhstan, the government has been mainly using the facility to monitor Facebook, Twitter and Google.