© CABAR - Central Asian Bureau for Analytical Reporting
Please make active links to the source, when using materials from this website

Kazakhstan: Google and Mozilla will block national security certificate

Developers of Google and Mozilla Firefox plan to implement protections from  Kazakhstan’s governmental security certificate so as  not to compromise users’ personal data.

Follow us on LinkedIn 

According to the Google and Mozilla Firefox statement, the national security certificate of Kazakhstan allows to spy on data and passwords of 18 million citizens of the country.

“We will never tolerate any attempt, by any organisation – government or otherwise – to compromise Chrome users’ data. We have implemented protections from this specific issue, and will always take action to secure our users around the world,” said Parisa Tabriz, Senior Engineering Director on Google, to VICE.

On July 17-18, the users of mobile operators in Kazakhstan started getting messages about the need to install the national security certificate. Its installation, according to the message, “aimed at enhancing the protection of Kazakhstan users from hacker attacks and watching illegal content.”

The acknowledged HTTPS security certificates encrypt data exchanged between a website and a user and don’t allow their interception. Installation of the Qaznet national certificate allowed security services to decipher, wiretap or substitute the traffic of the citizens of Kazakhstan – browsing history, logins, passwords, bank data, etc.

The expert community, including international organisations, has expressed concerns about the legitimacy of this government’s measure. It has also caused violent outrage of internet users and negative statements by the international community, including Google and Mozilla.

Two weeks later, the certificate was cancelled and all the events were called “a test.”

Single cyberspace and independent internet

The situation with the certificate is the continuation of the national policy of gradual strengthening of digital space control, which was launched in 2010.

According to the 2011 report of the Freedom House on the internet freedom in the country, the Kazakh authorities have engaged in some online censorship, though it is selective, sporadic, and inconsistent.

“Nevertheless, there are indications that government censorship may expand in the coming years, including possibly via filtering at the backbone network level,” the report reads.

The first serious amendment to the Kazakh legislation was made in 2011, when the government decided to have all domain names in the .kz area to be hosted on servers that are physically located within the country. In response to this requirement, Google decided to redirect all visitors of google.kz to google.com – this change meant that search results were no more applicable to Kazakhstan.

Later on, the law was amended and this norm concerned only websites registered after 2011.

According to experts, 20 world countries, including Kazakhstan, impose artificial restrictions on content and ban the use of foreign services. And these countries have strong interrelations and export of censorship technologies.

Sarkis Darbinyan. Photo: svpressa.ru

According to Sarkis Darbinyan, a lawyer in cyber rights (Russia), it all started in 2012 after the signature of the renewed telecommunication regulations, which led to the split in the International Telecommunication Union.

At the Dubai conference, 89 member countries signed the new version of the telecommunication regulations which were updated last in 1988.

55 countries, including the United States, Canada, United Kingdom, Australia, New Zealand, Sweden, Denmark, Poland and others, refused to sign the regulations as they contained a few regulations that allowed state control over the network.

In particular, article 5B reads:

“Member States should endeavour to take necessary measures to prevent the propagation of unsolicited bulk electronic communications and minimize its impact on international telecommunication services.”

The advocates for the new version claimed it meant only spam. However, those countries that refused to sign the document insisted that repressive regimes may interpret it in a wider sense and use it to justify censorship.

The regulations came into effect on January 1, 2015. At the same year, Kazakhstan made its first attempt to embed national certificate, and two years later the law prescribed that all users have to be de-anonymized and all SIM cards and phones have to be registered.

Along one path

“Russia and Kazakhstan follow one path and the things that happen there come almost simultaneously in both countries. For example, an attempt to de-anonymize all users. We can say both countries followed the same path in the last five to seven years, but Kazakhstan followed it a bit earlier. We also raise the issues related to national cryptography and SSL certificates, but Kazakhstan has already implemented them,” Darbinyan said.

According to him, the authorities of these countries adopt identical laws, and we can expect even more cooperation in this area in the framework of EAEU.

Also, experts say about the similar cooperation between Kazakhstan and China. 

Back in 2015, when the first attempt to embed the national certificate was made, the expert of The New York Times Nicole Pelprot said this initiative looked like a “budget version” of the Chinese model.

According to her, the low budget Kazakh option has the potential of opening doors to even bigger threats. Hacking of the national certificate and release of fake copies under the government’s name will provide criminals with access to all national traffic

In October 2017, president Xi Jinping publicly outlined his plan to turn China into a “cyber superpower” at the session of the Communist Party of China. He suggested a governance model in the country, including internet control, as “a new option for other countries and nations that want to speed up their development while preserving their independence.”

One month later, a two-week “Workshop on cyberspace management for officials of member countries to One Belt One Road Initiative”, including Kazakhstan, was held in China. The officials visited agencies responsible for “big data public-opinion management system”, including monitoring of negative public opinion and a “positive energy public-opinion guidance system.”

Moreover, a Chinese Huawei is the dominative supplier of telecommunication equipment in Kazakhstan.

Is digital independence possible?

Unlike Russia, which is at the beginning of construction of independent internet, and China, which has already built the system, Kazakhstan, on the one hand, has its own system of traffic tracking, and, on the other hand, lacks opportunities to introduce independent internet system that can exist autonomously without connection to the rest of the world.

According to article 26 of the communication law, providers must direct all traffic to the telecommunication network central management system of Kazakhstan.

Arman Abdrasilov. Photo: kapital.kz

According to Arman Abdrasilov, director of the Centre for Analysis and Investigation of Cyber Attacks, the single point of traffic exchange in Kazakhstan is built on the basis of the state technical service, that is, now traffic flows directly between national providers, without leaving the country. According to him, this gives the provider the opportunity to save money, make communication cheaper, but at the same time it makes content blocking easier.

Moreover, representatives of the Ministry of Digital Development, defence and aerospace industries reported that an intermediate system is used for traffic exchange, which allows them to intervene in the data stream and read it. This is why centralisation of all flows is needed. Security certificate is a part of the intermediate system. It is necessary for convenient traffic management, as it allows you to receive it in unencrypted form.

According to Abdrasilov, although the installation of the certificate has been suspended, it has already been implemented in all state bodies and will probably be mandatory for citizens only in the event of, for example, a civil war or conflicts.

According to the Cybershield of Kazakhstan concept, the share of use of domestic security certificates in 2019 in .rz and .kaz domain areas will amount to 40 per cent, in 2020 – 60 per cent, in 2021 – 80 per cent, and in 2022 – 100 per cent.

But, according to expert Viktor Pyagai from the international university of information technologies, there are no conditions for independent internet in Kazakhstan and many services use foreign servers.

“Kaznet cannot provide enough resources to a modern man. Even if there are local alternatives to the largest services such as Instagram, YouTube, Coursera, etc., people won’t use them because the majority is looking for international content and wants to meet people from other countries,” Pyagai said.

By the way, Kazakhstan has made many attempts to develop its own streaming services and social media, but they are not very popular.

According to the expert, further restriction of content and censorship may lead to significant social tensions and to economic consequences.

“All systems of international bank payments belong to other countries, while big businesses use them for their activities. After all, if people have some spare time they used to spend on the internet, they will use it to go outside,” Pyagai said.

Main photo: www.elbacity.press

This article was prepared as part of the Giving Voice, Driving Change – from the Borderland to the Steppes Project implemented with the financial support of the Foreign Ministry of Norway. The opinions expressed in the article do not reflect the position of the editorial or donor.

If you have found a spelling error, please, notify us by selecting that text and pressing Ctrl+Enter.

Spelling error report

The following text will be sent to our editors: