In what appears to be a bold attack on net freedom, the government of Kazakhstan will reportedly attempt to spy on all encrypted internet traffic going in or out of the country by introducing a “national internet safety certificate” in January 2016.
“The national security certificate will secure protection of Kazakhstan users when using coded access protocols to foreign internet resources,” read a press release published by the country's primarily state-backed internet service provider Kazakhtelecom at the beginning of this week. In other words, the certificate is targeting citizens’ access to encrypted services that rely on traffic being routed outside of Kazakhstan.
The announcement was published by Kazakhtelecom on Monday. Then overnight on Wednesday, the page mysteriously vanished, with the URL now redirecting to the main Kazakhtelecom landing page. An archived version is available on the Wayback Machine.
Although there aren't many specifics available at the moment, the “national internet safety certificate” most likely refers to a digital certificate of the kind used to secure encrypted (HTTPS) connections to websites, which users would install on their devices as a trusted authority.
Typically, these certificates are issued by trusted certificate authorities so that internet users’ activity can’t be listened in on. But if the authority whose certificate a device trusts has malicious intent, it can issue certificates for any website, and the browser will accept them without warning, making it possible to intercept and read encrypted browsing sessions.
“All internet users will have to install the certificate, issued from the online portal of national operator Kazakhtelecom, on their end-user devices,” claims a report from Telecompaper, a news site for the telecoms industry. “According to the law, operators will have to use a safety certificate for transferring traffic under protocols supporting encryption, except for traffic encrypted in Kazakhstan.”
The Kazakhtelecom release said that this would apply to iOS and Android phones, as well as personal computers that use Windows or Mac OS. Linux was not included.
"By trying to introduce infrastructure that disables encryption on foreign communications through a masquerading certificate, Kazakhstan is making a brazen attempt to increase its ability to control security over the internet in the country,” Matthew Rice, an advocacy officer at Privacy International, told Motherboard in an email. “This will make the collection and storage of communications much easier by removing the encryption on the data. It is a concern from a security perspective and for the technological naivety of the proposal.”
Kazakhtelecom did not respond to a request for comment.
Kazakhstan is not new to internet surveillance. According to the OpenNet Initiative, censorship of certain internet traffic takes place in the country, and a recent Privacy International investigation found that monitoring centers with “mass surveillance capabilities” have been sold to the country by US and Israeli companies.
Plenty of questions remain about how exactly this system, if carried through, would be implemented, and what its effect would be. Rice said that the system might cause significant problems for the country’s citizens beyond surveillance.
“The fact that modern browsers and services like Google and Twitter have a list of authorised certificates to connect to their services, which this certificate is unlikely to find itself on, means users of most of the most popular services on the internet are going to experience a significant degradation in the usability in Kazakhstan,” he suggested. “If it were for monitoring purposes, this would mean little useful intelligence would be gathered from people not being able to connect to Google, Twitter, etc.”
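As an added illustration of the two points above, the interception that an extra trusted root makes possible and the pinned "list of authorised certificates" that defeats it (example code, not from the article or from anyone it quotes): a device that trusts the national root will accept a certificate that root mints for any site, but a browser that also pins the site's real public key rejects it. The DER parser, the certificates and the keys below are constructed stand-ins with placeholder field contents, not real certificates.

```python
import base64, hashlib

def _tlv(data, pos):
    """Decode one DER TLV at pos -> (tag, value, end). Definite lengths only."""
    tag, ln, pos = data[pos], data[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(data[pos - n:pos], "big")
    return tag, data[pos:pos + ln], pos + ln

def _der(tag, *kids):
    """Encode one DER TLV (short or long-form length)."""
    body = b"".join(kids)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    ln = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def extract_spki(cert_der):
    """SubjectPublicKeyInfo of an X.509 cert: the element after serial,
    signature, issuer, validity and subject (skipping an explicit [0] version)."""
    _, tbs, _ = _tlv(_tlv(cert_der, 0)[1], 0)
    pos = _tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0
    for _ in range(5):
        pos = _tlv(tbs, pos)[2]
    return tbs[pos:_tlv(tbs, pos)[2]]

def spki_pin(cert_der):
    """HPKP/Chrome-style pin: base64(SHA-256(SPKI DER))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def chain_matches_pins(chain, pins):
    """Trust-store validation is assumed to have passed (the interception root is
    installed on the device); some certificate in the chain must still carry a pinned key."""
    return any(spki_pin(c) in pins for c in chain)

# Constructed stand-ins (placeholder OIDs, names and key bytes), not real certificates.
OID_PLACEHOLDER = _der(0x06, b"\x2a\x86\x48")
def _spki(key_bytes):           # SPKI ::= SEQUENCE { algorithm, BIT STRING }
    return _der(0x30, _der(0x30, OID_PLACEHOLDER), _der(0x03, b"\x00" + key_bytes))
def _cert(subject, spki):       # tbsCertificate fields in RFC 5280 order
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"),
               _der(0x30, OID_PLACEHOLDER), _der(0x30, _der(0x0C, b"issuer")),
               _der(0x30, _der(0x18, b"20160101000000Z"), _der(0x18, b"20170101000000Z")),
               _der(0x30, _der(0x0C, subject)), spki)
    return _der(0x30, tbs, _der(0x30, OID_PLACEHOLDER), _der(0x03, b"\x00sig"))

REAL_SPKI = _spki(b"operator-public-key-bytes" * 8)         # long enough for long-form lengths
MITM_SPKI = _spki(b"key-minted-by-interception-root" * 8)
PINS = {spki_pin(_cert(b"example.com", REAL_SPKI))}         # pin the browser ships for the site
GENUINE_CHAIN = [_cert(b"example.com", REAL_SPKI)]
INTERCEPTED_CHAIN = [_cert(b"example.com", MITM_SPKI), _cert(b"national root", _spki(b"root-key" * 8))]
```

`chain_matches_pins(GENUINE_CHAIN, PINS)` is True while `chain_matches_pins(INTERCEPTED_CHAIN, PINS)` is False, which is why a pinned site becomes unreachable rather than silently readable once the interception root is in use.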
The now-missing Kazakhtelecom release said more details of the program would be released in December.