Kazakhstan: Authorities finishing testing of web traffic spy tool


NUR-SULTAN (TCA) — Kazakhstan’s security service said it will finish testing an encryption-busting root certificate on August 7 that critics say allows it to spy on user activity on the Internet, RFE/RL’s Kazakh Service reported.

Kazakhstan’s National Security Committee (KNB) insists that “testing” of the Qaznet Trust Certificate in the nation’s capital Nur-Sultan has “created a system to prevent cyberthreats,” according to an August 6 statement.

The KNB said it intends to use the system in the future “in the event of a threat to national security in the form of cyber and information attacks.”

Citizens of the country would then receive “prior notice.”

The KNB also vowed to post on its website “instructions for removing the security certificate from personal devices.”

Since July, Internet users across Kazakhstan have been receiving messages from telecom operators asking them to install the “security certificate” called Qaznet on their smartphones, computers, and other devices connected to the Internet.

Users who refused to install the root certificate reported difficulties with access, in particular to social networks and instant messengers.

Tech websites and human rights defenders have been sounding the alarm over Qaznet, which the government said was intended to limit access to banned content, combat cyberattacks, and protect personal data.

Critics described the initiative as an attempt by authorities to spy on the web communications of citizens, access their personal data, increase censorship and essentially control the Internet.

According to a report published on July 23 by Censored Planet, a project at the University of Michigan, users “should not install” the root certificates because “it opens them up to having their otherwise secure communication intercepted or modified without their knowledge.”

According to the research, which was carried out between July 17 and 20, the interception targeted connections to 37 domains, including Facebook, Twitter, and YouTube, as well as e-mail and messaging tools and Google services including Docs, Hangouts, and News.

Internet service providers “telling users to install the Kazakhstan root certificate claim that it can help protect against fraudsters, hacking attempts, and illegal content. However, this list of domains suggests that the actual intention is instead to surveil users on social networking and communication sites.”

According to Shavkat Sabirov, president of the Internet Association of Kazakhstan, root certificates are not foolproof and their use could backfire.

He said that on a global level, “it is already recognized that this is an unsuccessful and even a terrible attempt to work in a safe mode” because if the certificate is stolen or hacked, “the attackers will get absolutely all the information about users’ data.”

Sergey Kwan