Kazakhstan’s new online safety tool raises privacy concerns

The Kazakhstan government has started instructing Internet service providers (ISPs) to force users to install a new security certificate. 

The government-issued certificate will allow government agencies to decrypt users’ HTTPS internet traffic, examine its content and then re-encrypt it with their certificate before being sent to its destination. 

Since Wednesday 17, 2019, Kazakh internet users have been redirected to web pages that contain instructions on how to install the new certificate, whilst some new users received text messages requesting them to do so. 

Officials from the Ministry of Digital Development, Innovation and Aerospace stated that the new measure was “aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats”. 

The new certificate not only raises privacy issues but security issues, as anyone who gains control of the certificate will be able to view the encrypted personal information from Kazakh internet users. 

Kcell JSC, a Kazakh-based provider, said in an advisory:

“The security certificate will help protect the information systems and data, as well as to detect hacker and cyber-attacks of the Internet fraudsters on the country’s information space, private and banking sector before they can cause damage.

“The security certificate is a set of digital characters used to transfer traffic that contains protocols supporting encryption. Thus, it will allow local Internet users to be protected from hacker attacks and viewing illegal content.”

Ablaikhan Ospanov, the Vice-minister of Digital Development, stated that the certificate was optional, however many critics remain unconvinced. 

Paul Bischoff from Comparitech emphasised that the move was about surveillance and not security. Bischoff encouraged Mozilla and other browsers to ban the certificate. 

“This ia man-in-the-middle attack at nation-state scale.”

Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.