Web browsing giants Google, Mozilla, and Apple pushed back last week on the Kazakh government’s attempt to peer into user activity in the country, a move that may restore trust in the U.S.-based applications but still raises concerns regarding the authorities’ reach into internet traffic.
In late July, Kazakhstan’s government urged its residents to install a certificate that would allow state agencies, chiefly the main telecoms company and the security service, to intercept internet traffic. For mobile data, the government asked users to install an app that would bypass encryption (marked as HTTPS in browsers). Beyond traffic, the system would be also able to read passwords, credit card information, and other sensitive private communication.
Once the security breach was detected by monitors and users in Kazakhstan and across the world, messages spread fast urging people to avoid installing the certificate and simply use other services. The move to intercept sensitive information sent through secure channels online is Kazakhstan’s government’s second attempt after diplomatic missions, banks and other private businesses pushed back in 2015.
An investigation on the website issuing the official certificate, the Qaznet Trust Network, found that the owner of the website was a public official, possibly linked to the security service.
Weeks later, the KNB, Kazakhstan’s security service, said it halted the unsecure “security certificate,” calling it a pilot program aimed to protect government agencies from cyberattacks. Technically, the certificate represented a “man in the middle attack,” or MitM in internet jargon. The government was effectively breaching the security of internet users within the country intentionally.
On August 21, Mozilla and Google jointly announced that they would take additional measures to ensure that traffic through their browsers would not be intercepted by Kazakhstan’s authorities. The communication was published online in English, Russian, and Kazakh. The measure represents a strong pushback on Kazakhstan’s snooping intentions.
“Firefox, together with Chrome, will block the use of the Kazakhstan root CA certificate. This means that it will not be trusted by Firefox even if the user has installed it,” another Mozilla communique said. “We believe this is the appropriate response because users in Kazakhstan are not being given a meaningful choice over whether to install the certificate and because this attack undermines the integrity of a critical network security mechanism.”
News outlets said that Apple’s Safari browser followed suit and also took measures to block Kazakhstan’s spying tool. A group of lawyers in Kazakhstan sued mobile operators for having urged the installation of the Qaznet Trust Network certificate on smartphones.
Anti-censorship watchdogs urged users in Kazakhstan to browse the internet through virtual networks (VPNs) and high-security programs such as Tor.
U.S.-based watchdog Freedom House rates Kazakhstan as “not free,” with an Internet Freedom Score of 62/100, faring worse than Azerbaijan and Zimbabwe, and just marginally better than Russia and Turkey.
Kazakhstan has repeatedly tried to censor the web or to control internet activity within the country. And while always justified by security reasons, the fact that these peculiar measures are not deployed in most other countries begs the question of whom Kazakhstan’s authorities identify as the threat to national security.
After a push for the spreading of local culture in the Kazakh language through the WordPress blogging platform about a decade ago, the government blocked access to WordPress and other popular platforms for years, again due to vague security reasons.
After ex-banker Mukhtar Ablyazov was released from prison in France, his live feeds on YouTube and Facebook calling for Kazakhstan’s citizens to unite under the banner of his DVK movement resulted in these social media platforms being blocked every evening.
Kazakhstan’s new president, Kassym-Jomart Tokayev, said he personally ordered the implementation of the pilot program, which was heralded as a success. While few doubt that the order came from the top, many question whether this was a honest attempt to secure government websites from cyberattacks or just a trial of an upcoming crackdown on online freedom.