“Regardless of the ‘failed test’ which just took place thanks in part to the belated ‘informational’ reaction from official state sources, social networks and messenger apps remain not only platforms for free expression but also channels for social consolidation,” – Kazakhstani expert Alexander Galiev exclusively for cabar.asia examines the issues facing government agencies in controlling the internet and social networks.
In November 2015, an announcement was published on the site of the national telecommunications operator, AO Kazakhtelekom, stating for the first time that a Kazakhstani national security certificate was to be introduced and adopted. Although this message later disappeared from Kazakhtelekom’s site, it is still available to read thanks to a saved version page stored in Google’s cache. In particular, it reports that, in accordance with the Kazakhstani Law “On Communications”, the Committee for Communications, Informatization, and Information of the Kazakhstani Ministry of Investment and Development (KSII MIR) will introduce a national security certificate for internet users beginning on 1 January 2016.
According to this law, telecommunications companies are required to transmit traffic that utilizes protocols supporting encryption by means of a security certificate with the exception of traffic encrypted with by cryptographic information protection in Kazakhstan. As conceived by the law’s authors, the national security certificate would provide protection to Kazakhstani users utilizing encryption protocols to access foreign internet resources.
It is not mandatory to install the certificate, but a user may have problems connecting to external resources without it. Considering that user traffic from the Kazakhstani segment of the internet (Kaznet) is significantly offset by the external environment (i.e. the ‘big’ Internet), this is a truly alarming signal. In other words, a user without the national certificate installed may be denied access to sites utilizing the HTTPS encryption protocol (HTTPS is an extension of the HTTP protocol that supports encryption. Data transmitted over HTTPS is encrypted with an SSL or TLS protocol). As the majority of popular services use the HTTPS protocol, it is not difficult to foresee what awaits the intractable Kaznet user.
Naturally, this message has provoked many questions for the government. Some experts see this as a step towards future crackdowns. This looks particularly strange in light of the fact that the UN Human Rights Council recognized “internet anonymity as one of the most important instruments that allows for free expression in the digital age”. The situation is made even more piquant due to Kazakhstan recently being chosen as a non-permanent member of the UN Security Council.
The Ambiguity of the Situation
How relevant is the introduction of a Kazakhstani security certificate? Opinions on this issue are not uniform. On one hand, there is an understanding that the new challenges facing the country, above all terrorism, require a strengthening of the state’s influence over the Kazakhstani segment of the internet. On the other hand, there are doubts regarding the feasibility of this technical approach and methods with which this would be realized. Additionally, there are genuine concerns that, once it exists, it will be very tempting to press “the red button” under false pretenses.
In February 2014, residents of Kazakhstan began to receive SMS messages on their cellphones saying that three banks, Centre Credit, Alliance, and Kaspi, were on the verge of default. The information began to spread rapidly among cellphone users. Although the information was false, it led to a run on the banks in question as depositors ran to withdraw their money in a panic. Incredibly long lines formed outside the banks, which suffered millions of dollars in losses as well as a hit to their reputations.
This incident, which has already become a textbook example, stunned the authorities, showing them how quickly information can spread and to what these uncontrolled lies can lead.
As the penetration rate of the internet, smartphones, messenger apps and social networks rises, these types of incidents began to occur quite often. Lest we forget the land reform protests that swept the country. In many cases, calls to meet and protest in city squares were spread by social networks and messenger apps. The authorities were also very concerned by the increase in criticism on social networks.
Pandora’s Box
For the political authorities of Kazakhstan the internet is like Pandora’s Box. It is practically uncontrolled. Meanwhile groups are formed on social networks that react sharply to various events. Many of these events would never have become notable were it not for the indignation of Facebook users. One of these groups was related to the so-called Maksat Usenov Affair, which gathered 14,000 signatures on a petition addressed to law enforcement agencies over a short period of time.[1] The last case, the so-called land reforms, also ripened on the Kaznet. Although it is not exactly related to the topic under discussion, it is understandable that this form civil activism became a headache for the authorities, The Aktobe events provided further impetus for the issue of state control over the Kaznet, but we are getting ahead of ourselves.
So what exactly is the problem? So what if traffic will be encrypted? Despite the fact that bureaucrats have shown an elegant obverse of the national security certificate (i.e. improving the safety of Kaznet users using international resources as well as promoting its introduction as a means of fighting international terrorism, child pornography, and international crime), the experts are of a different opinion. Many of these experts believe that the state will gain the ability to eavesdrop on traffic.
How would this look in practice? Your traffic that is encrypted by, for example, a Gmail certificate provided by Google will be repackaged with the national security certificate through what is referred to as a man-in-the-middle (MITM) process. It is during this process that there would be an opportunity for eavesdropping. The data received in an MITM is truly impressive: personal correspondence, logins and passwords for various services, etc. In fact, specialists say that users are presented with a fait accompli: either you set the state certificate as trusted or you lose access to all services utilizing TLS-encryption.
Of course, there is a chance that giants like Google’s Android, Microsoft’s Windows, Apple’s MacOS and iOS, and Mozilla’s Firefox will include the national security certificate in the trusted list (trusted CA store). Moreover, Google did provide precedent for this when it included the CNNIC security certificate in its list of trusted certificates,[2] although Google did later remove it. As such, it would be overly optimistic to think that the Kazakhstani certificate will meet with have a happier fate.
The government’s official position regarding the introduction of a national security certificate is clear: “The introduction of the security certificate as issued by the Certification Authority is to be carried out by telecommunications companies to limit the spread of information that has been declared illegal by court order or by Kazakhstani law as well as to suspend or terminate the use of networks and/or means of communication for criminal purposes.”
“The Great Kazakhstani Firewall” and What To Do About It?
Obviously, this situation impacts more than just Kazakhstan. Kazakhstan is the largest internet node in Central Asia with 125,000 registered domains in the national .kz and .қаз zones. The resources are of a relatively high level and, therefore, many people in the region get their information from the Kaznet. Specialists do not exclude the fact that Kyrgyzstan may have problems after the introduction of Kazakhstan’s national security certificate. Moreover, many Kyrgyzstani providers work very closely with Kazakhstani providers, which is a source of concern for internet activists in Kyrgyzstan.
In the end, some specialists say that the state may require data obtained through MITM be archived for a certain amount of time as with the anti-terrorist Yarovaya Laws in Russia. Even though Kazakhstan’s data center infrastructure is relatively developed, the sheer amount of data that the state would require providers to save would plunge the system into a shock
“Panic and run in circles. This is very, very serious and practically unsolvable through technical means. You could try to use a VPN-server from outside the country to avoid interception by the certificate,” complains an anonymous specialist. Nevertheless, if a service were located within the country with the substitute certificate, then nothing would help. One can only learn to accept the wiretapping.[3]
The New Reality
Today, messenger apps are in the limelight. Recent high-profile events have shown that messenger apps are becoming an important channel for disseminating information. It is rational that people trust messenger apps, because practically all of the most popular messenger apps in Kazakhstan, from Telegram to WhatsApp and Viber, utilize end-to-end encryption. Gaining access to these messages is incredibly difficult and, in reality, practically impossible without access to tremendous resources. The fact that internet traffic is slowly but surely moving to these messengers is yet another challenge facing the authorities. Formally, these apps and services could be completely banned or replaced with Kazakhstani messenger apps that allow for wiretapping, but society would react quite strongly to this. The Kazakhstani government is currently not interested in doing this.
Some political scientists say that the crackdown is still underway. The Aktobe events have placed the power of the state in a very difficult position. In fact, the government admitted that it had no information or forewarning regarding preparations of the terrorist act. Moreover, there is no doubt that the terrorists utilized various means of communication to coordinate their activities. It is possible that they used messenger apps.
Painting the Grass Green
The region is currently facing previously unknown challenges of which the most dangerous is perhaps terrorism. In a situation in which the traditional export of Kazakhstani natural resources has significantly decreased and social stratification has increased with the gap between the rich and poor increasing, the state is attempting to use control of communications and information flows for predictive analysis to prevent emergencies, crises, and black swan events. Instead of efforts aimed at truly combating corruption, moving to a meritocracy, creating true social lifts, and reforming the tax code to more heavily tax the richest Kazakhstani citizens, the government is experimenting with controlling the flow of information. It is reminiscent of a situation in which a doctor treats the symptoms as opposed to the disease.
Instead of an Epilogue
If the introduction of a national security certificate does, in fact, occur (and some experts feel that it will), then the country will be added the list of Central Asian states in which information is de-facto vulnerable. This crackdown trend in Central Asia is already taking place and has its own reasons.
For example, according to Freedom House’s assessment of the freedom of the media and internet, Uzbekistan earned 78 out of 100 points placing it in the group of states considered unfree.[4]
In mid-January, the government in Tajikistan adopted a measure creating a Unified Communications Center (UCC) for controlling the incoming and outgoing traffic from internet and international telecommunications services. The UCC is organized as a branch of the state telecommunications provider, Tajiktelekom.[5]
Blocking sites and resources has already been practiced in Kazakhstan (for example the popular opposition resources zonakz.net and ratel.kz were blocked without any explanation for nearly 4 months), but the national security certificate provides the state with a nearly unlimited resource.
Meanwhile, many experts say that blocking social networks and resources in localized parts of the network may have a dampening effect on the quality of content and event the development of e-commerce. Today, this segment is actively developing. In Kazakhstan, for example, it is already worth roughly 230 billion tenge (roughly $676.5 million according to 1 January 2016 exchange rates),[6] and it is projected to grow several times over by 2020.
Before This Article Went to the Presses…
The events that took place in Almaty on 18 July 2016 were yet one more litmus test for social networks and messenger apps. It must be admitted that they did not pass this test. The Kaznet had never seen such a large wave of speculation, obvious fakes and simple unverified information. In particular, reports of an alleged attack on the military base in Kapchagay were disseminated by messenger apps. The Ministry of Defense’s press service refuted these reports.[7] Later, rumors spread of a group 100 armed men moving from the Juldyz district towards the city and of an attack on the police precinct in that district. These reports were later proven to be fake. That being said, the government faced intense criticism first and foremost for its inability to provide up-to-date information to the populace regarding the events of 18 July. According to political scientist Dosyma Satpaeva, the state has once again been defeated by rumors in the informational war.[8]
Kaznet users simultaneously noted the difficulty in accessing popular resources that were reporting on the 18 July events. Some authors were of the opinion that selective blocking was taking place. Some popular portals were truly inaccessible for some time.
Official comments explained this as being due to a system overloaded caused by a massive, simultaneous influx of users to these resources.
What conclusions can be drawn from this “informational imbalance”? This is the key question, whose answer would allow for assumptions on how the state will react. Regardless of the ‘failed test’ which just took place thanks, in part, due to the belated ‘informational’ reaction from official state sources, social networks and messenger apps remain not only platforms for free expression but also channels for social consolidation. For example, immediately after the events of 18 July, citizens began to collect donations for the families of the victims via social networks. Additionally, messenger apps are a channel by which information is disseminated near instantaneously, leaving television and radio far behind (moreover, Mondays nationally are traditionally when radio and television broadcasts are down for maintenance, and only some channels interrupted that maintenance to resume broadcasting that day[9]). Today, social networks are actively used by the government as a means of communicating with citizens. For example, the Almaty akimat[10] uses Instagram for citizen engagement and currently has 90,000 followers. Moreover, social networks are an amazing means of mutual information sharing in the event of natural disasters. The unusual summer rainfall that took place in Almaty in 2016 proved the validity of this postulate.
Unfortunately, some experts and political scientists put forward a pessimistic scenario, believing that Kazakhstani regulatory efforts to place messenger apps and social networks under control, much as has been done with the internet, will soon be noticeable. The government does not want to let this information flow slip through its fingers and will attempt to maintain control over it.
References:
[1] Trubacheva, T. “The petition on the case of Usenov, who hit six pedestrians, is not legally binding (Петиция по делу Усенова, сбившего 6 пешеходов, не имеет юридической силы).” Forbes.kz, 27 January 2014. Accessed 25 July 2016. http://forbes.kz/process/probing/petitsiya_po_delu_usenova_s_prizyivom_k_boykotu_ekspo-2017_ne_imeet_yuridicheskoy_silyi
[2] Fang, F. “China’s Internet Users Hail Google for Banishing Chinese Security Certificates.” theepochtimes.com, 3 April 2015. Accessed 25 July 2016. http://www.theepochtimes.com/n3/1307856-chinas-internet-users-hail-google-for-banishing-chinese-security-certificates/
[3] Gumenyuk, I. “Now your HTTPS will be monitored and you will have to apply a MitM certificate yourself (Теперь ваш HTTPS будет прослушиваться, а сертификат для MitM вы должны поставить сами).” Habrahabr.ru, 21 June 2016. Accessed 25 July 2016. https://habrahabr.ru/post/303736/
[4] Regnum.ru. “Uzbekistan is again recognized as a state with harshly controlled internet and mass media (Узбекистан вновь признан страной с жестко контролируемыми интернетом и СМИ).” 28 October 2015. Accessed 25 July 2016. https://regnum.ru/news/society/2000451.html
[5] Sputniknews-uz.com. “Experts: internet control in Tajikistan carries serious risks (Эксперты: контроль над интернетом в Таджикистане несет большие риски).” 11 February 2016. Accessed 25 July 2016. http://ru.sputniknews-uz.com/analytics/20160211/1747754.html
[6] Computerworld.kz. “Counted, don’t shed tears (Посчитали – не прослезились).” 23 April 2016. Accessed 25 July 2016. http://www.computerworld.kz/articlekz/10138/
[7] Zakon.kz – “Social networks are full of unconfirmed information about what is happening in Almaty (Соцсети полны неподтвержденной информации о происходящем в Алматы).” 18 July 2016. Accessed 25 July 2016. https://www.zakon.kz/4806409-socseti-polny-nepodtverzhdennojj.html
[8] Mikhtaeva, M. “Almaty shootout: yet another informational failure for the authorities (Перестрелка в Алматы: очередной информационный провал власти).” Radiotochka.kz, 20 July 2016. Accessed 25 July 2016. https://radiotochka.kz/26221-perestrelka-v-almaty-ocherednoy-informacionnyy-proval-vlasti.html
[9] Usupova, A. “Kazakhstan’s TV channels go on air unscheduled due to the events in Almaty (Телеканалы Казахстана экстренно выйдут в эфир из-за событий в Алматы).” Tengrinews.kz, 18 July 2016. Accessed 25 July 2016. https://tengrinews.kz/kazakhstan_news/telekanalyi-kazahstana-ekstrenno-vyiydut-efir-iz-za-sobyitiy-298860/
[10] Municipal government
Author: Alexander Galiev, Computerworld.kz Editor (Almaty, Kazakhstan)
The views of the author may not coincide with the position of cabar.asia