Is Kazakhstan snooping agenda that serious?

A digital security certificate devised by authorities in Kazakhstan to generate detailed logs of what people are doing online is the talk of the internet. But it may never get off the ground.  

This past week, tech websites and media watchdogs have been sounding the alarm over Qaznet, an initiative that the government says is intended to protect personal data and limit access to banned content.

Critics, however, describe the proposed gateway as a sly attempt to enable universal snooping and prying state agents access to that same personal data. 

So what exactly is Qaznet?

That question was on many people’s lips last week, when mobile internet users in the capital, Nur-Sultan (formerly Astana), began to report that they were being redirected to a website from which they were told they could download the security certificate. 

There is considerable misunderstanding about quite how mandatory this actually is. Tech websites talked about all Kazakhs being “forced” to download the certificate, but the ultimatum is not so clear-cut.

One major mobile service provider, Kcell, limited itself to describing the certificate as “a necessity” on its website.

Qaznet is “an effective tool for protecting the country’s information space from hackers, internet fraudsters and other types of cyber threats,” the provider said.

The certificate has been cast as a panacea to two genuinely recurrent problems for Kazakhstan – the theft of personal data and of bank funds.

Providers have said that users who fail to install the certificate may experience “technical limitations” in accessing “certain internet resources.”

With providers in the role of would-be enforcers, the government is playing the good cop.

Speaking to journalists on July 24, Digital Development Minister Askar Zhumagaliyev compared the root certificate to “parental control” and stressed that downloading Qaznet was the user’s choice.

He would certainly download the certificate, he said, “because I worry about my children.”

Zhumagaliyev did not say whether or not Qaznet would eventually become compulsory.  

Kazakhstan's battle to control user traffic is not new. 

At the end of 2016, there was a similar wave of online furore when state-owned Kazakhtelecom said it had been obliged by law to make access dependent on users attaching their devices to a certificate. 

The Register, a British tech-focused website, fumed at the crudeness of the surveillance attempt.

The certificate would “trick web browsers and other apps into trusting the telco's systems that masquerade as legit websites, such as Google.com or Facebook.com,” the website said.

“Rather than connect directly to those sites, browsers will really be talking to malicious man-in-the-middle servers,” The Register cautioned.

In the event though, that effort fell flat.  

As did, seemingly, a separate provider-led drive to get all citizens to register their SIM cards and devices together at the end of last year. (This too was characterized as a crime-busting initiative).

Users received repeated SMS messages that their “connections could be limited” if they did not obey the summons to register by sending in their ID details.

Plenty of customers complied, but those that did not found that they were able to continue using their SIM cards without interruption anyway. By the following spring, the threatening SMS messages had tailed off.

Motivating people to download Qaznet without cutting access as punishment for not doing so is only part of the problem. 

If companies like Google that run major browsers reject the certificate, Kazakh users that use it will lose access to those browsers.

This would be an unpopular move in a place which has, like the rest of the world, embraced the online world with such fervor.

MIT Technology Review, another tech website, reported that one well-known browser developer, Mozilla, is already considering that step.  

A final consideration is the security of Qaznet itself, given that any hack would potentially give a third party access to millions of users’ personal data. 

So far, little is known about the certificate’s developer.

Independent news outlet Vlast.kz found that the website from which users are being invited to download the certificate was registered just a month ago, to a government address and an individual called Askar Dyussekayev.

When journalists asked Zhumagaliyev, the minister, about these details, he admitted he did not know too much.

“You should ask the owners of the website,” he was quoted as saying by Forbes.kz.