Internet access has increased significantly over the past decade. According to the most recent official data, 88.2 percent of the population used the internet in 2020, a 4 percent increase over 2019. In April 2021, the state statistics agency reported a 4.1 percent rise in the number of fixed-line internet subscriptions relative to 2020, with 92.4 percent of households being connected to the internet; 90.6 percent were connected via broadband in 2020, compared to 90.3 percent in 2019. Additionally, the country had a 128 percent mobile penetration rate.1

The government’s Digital Kazakhstan program has already met its goal of increasing the internet penetration rate to 82.3 percent by 2022.2 While the country’s mobile networks continue to expand, the 2021 edition of the Economist Intelligence Unit’s Inclusive Internet Index reported that fourth-generation (4G) mobile services were available to only 73.7 percent of the population.3 Several mobile service providers piloted fifth-generation services during the coverage period. In March 2021, a vice minister responsible for digital development reported that the first 5G network may be launched in Nur-Sultan in 2021, but there were no updates by the end of the coverage period.4

According to February 2021 testing data from Ookla, the average download speed of a fixed-line connection in Kazakhstan was 53.06 megabits per second (Mbps), an increase compared to 2020, while the average mobile download speed was 19.94 Mbps, which is slightly lower than the previous year.5 Connection speeds in Kazakhstan compare favorably to those of other Central Asian countries.

Most people access the internet from their mobile devices at home and at work, and in various public places in cities where high-speed internet is often available free of charge via Wi-Fi hotspots at cafés and libraries. Free Wi-Fi access is provided in public transport and open spaces in many cities, including Almaty6 and Pavlodar.7

Both mobile and fixed-line internet connections remain relatively affordable, though some studies have shown that they are less affordable than in recent years. According to the 2021 edition of the Inclusive Internet Index, a monthly fixed-line broadband subscription cost around 0.88 percent of gross national income (GNI) per capita.8 Per 2020 data from the International Telecommunication Union (ITU), a monthly mobile data subscription offering 1.5 GB of data cost 0.36 percent of GNI per capita.9 The 2021 Inclusive Internet Index, meanwhile, placed Kazakhstan in 68th place in terms of overall affordability, a decline from 65th in 2020.10 On the other hand, an early 2021 study from UK-based Cable ranked Kazakhstan 6th in the list of countries with the least expensive mobile-internet plans, when measuring the average price of 1 GB of data.11

An overall economic downturn associated with the COVID-19 pandemic12 negatively affected affordability, even though service providers had not raised prices by the end of the coverage period. The government also distributed cash payments to compensate citizens for lost income. However, citizens had to apply for these payments online, creating difficulties for those without digital skills or reliable internet access.13

Many operators provide free, unbilled access to popular social media platforms and messaging apps as part of prepaid plans. In addition, amid the COVID-19 pandemic, all major mobile service providers offered free, unbilled access to online educational resources,14 and in some cases they allowed their subscribers to access internet resources even if subscribers could not pay their account balances.15

Internet access is more limited in rural areas, where about 42 percent of the population resides as of 2020.16 As part of the Digital Kazakhstan program, the government pledged in late 2018 to invest 60 billion tenge ($160 million) in fixed-line internet connections for villages, benefiting 2.4 million rural residents over three years. This work, performed via public-private partnership schemes, is under way to connect one-third of all villages via fiber-optic technology and the rest via WiMax (Worldwide Interoperability for Microwave Access) base stations.17 Prices for the connections in villages are expected to match those in cities,18 despite the fact that the average monthly salary is substantially lower in the countryside. In October 2020, mobile service providers agreed to share network infrastructure to facilitate wider rural access.19

Internet access is distributed relatively evenly across Kazakhstan’s ethnic communities. All public institutions are required to provide at least Kazakh and Russian versions of their websites, and many private-sector entities follow this example. The country has started transitioning from the Cyrillic alphabet to the Latin alphabet, with the stated aim of modernizing the Kazakh language by reducing the number of letters and making it compatible with most encoding and fonts for digital communications.20

Gender does not seem to be a barrier to internet access in Kazakhstan.21

Score Change: The score improved from 1 to 2 to reflect the shorter duration and limited geographical coverage of network disruptions, compared to past years.

During the coverage period, connections were repeatedly limited or disabled locally in an apparent attempt to prevent political protests or the dissemination of information about them. These disruptions often only impact areas immediately surrounding protests. The practice of throttling social media platforms has become common, but episodes are typically brief or localized, allowing them to remain important forums for online discussion.

In April 2021, mobile internet access was locally disabled in Almaty during a rally, organized by the unregistered Democratic Party of Kazakhstan, opposing the government’s plan to build factories in cooperation with Chinese companies.22 In March 2021, a Mediazona reporter noted that mobile internet access was also limited in Almaty during a feminist rally held on International Women’s Day.23 In January 2021, mobile communications were disrupted in Almaty during protests over the validity of that month’s parliamentary elections.24 In Nur-Sultan, the authorities restricted access in October 2020, as a rally calling for democratic reforms and the release of political prisoners was held.25

In December 2020, the Ministry of Digital Development, Innovation and Aerospace Industry (MDDIAI) and National Security Committee (NSC) launched the “Cybersecurity Nur-Sultan 2020” drill,26 which mandated the installation of the National Security Certificate, a root certificate that could allow the government to spy on web traffic and conduct MITM attacks, for users in Nur-Sultan. Users who did not install the certificate reported problems accessing foreign websites and social media, including Facebook, Netflix, Twitter, and YouTube, during the six-day drill (see B1, C5, and C6). Schoolchildren studying remotely due to COVID-19 restrictions were unable to attend classes via international videoconferencing platforms and submit assignments, and shops had problems processing card payments.27 The government had previously tried to compel users to install root certificates in 2015 and 2019.28 After receiving complaints from users, the government refuted accusations that the installation of the certificate was linked to the January 2021 parliamentary elections.29 In October 2020, users also had issues accessing Kazakhstan-based websites and international social media platforms. The state claimed it was conducting “unscheduled work… on the equipment of the State Technical Service” in Almaty, Aktobe, Atyrau, and Nur-Sultan (see B1).30

Certain legal mechanisms allow the government to suspend telecommunications networks at will. According to a 2018 decree, the Ministry of Defense, the Ministry of Internal Affairs, the Prosecutor General’s Office, and the NSC have priority access to telecommunications networks as well as the right to suspend those networks in an emergency, or the risk thereof. Experts have voiced concerns about the decree’s vague terminology—particularly “social emergency situation” and “risk of emergency situation.”31 The decree does not specify limits on the duration of network suspensions.

The NSC has controlled STS, the main body to centralize telecommunication networks and internet exchange points (IXPs), since 2017,32 assuming the authority to block content and disrupt internet networks for investigative purposes and to “prevent crimes.” However, in October 2020, the STS was reorganized into a state-owned joint-stock company,33 with two independent directors joining its board.34 The STS still has the legal authority to censor content and restrict connectivity.35 The government cited deregulation as the official reasoning for the STS’s reorganization.36

The NSC can act without a court order, though it must notify other state bodies within 24 hours.37 In 2017, the NSC and a number of other state entities adopted new rules for blocking or suspending networks, information and communication technology (ICT) resources, and other web resources. The rules are classified.38

A 2016 law empowers the NSC to suspend “networks and means of communication and access to the internet” in “urgent cases that may result in commitment of grave or especially grave crimes.” The NSC is not required to obtain prior approval to do so and can subsequently inform the Prosecutor General’s Office and the relevant regulator—the MDDIAI, as of 2020.39

Since 2014, the Prosecutor General's Office has also been authorized to issue orders to shut down communications services without a court order if “networks are used for felonious aims to damage interests of individuals, society or state,” including the dissemination of illegal information and calls for extremism, terrorism, mass riots, or participation in unauthorized public gatherings.40 Orders must be executed by either telecommunications companies or the STS within three hours.

In 2012, amendments to the Law on National Security allowed the government to forcibly suspend telecommunications during antiterrorist or riot-suppression operations.41

The government centralizes internet infrastructure in a way that facilitates control of content and surveillance. State-owned Kazakhtelecom, through its operations and through subsidiaries, holds a de facto monopoly on the country’s backbone internet infrastructure. The state supervision of the STS allows the authorities to exercise control over peering centers and international gateways.42 Amendments enacted in 2017 made the management of cross-border IXPs a state monopoly in the name of “information security.”43 In February 2019, KazNIC, the nonprofit registry for the country’s .kz domain, announced the launch of an independent IXP, but it offers peering only of domestic, not international, traffic.44

While the government does not actively keep new players out of the ICT market, it did little to prevent the merger of Kazakhtelecom with two major mobile service providers in 2019, securing a large share in the mobile market.45 Kazakhtelecom’s only major competitor is the foreign-owned firm Beeline Kazakhstan, which commanded 40 percent of the mobile market at the end of 2020.46

There are several significant internet service providers (ISPs) in Kazakhstan, but Kazakhtelecom holds a dominant market position. As of July 2020, it controlled 76 percent of the fixed-line market and 61 percent of the mobile market.47 It also fully or partially owns a number of other backbone and downstream ISPs. The state owns 45.9 percent of Kazakhtelecom through Samruk-Kazyna, its sovereign wealth fund.48 Skyline Investment Company, a Luxembourg-incorporated firm whose beneficial owners are linked to the Nazarbayev family,49 owns an additional 22 percent of Kazakhtelecom.50

All mobile operators were given the right in 2016 to offer 4G services.51 Since mid-2018, the government and mobile service providers have been moving toward the introduction of 5G services; pilot tests have taken place in Almaty and Nur-Sultan.52 Kazakhtelecom indicated its intention to become the sole 5G provider in Kazakhstan,53 but Beeline had been lobbying for an even field for all operators. In October 2019, Beeline launched a 5G trial in Shymkent54 with Huawei.55

Companies providing telecommunications services require an operating license from the MDDIAI’s Telecommunications Committee under the Law on Permissions and Notifications.56 The Law on National Security limits foreign ownership of companies providing telecommunications services.57 Moreover, these companies are required to purchase and install equipment related to the state’s System for Operational Investigative Measures (SORM), a lawful interception apparatus (see C5), and to bear costs related to data-retention obligations (see C6). These companies are also required to cover costs related to the database of international mobile equipment identity (IMEI) codes (see C4)58 and to pay regular fees to the State Radio Frequency Service, the IMEI database operator. These obligations may deter new players from entering the ICT market.

No special licensing is required for businesses that decide to set up Wi-Fi hotspots.

The MDDIAI is responsible for the telecommunications sector (including ICT infrastructure), e-government, and cybersecurity. The Ministry of Information and Social Development (MISD) oversees mass media, including online content. Until the first half of 2019, both online content and the telecommunications sector were supervised by the now-defunct Ministry of Information and Communication (MIC).59 Ministers are nominated by the prime minister and appointed by the president. The ministries’ operations are not transparent or subject to independent oversight.

The NSC has increased its power to make decisions about ICT infrastructure and online content. In 2018, a cybersecurity entity called the National Coordination Center for Information Security was launched under the NSC’s supervision;60 its workings remained secret. The leadership of the NSC is appointed by the president in coordination with the chair of the Security Council, a position occupied by former president Nursultan Nazarbayev for life.61

The .kz country domain is managed by the nonprofit KazNIC registry. The Kazakhstan Association of IT Companies administers domain names and regulates KazNIC tariffs. A 2015 law granted the government the power to appoint both the registrar and the domain name administrator. Though the government did not immediately dismiss or move incumbent personnel, some experts expressed concern that this power may be abused.62

The government has extensive authority to block online content, and can compel ISPs to restrict access to “unlawful materials.” If ISPs fail to block content in a timely manner, the STS restricts access directly and the ISPs may face fines.

There are no publicly available data on the overall extent of state censorship. The MISD, responding to an access to information inquiry, specified that 3,765 webpages were blocked by government order and 32 were blocked by court order in 2020; 2,242 were blocked for violence, suicide, or pornography, 206 for terrorism and extremism, and 31 for sharing patently false information. Also, in 2020, the regulator extrajudicially restricted circumvention tools, blocking 148.63 According to Internet Freedom Kazakhstan, an independent advocacy group, more than 56,900 international and Kazakhstani domains were blacklisted as of April 2021.64

Users who wish to circumvent censorship still use virtual private networks (VPNs), although many anonymizing tools are blocked, and other tools frequently experience service problems (see C4).65 The authorities have confirmed that they can block VPNs using court decisions or orders from the MISD (see B3).66

In March 2021, lalafo.kg, a Kyrgyzstani marketplace, was collaterally blocked, because its internet protocol (IP) address appeared to be identical to the IP address of a pornographic website, which demonstrates that the current approach to blocking is imperfect.67

In February 2021, the MDDIAI issued an order to block pana-defenders.info, a website for human rights defenders, under Article 274 of the criminal code for allegedly disseminating of false information about a court decision, although the decision was readily available on the official court database.68 The coalition plans to challenge the blocking in court.

In December 2020, the government attempted to force people in Nur-Sultan to install the National Security Certificate, which allows the government to surveil HTTPS traffic; users who did not comply encountered difficulty accessing foreign websites and social media platforms (see A3, C5, and C6). In October 2020, users in Almaty, Aktobe, Atyrau, and Nur-Sultan also had trouble accessing certain social media platforms, which the state blamed on maintenance (see A3). 69

In June 2020, when Aktobe City Court ordered the blocking of a satirical article, along with several more items, on Medium, the IP-based restriction resulted in the full blocking of the popular blogging platform. Users challenged the decision in December 2020, but an appeals court upheld the lower court’s decision. In early 2021, Medium made the article in question inaccessible from Kazakhstan.70 As of April 2021, the website was accessible in Kazakhstan.

The authorities blocked or interfered with social media platforms and messaging apps several times during the coverage period. ISPs and authorities have typically attributed disruptions to ill-explained technical issues. These restrictions have typically taken place during antigovernment demonstrations and emergency situations (see A3). In June 2020, Information Minister Aida Balayeva said the government would apply harsh restrictive measures against Telegram channels that disseminate content that poses a national security threat.71

Petition website Change.org remained inaccessible during the coverage period, but Avaaz.org was unblocked and actively used in Kazakhstan. Both sites were blocked in previous years for hosting open letters that condemned government policies.72 International media outlets like the Daily Mail, Kyrgyzstani outlet Kloop, and Russian-language news site Meduza, remained inaccessible during the coverage period.

SoundCloud, a platform for podcasts and music, was blocked in 2018 for hosting extremist and terrorist materials. Local advocacy organization Internet Freedom Kazakhstan urged authorities to unblock it. The MISD ran tests on the platform and restored access to it in October 2019 upon finding no traces of illegal content.73 This case demonstrates one imperfection of the current practice of website blocking: entire platforms are often blocked for isolated posts or accounts, with the platforms remaining inaccessible even when these posts or accounts have been removed.

Hosting websites, including Archive.org and Issuu, were intermittently or permanently unavailable during the coverage period.

The authorities use various nontechnical means to enforce the removal of content, including direct pressure on outlets to take down specific material and similar requests aimed at international social media platforms. There is no up-to-date information on the number of removals, though sporadic reports are made. In November 2019, the MISD revealed that more than 25,000 “illegal materials” were deleted by website owners or administrators that year to date.74 The government has not disclosed more recent statistics.

The Aktobe City Court’s decision to block a number of articles on blog platform Medium (see B1) caused the full blocking of the website, leaving other articles inaccessible.75

Facebook and Twitter’s transparency reports have no record of removal requests from the Kazakhstani government in 2020.76 However, during that period, Google received 96 takedown requests from the authorities, almost twice as many as in 2019. The requests mostly concerned materials criticizing the government or those that threatened national security—targeting 8,685 items. In the first half of 2020, Google removed 3.8 percent of the 4,925 items, keeping 95.7 percent up and in the second half of the year, it removed 1.1 percent of the 3,760 items, taking no action on 98.4 percent.77

Tilda, a Russia-based platform for designing and hosting websites, was blocked in July 2019 in a bid to remove pornographic content from a single site.78 Some 42,000 websites—including those of independent news outlets, businesses, and nonprofits—were blocked at once, as they shared the IP addresses of Tilda’s cloud hosting service. Tilda released a statement saying the company would cooperate with government requests to remove illegal content but had not received any requests from Kazakhstani authorities.79 When access to Tilda was restored after about a week, the allegedly pornographic website was no longer accessible. In February 2021, Kazakhstani authorities warned that all websites registered in the .kz domain must adhere to the September 2020 amendments to the Rules of Registration, Use and Distribution of .kz and .ҚАЗ domain names and be hosted on Kazakhstani servers. Tilda informed clients in Kazakhstan that it had complied with legislation and landed Kazakhstan-based websites on servers inside the country (see B3 and C6).80

In 2016, the MIC adopted new rules for the monitoring of media, including social media, using the planned Automated System of Monitoring the National Information Space81 to uncover illegal content online. The authorities have continued to conduct manual monitoring since then,82 and development began in 2017.83 It is unclear when the system, which reportedly cost $4.5 million,84 was launched, but it was already operational in 2020, according to the government’s response to an access to information request.

While the legal framework and procedures for blocking websites and removing content did not fundamentally change during the coverage period, the government has greatly expanded its authority to censor the internet in recent years, and extralegal blocking remains a common practice. All website blocking and content removal procedures lack transparency.

Under amendments made in September 2020, websites in the .kz and .ҚАЗ domain names can be suspended if they are physically hosted outside of Kazakhstan, do not have a safety certificate (see B2 and C6), or their software is hosted outside of Kazakhstan.85 In December 2020, the regulator said the amendments were needed to manage domestic data centers’ workload and to pursue “digital sovereignty.”86

The MISD has repeatedly declared that in the event that certain websites are inaccessible, users should blame ISPs.87 For their part, ISPs do not accept blame for website blocking; the STS has the ability to block websites directly on its own.

According to the Mass Media Law,88 all internet resources, including websites and pages on social media platforms, are considered media outlets. Under 2014 amendments to the law, the Prosecutor General’s Office is authorized to order ISPs to block content without a court order. ISPs must comply with such requests until the website owner deletes the content in question. The law provides no leeway for an ISP to reject the order or for the website owner to appeal.89 In 2016, the MIC gained the authority to issue takedown and blocking orders until website owners remove specific content. The NSC has the right to suspend access to websites or information they host “in cases of emergency that may result in criminal actions” autonomously and need only notify the Prosecutor General’s Office and regulator afterward.

By equating all internet resources with media outlets, the Mass Media Law makes web publishers—including bloggers and social media users—liable for the content they post, but the law does not specify whether publishers are responsible for content posted by third parties. In 2015, the MIC stated that social media users could be held liable for extremist comments posted on their pages by third parties, as permitting the publication of extremist materials in a mass media outlet is an offense under the criminal code that can be punished with up to 90 days in jail.

Amendments to the Communications Law in 2016 obliged ISPs to monitor content passing through their networks and to decide whether to restrict any problematic material.90 The amendments do not specify how ISPs are to carry out this obligation. The administrative code, in force since 2016, imposes fines on ISPs for not complying with censorship orders.91

In order to avoid having a website or page permanently blocked and to escape legal liability, owners of internet resources must remove content that is deemed extremist or is otherwise banned. Once illegal content is identified, ISPs and the STS must suspend access to the entire website within three hours. The party responsible for the content then receives a request for its removal; if the party complies, ISPs and the STS must unblock the website.92

Websites can also be blocked by court order, even in the absence of the defendant’s representative. No notification—to the public or the website owner—about the reason for the blocking is required. The courts frequently issue orders to block websites, banning dozens at a time, mostly on the grounds of religious extremism. The appeals procedure is opaque. An individual must apply for judicial approval simply to view court rulings on blocking cases.93

In 2017, the MIC launched a pilot version of a blocked websites roster, which users could check to determine whether a website was blocked by a court decision or government order, or to complain about disturbing online content.94 Many blocked websites were not listed.

In March 2021, lawmaker Bakytzhan Zhumaguov urged Parliament to develop legislation regulating social media, with an aim of making users more responsible for sharing “false and dangerous information” and to “strengthen national values.” However, such legislation was not introduced by the end of the coverage period.95

Self-censorship in the media is pervasive, even among independent online news outlets, because existing legislation often contains ambiguity. The climate of self-censorship also extends to private businesses. However, after the resignation of former president Nazarbayev in 2019, many users have visibly become more outspoken in online discussions—mainly on Facebook—even as most generally avoid a range of taboo topics. Online media workers continue to test boundaries, despite facing legal harassment and real-world violence (see C3 and C7).

A 2017 law prohibits anonymous online comments (see C4).96 Although this ban is loosely observed, it limits the space for free speech on popular news sites that comply with the requirement.

The designation of the Democratic Choice of Kazakhstan (DVK) as an illegal extremist organization prohibits any mention of the banned party that does not note its status as an extremist organization.

Compared with print and broadcast media, the online media landscape in Kazakhstan is subject to less overt forms of restrictions on the free flow of information, such as progovernment propaganda and pressure to self-censor (see B4). While social media platforms remain the most liberal setting for the public exchange of news and opinions, online discourse is prone to manipulation, including by commentators paid by the government.97 According to one analysis, the activities of paid commentators (dubbed Nurbots, after former president Nazarbayev) serve to distract internet users in times of crisis and to play up the state’s successes. Three of Kazakhstan’s most popular domestic online news outlets are owned by the government, while six more have a progovernment bent, according to 2019 research from the Center for Media, Data, and Society at Central European University.98 A 2021 study showed that media consumption during the COVID-19 crisis was dominated by social media and the total number of Kazakhstani social media users increased 26 percent, amounting to 12 million people.99

During the COVID-19 pandemic, President Tokayev called on the MISD, the Prosecutor General’s Office, and other state bodies to “pay close attention to the dissemination of rumors and provocative reports.”100 The pandemic did generate a wave of misinformation,101 as local social media influencers spread conspiracy theories about COVID-19.102 In response, the MISD launched StopFake.kz, a website that aims to verify or rebut information spread online.103

Authorities have cultivated close ties to social media influencers. Some observers alleged in 2019 that Salem Social Media, a video production company in Kazakhstan helmed by a former spokesperson for the ruling Nur Otan party,104 may receive government funding105 and buy off bloggers.106 Similar practices are reportedly employed at the provincial level.107

Shortly ahead of the January 2021 elections, a few nongovernmental organizations (NGOs), including media watchdog Medianet, and independent news sites Vlast.kz and Factcheck.kz were pressured by the tax authorities for alleged violations of foreign funding procedures, which could result in paralyzing fines and potentially total shutdowns.108 The tax claims were repealed in March 2021.109

In December 2020, Facebook identified a network of 59 accounts, on both Facebook and Instagram, connected to the NSC and an antiextremism unit of a regional police department, which became active after a wave of political protests in 2019 and 2020, but was largely inactive by the time Facebook deleted it.110

In April 2019, Factcheck.kz issued a report on the government-sponsored troll farm Smmnetwork LLC. The investigation revealed the existence of a network of fake accounts that could be connected to the First President’s Foundation, a powerful state-funded institution established by former president Nazarbayev in 2000.111 According to researchers at Oxford University, the government and political parties use both automated and human-run social media accounts to amplify friendly narratives, discredit the political opposition, and distract ordinary users from sensitive issues.112

Officials, civil servants, and employees of state-owned companies are obliged to follow a set of guidelines on their use of the internet. These guidelines urge them not to post or repost materials that are critical of the government and not to “friend” the authors of such materials to preserve the image of the public sector and prevent the dissemination of false information or leaks.113

Most major nonstate online news media outlets are affiliated with government officials or business figures with ties to the government. These outlets are likely to be recipients of government procurement contracts to produce favorable reporting. Indeed, many outlets, including domestic privately owned blogging platforms, are frequent recipients of such contracts.114

In 2019, the government planned to spend nearly 36 billion tenge ($97 million) on media contracts; several billion more were to be distributed less transparently by provincial and local administrative bodies.115 Information about media contracts has since become less transparent, with no data on funding for 2020 or 2021 aside from fragmentary updates. For example, the Almaty city administration spent more than 50 million tenge ($117,000) on media contracts with just three news sites in 2020.116 The Legal Media Center, an NGO focused on media rights, sued the MIC to demand information about all media contracts, but a court rejected the case in January 2018, citing “commercial secrecy,” a talking point the MISD repeated when it faced similar questions in October 2020.117 Overall, the volume of state media contracts has exceeded the overall advertising market for several years in a row.118

Online news media are not required to register with the government. There are no serious restrictions on their access to advertising, but periodic blocking discourages businesses from placing ads on independent news sites. Furthermore, the digital media market in Kazakhstan, as in many other countries, is quite small. According to the IREX 2019 Media Sustainability Index, most media in Kazakhstan depend on financing from their founders and owners or grants from international organizations.119 Online outlets’ ability to remain in business is also limited by certain regulations, including a 20 percent cap on foreign-owned stakes in any company.120

Despite the challenging business environment for independent outlets, a small number of respected and critical websites continue to operate in Kazakhstan. The restrictions on the online media market remain less severe than those on the traditional media sector. In the 2021 Inclusive Internet Index, Kazakhstan placed 69th out of 100 countries in terms of the “existence and extent of local language content and relevant content” on the internet, which was 17 spots below its 2020 ranking.121

International social media and communications platforms are accessible and popular, although connectivity is sometimes restricted (see A3 and B1). YouTube, VK, and Wikipedia are among the top sites in Kazakhstan.122 According to a 2019 report from consulting firm Accenture Kazakhstan, more than 70 percent of Kazakhstani adults use social media platforms, with Facebook and YouTube commanding the largest audiences.123

Users can freely access most international news platforms, but only a small percentage of Kazakhstanis consume content in English. While there is much more domestic online content available in Russian than in Kazakh, including on news portals and social media, the volume of Kazakh-language content is gradually increasing.

Tools like VPNs are widely used to circumvent sporadic blocking. The 2019 Global Mobile VPN report showed a 210 percent increase in VPN use compared to the previous year,124 and there appears to be some semiofficial acknowledgment of this fact. When asked about Kazakhstan’s website blocking regime at the 2019 Eurasian Media Forum, Aleksandr Aksyutits, the head of Salem Social Media (see B5), dismissed the impact of the blocking by noting that people can use VPNs to access restricted sites.125

The use of social media platforms and other digital tools for civic and political organizing is quite limited in Kazakhstan. Popular platforms are subject to periodic restrictions, particularly ahead of and during demonstrations. Discussions of political or social issues on social media platforms are often eclipsed by sensationalist content that is widely shared online.

The authorities sometimes block messaging apps ahead of protests to prevent users from accessing group chats to coordinate protest actions, including those run by the banned opposition DVK. Informants have infiltrated critical groups on Telegram and other platforms to build cases for prosecutions. At the end of April 2019, the Prosecutor General’s Office warned that organizing “unauthorized” demonstrations on “social networks and instant messengers” constitutes a violation of Article 488 of the administrative code.126 (While President Tokayev revised the public assembly law to no longer require state authority permission for public gatherings in May 2020, local administrations must still provide approval.)

Many online petition websites remain blocked to prevent campaigning. In early 2019, the Ministry of Public Development announced its intention to create an official petition platform,127 but the process was put on hold due to a cabinet reshuffle. In February 2020, the MISD announced it was developing a service called E-petition that would enable citizens to create petitions and sign them with certified electronic signatures.128 In September 2020, President Tokayev mentioned the development of the platform in his annual address.129 In early June 2021, the MISD reported that it drafted relevant amendments to the administrative code and draft law on public oversight, but the law had not been presented to Parliament by the end of the coverage period.130

Police routinely summon activists ahead of planned protests to warn them against holding demonstrations, intimating that they will face consequences.131 For example, several activists from a grassroots proreform movement called Oyan, Kazakhstan were taken by police from their homes during the morning of March 1, 2020, the day the group had planned to stage a rally in Almaty. They were released five hours later.132

The constitution guarantees freedom of expression, but this right is qualified by other laws and severely restricted in practice by prohibitions on defamation, publication of false information, and other speech-related offenses (see C2).

Although internet resources are deemed mass media outlets, bloggers do not enjoy the same rights as journalists, and even formally employed journalists face numerous restrictions on their work. In February 2019, for example, the MIC said it would further restrict journalists’ already limited access to events at state bodies.133 Police and government supporters who harass bloggers and journalists are seldom punished and enjoy de facto immunity. Nevertheless, the government’s plan for the development of Kazakhstan’s information sphere, adopted in April 2020, envisions raising the profile of bloggers, including by according them the right to be accredited by various government institutions as well as accorded the same protections traditional journalists enjoy in some circumstances.134 The state has long been collaborating with select bloggers to generate positive coverage on social media platforms (see B5).

The president appoints all judges, and the judiciary is not independent in practice. The Constitutional Court was abolished in 1995 and replaced with the Constitutional Council, to which citizens and public associations are not eligible to submit complaints.

In September 2020, President Tokayev urged Parliament to improve legislative protection of citizens against cyberbullying.135 By the end of the coverage period, no such legislation had been introduced in Parliament.

The government uses a number of provisions in the criminal code and the code of administrative offenses to restrict forms of online expression that may be protected under international human rights standards.136 Vaguely worded legislation leaves ample space for interpreting criticism and opinions as defamation or extremism; however, during the coverage period, the government decriminalized libel.

Article 174 of the criminal code prescribes up to 20 years in prison for the incitement of class, ethnic, national, religious, or social hatred.137 Prosecutions under this provision are widespread, and human rights advocates have repeatedly voiced concerns about the lack of clarity in its terminology, especially the concept of “social” hatred.138 Article 179 prescribes 5 to 10 years in jail for “propaganda or public calls” for the seizure of power or “forcible change of the constitutional order,” when made using mass media or telecommunications, while Article 256 prescribes 7 to 12 years in jail for “public appeals to commit an act of terrorism” made through the same means.139 Article 274 prohibits the dissemination of rumors or “knowingly false information that creates the danger of disrupting public order or causing substantial harm” to citizens, organizations, or the state, which is also punishable by up to seven years in prison in the most extreme cases.140

In June 2020, President Tokayev signed into law amendments decriminalizing defamation,141 after announcing that he would do so in December 2019.142 The amendments, initially proposed in March, move defamation from Article 130 of the criminal code to the code of administrative offenses, which entails a $1,000-to-$3,500 fine or 15-to-20-day administrative detention period. If the act of defamation was made publicly, via mass media, or on ICT networks, the fine increases to between $1,200 and $4,200, and the time in detention increases to 20 to 25 days. Moreover, if the act of defamation contains accusations of corruption against a public official, the administrative detention period can reach up to 30 days. Under these amendments, Article 174 remains in the criminal code, although the word “provocation” was changed to “incitement,” and violators can face fines ranging from $13,000 to $45,000, instead of prison sentences in some cases.143

However, insult remains a crime. The criminal code provides stricter punishments for insulting state officials, judges, and lawmakers. Desecration of the president’s image and insulting the president or the president’s family members are also criminal offenses (Article 373), punishable with a fine and up to three years in prison.144 Government officials and progovernment business magnates have a history of using defamation and insult charges to punish critical reporting.

In 2015, the MIC stated that social media users could be held liable for extremist comments posted on their pages by third parties, as this may be regarded as permitting the publication of extremist materials in a mass media outlet, an offense under Article 183 of the criminal code that is punishable by up to 50 days in jail.145 Users who post or share such content may be fined for its “production, storage, import, transportation and dissemination,” and in some cases, jailed for up to 20 years under Article 174 of the criminal code.146

Individuals, including journalists, are frequently penalized for online activities. In 2020, media rights watchdog group Adil Soz recorded 58 criminal, 35 administrative, and 62 civil cases against media and individual journalists.147 The group’s statistics do not differentiate between online and offline authors.

In May 2021, Temirlan Yensebek, a blogger who ran a satirical social media account, was arrested by police for allegedly spreading “misinformation and misleading the public,” despite the fact that Yensebek deleted the account several months before he was detained.148 Yensebek was interrogated and released, but an investigation was still ongoing at the end of the coverage period and he was facing charges of “dissemination of patently false information, posing a hazard of significant damage to rights and lawful interests of citizens, society, and state.”149

In August 2020, Lukpan Akhmedyarov, a prominent independent journalist and chief editor of the Uralsk Weekly online and print newspaper in West Kazakhstan, was charged under Article 147 of the criminal code for breach of privacy after he wrote about the alleged corruption of a prosecutor.150 Akhmedyarov has faced continued legal scrutiny for his professional activity in the recent years; in February 2021, he was arrested for a solitary protest in front of a police station. Akhmedyarov was detained again that day, along with publishing editor Raul Uporov and videographer Isatay Yermekov,151 while traveling to cover the release of an activist from prison.152

In December 2020, several bloggers, including Makhambet Abzhan and Nasima Korganbekova, were summoned to the prosecutor’s office for conducting online surveys about the January 2021 parliamentary elections.153 Abhzan, who conducted his poll through Telegram, did not receive a warning, but had to sign a form clarifying that a political party did not financially support it. The law states that election-related surveys can only be conducted by institutions accredited by the Central Election Commission.154

In October 2020, blogger and activist Margulan Boranbay was arrested. The day after his arrest, the Almaty Interdistrict Investigative Court placed him under house arrest,155 ruling he violated Articles 174 and 179 of the criminal code, which concern inciting extremism and spreading propaganda about “a violent seizure of power,” respectively. His lawyer reported that he was placed in custody under charges originating from 2019 that were later suspended.156 In the early days of his house arrest, Boranbay continued to post videos on his YouTube channel. There were no other updates by the end of the coverage period.

In September 2020, ahead of protests organized by the Koshe Partiyasy (Street Party) movement, blogger and activist Aigul Utepova was arrested after she criticized the government’s COVID-19 response on Facebook.157 She was charged under Article 405/2 of the criminal code and detained on suspicion of her “implication in the illegal organization.” The authorities searched her apartment and seized her mobile phone and computer. A week later, Utepova was put under house arrest.158 In November 2020, the court agreed to the prosecutor’s request place her in a psychiatric institution for examination. Amnesty International condemned the decision, calling it an act of suppression.159 Utepova was released shortly after, but remained under house arrest.160 In April 2021, the court found her guilty of membership in prohibited political groups, sentencing her to one year of “restricted freedom,” which limits her ability to travel, forces her to regularly check in with authorities and includes a ban on “public and political activities” for two years.161

In June 2020, political activist and outspoken Facebook critic Alnur Ilyashev was tried for the dissemination of purportedly false information during the state of emergency in a lawsuit filed by Nur Otan.162 Ilyashev wrote about corruption charges against party members and about the party’s financial activity on Facebook. The lawyers representing Ilyashev stressed that their client did not post any false information. Amid numerous procedural irregularities, an Almaty district court sentenced Ilyashev to three years’ “restricted freedom” and 300 hours of forced labor. Additionally, he was banned from public activity, participation in political parties, associations, or NGOs for five years.163

The authorities are known to use terrorism and extremism charges, including “provocation of hatred” (Article 174 of the criminal code), to prosecute online activity,164 usually applying “restricted freedom,” or suspended sentences.165 Local human rights advocates have criticized the lack of expertise among judges and prosecutors evaluating extremism or terrorism charges.166

In past years, the authorities routinely arrested and prosecuted individuals for posting critical commentary online, especially DVK-related online activities. The classification of the DVK as an extremist group made it illegal to disseminate its content online, including through private messages.167 In May 2020, a court ruled that the DVK-affiliated Koshe Partiyasy was also an extremist organization, arguing that it was, in fact, one and the same as the DVK.168 However, there continued to be fewer prosecutions for DVK-related online activities during the coverage period.

The government places restrictions on anonymous communication. Since December 2017, users have been required to identify themselves using government-issued digital signature technology or short-message service (SMS) verification in order to comment on domestic websites;169 failure to enforce the rule can lead to fines.170 Some news outlets and other sites introduced identification functionality in response to the requirement, but more simply disabled their comment sections, inviting readers to comment on social media platforms instead.

The government is cracking down on VPNs and other anonymizing tools with court orders.171 In 2020, the regulator blocked 148 circumvention tools (see B1).172 Encryption tools are not restricted, but most users do not employ them.

SIM card registration is required for mobile phone users. The government also requires users to register all devices that use mobile networks—including mobile phones, tablet computers, and smartwatches—with their mobile service providers, linking a person’s government-issued identification, SIM card information, and device IMEI codes. Under 2018 legal amendments, unregistered mobile devices were to be disabled by service providers beginning in January 2019.173 In February 2019, law enforcement bodies admitted that there had been multiple “technical problems” that would require mobile service providers to further modernize their networks.174 In October 2019, the authorities enabled the IMEI code system, forcing operators to disable numerous unregistered devices (see A3). By law, operators are prohibited from providing services to clients with unregistered devices.175

Authorities presented the 2018 amendments as a means of fighting mobile device theft, counterfeiting, and terrorism.176 However, human rights advocates warned of their effects on user privacy and their potential to enable surveillance by effectively linking personal ID numbers, SIM cards, and IMEI codes.177 The technical capacity to disable a device was reportedly used to target activists during the protests during and after the 2019 presidential elections.178

Since 2016, users have had to obtain an SMS code to access public Wi-Fi networks. Such authentication potentially opens the door to surveillance because of the country’s SIM card registration requirement.179 Businesses can be fined up to 300,000 tenge ($700) for failing to comply with the new rules, while users can be fined up to 30,000 tenge ($70).180 As of 2021, only larger restaurant chains introduced this system, and open access to public Wi-Fi networks remained the norm.

It is difficult to estimate the extent of government surveillance in Kazakhstan, but users in the country have been targeted by spyware. Digital rights groups allege that large-scale surveillance infrastructure is in place. The government employs SORM technology, which originated in Russia and is similar to that employed by other former Soviet countries, for deep packet inspection (DPI) of data transmissions, among other functions. An investigation by the news site Vlast.kz published in February 2019 revealed a vast network of ties between Kazakhstan and Russia in the area of cybersecurity.181

In July 2021, after the coverage period, Forbidden Stories, a French nonprofit news outlet, and a coalition of news organizations including the Organized Crime and Corruption Reporting Project (OCCRP), identified phone numbers linked to Kazakhstani oligarchs and political figures in a leaked dataset. Investigators describe the dataset as a list of people of interest to clients of the company NSO Group, which sells the spyware product Pegasus. According to the investigation, almost 2,000 Kazakhstani phone numbers were selected for targeting during former president Nazarbayev’s rule.182 Out of the 2,000 numbers, 92 included oligarchs, political figures close to Nazarbayev, and opposition figures. The government has repeatedly denied the allegations. Additionally, two Kazakhstani journalists identified their numbers on the list.183

In January 2018, new technical regulations for SORM developed by the NSC entered into force.184 Telia Company, a Swedish firm that owned mobile service provider Kcell (now a part of Kazakhtelecom), warned in 2017 that the impending new surveillance requirements gave the government real-time access to providers’ networks, threatening freedom of expression.185 Local human rights monitors have since alleged that law enforcement bodies and special services watch and wiretap phone conversations of opposition activists without following proper procedures.186

Various authorities monitor internet traffic. The STS is responsible for overseeing cross-border network traffic through a system called Centralized Management of Telecommunication Networks. All telecommunications service providers must be connected to this system and are required to grant authorities physical access to their control centers.187 Kazakhtelecom, which maintains a DPI system separate from SORM, insists that it is used for traffic management and provides no access to users’ personal data.188

In 2019, ISPs urged subscribers in Nur-Sultan to install a root security certificate called the Qaznet Trust Certificate. The legal groundwork for the National Security Certificate had been introduced in 2016.189 Users were warned they might have difficulty accessing foreign websites if they chose to not install the certificate.190 The certificate’s introduction was justified as a means of fighting the theft of users’ personal data, fraud, and other online threats, including cyberattacks.191 The government stated that this “pilot test” of the certificate was part of its Cybershield cybersecurity program.192

In early August 2019, the NSC declared that the certificate’s trial period was over, claiming that the pilot test allowed it to test its cybersecurity systems as well as reveal and prevent millions of cybersecurity incidents.193 It also informed users that they could remove the certificate.194 In early December 2020, one month prior to the parliamentary elections, residents of Nur-Sultan had been advised to install the certificate again, citing the “Cybersecurity Nur-Sultan 2020” drill (see A3 and B1). Users were warned they would experience trouble accessing foreign websites unless they install the certificate on devices. The MDDIAI cited a nearly threefold rise in cybercrime in 2020 to justify the six-day drill.195 Users complained about their inability to access Facebook, YouTube, and other sites that had not installed the certificate.196

Officials later apologized for the inconvenience,197 denied the link between the drill and upcoming elections,198 and vowed that the certificate is not meant to monitor users, but to exercise targeted blocking of unlawful content.199 Despite these assurances, commentators and experts inside the country have previously insisted that the certificate is a government-initiated technology for the interception of encrypted user traffic via MITM attacks.200 Some of the 37 websites that University of Michigan and University of Colorado–Boulder researchers identified as targets of the certificate in 2019 included Facebook, Gmail, Instagram, Mail.ru, OK.ru, Twitter, VK, and YouTube, suggesting that its purpose was to “surveil users on social networking and communication sites.”201 In July 2019, the NSC admitted the certificate enables it to decrypt secure traffic but said it did not plan to store and view the details of citizens’ online activities.202

In August 2019, Apple, Google, and Mozilla stated that they would ban the certificate from their respective web browsers (Safari, Chrome, and Firefox) to ensure that their users’ personal data were not intercepted.203 In December 2020, these companies, along with Microsoft, followed through and banned the certificate from their networks and software.204 MDDIAI officials called the decision “a sign of double standards policy” that would hinder the work of the country’s special services.205

The authorities appear to engage in social media surveillance, including under the auspices of the MISD206 and via contractors such as Alem Research or IMAS, a private company that advertises a “monitoring system” that can “identify dangerous sources of social destabilization inciting interethnic discord, calling for violation of the constitutional order, holding illegal rallies… and much more.”207 IMAS’s clients include the Prosecutor General’s Office, the Ministry of Justice, and various local government administrations.208 In March 2021, the MISD disclosed that it monitors Clubhouse for unlawful content because it is considered a mass media outlet under Kazakhstani legislation.209

Activists using social media are occasionally intercepted or punished, sometimes preemptively, by authorities who have prior knowledge of their planned activities.210 Reports have emerged that authorities penetrated group chats on WhatsApp and Telegram, based on claims by activists that they faced repercussions for material they posted only on the communication apps. It is unclear how authorities could have gained access to these closed chats, but it is generally understood that either there are informants in critical groups, or that police seize and access the phones of detained activists.211

The government has also moved to introduce video surveillance systems featuring facial recognition technology, but these measures have faced public backlash.212 In October 2019, President Tokayev praised the technology he had observed on a recent visit to China, telling Nur-Sultan officials, “you click on a screen [where a person’s image is] and all the data comes up for that person, including literally everything: when he graduated from college, where he goes in his spare time, what kind of loans he has outstanding. We need to head in that direction.”213 However, public criticism of a proposed “Smart CCTV” pilot in Almaty led to that project’s cancellation in January 2020.214 In November 2020, government officials stated that facial recognition cameras are not being installed in Kazakhstan.215 A spokesperson for Sergek, a closed-circuit television (CCTV) network that monitors traffic incidents, assured citizens in February 2021 that their system does not employ facial recognition.216

In November 2020, the NSC adopted the Rules of Operation of the National Video-Monitoring System.217 The system contains hardware and software for collection, processing, and storage of video files for the purpose of national security and public order. The NSC determines if an individual or entity is obliged to connect to the system, defining them as “clients,” and outlines the costs for the installation and service of the equipment.

In June 2020, Tokayev signed the law on digital technologies, which designated the Information Security Committee at the MDDIAI as the body responsible for the protection of personal data, but rights activists and experts condemned218 the concentration of power in the executive along with a lack of independence. The law also provided for creation of the national video-monitoring system, which lacks precise regulation and public oversight, and biometric authentication of citizens with no guarantee of data protection.219

During the coverage period, Kazakhstani authorities actively began working to collect biometric data from citizens and link it to other personal data already at their disposal.220 This work is legally based on an October 2020 decree, issued by the MDDIAI, to provide for collection, storage and use of biometric data for the purpose of authentication at provision of government services to citizens.221

Amid the COVID-19-related state of emergency, authorities in Almaty, Kostanai, Nur-Sultan, and Oral required COVID-19 patients and quarantined individuals to install a location-tracking app on their mobile devices so that their movements could be traced.222 In early 2021, another app, Ashyq (Open), was developed by the MDDIAI together with the Ministry of Health. Ashyq offers to scan QR codes, placed on various points of interest, to provide safety updates to users. It also tracks the COVID-19 status of the user, ranging from green if they tested negative to red if the user is under outpatient supervision or is told to isolate.223

In 2015, WikiLeaks published an exchange of emails between an alleged secret service official and Hacking Team, an Italian firm that sells surveillance software. The exchange suggests that the government might have obtained software to monitor and interfere with online traffic, including encrypted communications, as well as to perform targeted cyberattacks against certain users and devices.224

Telecommunications companies have fully implemented the new SORM technical regulations (see C5), effectively granting the Kazakhstani government real-time access to their subscribers’ data.

There is a process that governs authorities’ ability to request user data from various companies, but it is not always followed. Security agencies can effectively access user data stored by the companies at will, as firms that wish to operate in the country have no means of resisting their demands. In its “exit report” upon leaving the Kazakhstani market, Tele2, the Swedish mobile service provider whose stake in Tele2-Altel was bought by Kazakhtelecom in 2019, noted that “it was not possible for Tele2 KZ to know how often the SORM system was used and whether the required warrant had been obtained.”225

Legislation obliges both fixed-line ISPs and mobile service providers to retain records of users’ online activities, phone numbers, billing details, IP addresses, browsing history, protocols of data transmission, and other data.226 Providers must store user data for two years and grant access within 24 hours to “operative-investigatory bodies,” including the NSC and other security agencies, when approved by a prosecutor or “by coordination with the Prosecutor General's Office.”227 The code of administrative offenses imposes fines on ISPs for failure to store user data.228 Tele2’s exit report revealed that the company “started preparations to publish the number and nature of requests it receives from law enforcement to disclose historical (meta)data on customers’ usage of telecommunications services… but was not allowed [to] publish the data.”229

Domain names using the .kz and .KA3 country codes must operate on domestic servers.230 According to Kazakhstani communications law, users’ personal data must be stored within Kazakhstani borders.231 In late 2017, the government announced that it planned to negotiate with foreign social media platforms and persuade them to operate local servers that could provide easier state access to citizens’ personal data.232 In September 2020, the government amended domain registration rules, enabling the government to suspend a domain name if the website is physically hosted outside of Kazakhstan or if any of its software is hosted outside of the country (see B2 and B3).233

In April 2021, the government adopted the Rules on examination of processes related to personal data, which allows the STS to access the hardware and software (“objects of informatization”) of “electronic information resources” to assess their “personal data management.”234 Also, according to the administrative code, operators are subject to fines for failure to distribute the National Security Certificate among clients, store personal information of users, or grant law enforcement bodies or special services access to data or equipment (see A3, B1, and C5).235

Domestic website owners are required to retain commentators’ data for at least three months and provide the government with this information upon request.236

The coverage period showed a dip in violence against activists and journalists working for online outlets, though such violence did occur. In October 2020, police physically assaulted Radio Free Europe/Radio Liberty (RFE/RL) journalist Saniya Toiken, who regularly writes for their website, as she was covering a political rally in Nur-Sultan.237

Also in October 2020, Ruslan Lazuta, a Karaganda activist who had created a network of car owners fighting corrupt traffic police officers, fled the country after he was accused of disseminating patently false information and insulting of a representative of the authorities.238

Members of the LGBT+ community in Kazakhstan frequently face online harassment.239 In a July 2019 incident, a gay man in Nur-Sultan was reportedly catfished over VK and then tortured.240

Technical attacks against independent media were observed during the coverage period, as were cyberattacks against public and private targets, including penetrations into government-owned information systems that resulted in citizens’ personal data being leaked.

On January 10, 2021, as parliamentary elections took place, news site Vlast.kz reported it suffered a persistent DDoS attack.241

In September 2020, the STS reported that Kazakhstani educational online platforms suffered a DDoS attack at the hands of foreign hackers.242

In July 2020, the Center for Analysis and Research of Cyberattacks, a local cybersecurity association, reported that the personal data from the Ministry of Justice and medical records of numerous citizens had been stolen, but officials denied the claims.243

In September 2019, reports emerged that hackers working for the Chinese government had broken into telecommunications networks to track Uyghur travelers in Central Asia, including Kazakhstan.244

In November 2019, a Chinese cybersecurity firm reported on an extensive hacking operation in Kazakhstan by a group it dubbed “Golden Falcon” which apparently targeted government and military agencies, researchers, journalists, private companies, dissidents, and foreign diplomats. The group, with alleged ties to Russia, had targeted Kazakhstan in the past, the firm said. Experts speculate that the operation may have been a Russia-sponsored advanced persistent threat actor, a Kazakh intelligence agency using Russian technical support, or a Russian mercenary group engaging in on-demand spying for the Kazakh government.245