In an unusually direct attack on online privacy and free speech, the ruling regime of Kazakhstan appears to have mandated the country's telecommunications operators to intercept citizens' Internet traffic using a government-issued certificate starting on January 1, 2016. The press release announcing the new measure was published last week by Kazakhtelecom JSC, the nation's largest telecommunications company, but appears to have been taken down days later—the link above comes courtesy of the Internet Archive, which never forgets. It is unclear whether the retracted press release indicates that Kazakhstan's ruling regime has abandoned the plan in response to widespread criticism, or is simply planning to carry it out at some later date, once attention has died down.
The measure's apparent authority is the country’s new communications law. EFF’s analysis of the law finds plenty of vague language that could be used to justify this kind of mass surveillance, but nothing that explicitly requires government-issued certificates.
If the country's ruling regime were to successfully implement this plan, it would be able to snoop on, impersonate, and alter the online communications of anyone within its borders—effectively performing a Man in the Middle attack on its entire population. Operating systems and browsers maintain their own list of legitimate root certificates that come bundled with their software. Because of this, it is difficult for ordinary attackers to pull off a Man in the Middle attack successfully on encrypted Internet connections—they have to both be situated in a privileged position within the network (between the user and the remote server) and be in possession of a certificate for the server being accessed that is signed by one of those trusted roots. This plan circumvents that difficulty by forcing citizens to install a root certificate, described in the press release as a "national security certificate" generated by the government to spy on them, and forcing the telecommunications operators to intercept users' connections and serve them encrypted connections using certificates issued under this root rather than the legitimate ones.
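The interception described above has a detectable signature: the chain a client receives terminates in the installed "national security" root rather than the legitimate one, even though the operating system's verification passes. The following is an added example, not code from the EFF post or from anyone described in it, showing how a client can catch that from the defender's side by pinning the expected certificate fingerprint and issuer for a host and comparing what the TLS handshake actually returned. The host name `example.org`, the issuer names, the DER byte strings and the pins are all constructed placeholders for this example; `live_check()` only wraps Python's standard `ssl` and `socket` modules and is never called by the offline demonstration.

```python
"""Detect a TLS chain that ends in an unexpected root (added example)."""
import hashlib
import socket
import ssl
from typing import Dict, List, Optional, Set

# Constructed stand-ins for DER-encoded certificates. Real DER bytes would come
# from ssl's getpeercert(binary_form=True); these exist only so the example runs
# offline and the fingerprints are reproducible.
LEGIT_DER = b"constructed-der-for-legitimate-example.org-cert"
MITM_DER = b"constructed-der-for-intercepting-example.org-cert"

# Constructed dicts in the shape returned by ssl.SSLSocket.getpeercert():
# 'issuer' is a tuple of relative distinguished names, each a tuple of pairs.
LEGIT_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "issuer": ((("organizationName", "Constructed Public CA"),),
               (("commonName", "Constructed Public CA Root"),)),
}
MITM_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "issuer": ((("organizationName", "Constructed State Operator"),),
               (("commonName", "Constructed National Security Root"),)),
}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 hex digest of a certificate's DER encoding (a standard pin)."""
    return hashlib.sha256(der_cert).hexdigest()


# Pins the client ships with: the fingerprint(s) it expects for each host and
# the issuer commonNames it expects to see. Derived from the constructed data.
PINS: Dict[str, Set[str]] = {"example.org": {fingerprint(LEGIT_DER)}}
EXPECTED_ISSUERS: Set[str] = {"Constructed Public CA Root"}


def issuer_cn(cert: dict) -> Optional[str]:
    """Pull the issuer commonName out of a getpeercert()-shaped dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def check_cert(host: str, cert: dict, der_cert: bytes,
               pins: Dict[str, Set[str]], expected_issuers: Set[str]) -> List[str]:
    """Return findings for a presented certificate; an empty list is clean.

    Two independent checks: the DER fingerprint must match a pin for the host,
    and the issuer must be one the client expects. An injected root fails both,
    regardless of whether the OS trust store says the chain is valid.
    """
    findings = []
    fp = fingerprint(der_cert)
    host_pins = pins.get(host)
    if host_pins is not None and fp not in host_pins:
        findings.append(f"{host}: fingerprint {fp[:16]}... does not match any pin")
    cn = issuer_cn(cert)
    if cn is None or cn not in expected_issuers:
        findings.append(f"{host}: unexpected issuer {cn!r}")
    return findings


def live_check(host: str, port: int = 443, timeout: float = 5.0) -> List[str]:
    """Connect to a real host and run check_cert() on the certificate it serves.

    create_default_context() verifies against the system trust store, so a
    chain signed by an installed government root passes that step; the pin and
    issuer checks are what surface the substitution. Not called in the demo.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            der = tls.getpeercert(binary_form=True)
    return check_cert(host, cert, der, PINS, EXPECTED_ISSUERS)


if __name__ == "__main__":
    # Offline demonstration on the constructed certificates.
    print("legitimate:", check_cert("example.org", LEGIT_CERT, LEGIT_DER,
                                    PINS, EXPECTED_ISSUERS))
    print("intercepted:", check_cert("example.org", MITM_CERT, MITM_DER,
                                     PINS, EXPECTED_ISSUERS))
```

The legitimate chain produces no findings; the substituted one is reported twice, once for the fingerprint and once for the issuer. In a real deployment the pins would be shipped with the client (or fetched over an already-pinned channel) and refreshed before the pinned certificates rotate, since a stale pin produces the same alarm as an interception.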
The press release explains that users will be provided detailed instructions on how to install the certificate on all devices they own, effectively forcing the people of Kazakhstan to enable their own surveillance. It is unclear what would happen to individuals if they refuse, but we assume that at the very least, the encrypted services they use would become unavailable when the ruling regime flipped the switch and started actively intercepting communications.
Freedom House ranks Kazakhstan’s level of press freedom at 85 out of 100, near the bottom of the barrel. EFF is currently representing online newspaper Respublika in its ongoing battle with Kazakhstan's ruling regime, which is trying to use a U.S. court order to censor stories that are critical of President Nursultan Nazarbayev’s administration. When it’s not bullying independent newspapers, the Kazakhstan ruling regime has shown a strong interest in intrusive surveillance. Notably, it is a customer of the infamous surveillance malware vendor Hacking Team. EFF expects that this is not the last we’ll hear about Kazakhstan’s plans for widespread Internet censorship and surveillance. We will be monitoring the situation closely.