In late July, mobile network providers in Kazakhstan started sending out SMS messages demanding that their clients install a 'national security certificate' on all personal digital devices with internet access. These messages claimed that the certificate
would protect citizens from cyberattacks. They also assured users who did not install the application that they would encounter problems accessing certain websites (particularly those with HTTPS encryption.)
This news came one and
a half months after Kazakhstan's government blocked access to internet and streaming services on June 9, when the country held presidential elections. The victory of Kassym-Zhomart Tokayev came amid mass protests calling for fair elections. Meanwhile, an
internet blackout prevented protesters from coordinating their actions, helping police to arrest them.
These moves led some observers to fear the beginning of a wider crackdown on digital rights in Kazakhstan. So while Tokayev
called off the introduction of the controversial national security certificates on August 6, there are grounds to doubt that this will be the government's last attempt to intrude on cyberspace. Fear and suspicion on social media
In the first days [after receiving the SMS messages] we faced lots of panic. People were afraid that they would indeed be deprived of access to certain websites without installing the security certificate, Gulmira Birzhanova, a lawyer at the North Kazakhstan Legal Media Centre told GV:
However, few users rushed to obey the SMS messages. I didn't install [the application]. I don't even know if any of my acquaintances dida.
Nevertheless, the demands to install an
unknown security tool caused a wave of distrust and outrage on social media.
Daniil Vartanov, an IT expert from neighbouring Kyrgyzstan, was one of the first people to react to the launch of the certificate and confirmed users'
Now they can read and replace everything you look at online. Your personal information can be accessed by anybody in the state security services, ministry of internal affairs, or even the illicitly hired
nephew of some top official. This isn't an exaggeration; this is really how bad it is.
On August 1, Kazakhstan's prosecutor general issued a statement reassuring citizens that the national security certificate was
aimed to protect internet users from illicit content and cyberattacks, stressing that the state guaranteed their right to privacy.
IT experts proved otherwise. Censored Planet, a project at the University of Michigan which
monitors network interference in over 170 countries, warned that the Kazakh authorities had started attempting to intercept encrypted traffic using man in the middle attacks on July 17. At least 37 domains were affected, including social media networks.
Man in the middle or HTTPS interception attacks are attempts to replace genuine online security certificates with fake ones. Normally, a security certificate helps a browser or application (for example, Instagram or Snapchat) to
ensure that it connects to the real server. If a state, [internet] provider or illegal intruder tries to intercept traffic, the application will stop working and the browser will display a certificate error. The Kazakh authorities push citizens to
install this certificate so that the browser and application continue to work after the interception is spotted, explained Vartanov in an interview to GV in early August.
This was the authorities' third attempt to enforce the use
of a national security certificate. The first came in late November 2015, right after certificate-related amendments were made to Kazakhstan's law on communication. The law obliges telecom operators to apply a national security certificate to all
encrypted traffic except in cases where the encryption originates from Kazakhstan.
That same month, service providers announced that a national security certificate would come into force by January 2016. The announcement was soon
taken down, and the issue remained forgotten for three years.
The second attempt came in March 2019, and was barely noticed by the public until they started to receive the aforementioned SMS messages in July.
After two weeks of turmoil on social media, Tokayev called off the certificate on August 6.
Why did Tokayev put the initiative on hold? Dmitry Doroshenko, an expert with over 15 years of experience in Central
Asia's telecommunications sector, believes that concern about the security of online transactions played a major role:
In case of a man in the middle attack, an illegal intruder or state can use any decrypted data at
their own discretion. That compromises all participants in any exchange of information. Most players in online markets would not be able to guarantee data privacy and security, said Doroshenko. It's obvious that neither internet giants nor banks or
international payment systems are ready to take this blow to their reputation. If information were leaked, users would hold them to account rather than the state, which would not be unable to conduct any objective investigation, the IT specialist told
Citizens of Kazakhstan also appealed to tech giants to intervene and prevent the government from setting a dangerous precedent. On August 21, Mozilla, Google, and Apple agreed to block the Kazakh
government's encryption certificate. In its statement, Mozilla noted that the country's authorities had already tried to have a certificate included in Mozilla's trusted root store program in 2015. After it was discovered that they were intending to use
the certificate to intercept user data, Mozilla denied the request.
Kazakhstan is hardly the only country where the right to digital privacy is under threat. The British government wants to create a backdoor to access encrypted
communications, as do its partners in the US. The Kremlin wants to make social media companies store data on servers located in Russia.