Kazakhstan Halts Internet Surveillance Plan That Sidestepped Encryption On Phones

NUR-SULTAN -- The controversial rollout of encryption software to Kazakh mobile-phone users has been stopped, with President Qasym-Zhomart Toqaev saying the move was just a test that he ordered for security reasons.

Toqaev said in a Twitter message dated August 6 that the rollout of the encryption certificate, which customers were told to install or potentially lose access to the Internet, was conducted by the National Security Committee (KNB) on his direct order to prove "that Kazakhstan's information space is protected" from "outer intrusions."

He added that the "testing" was "completed rapidly" and assured Internet users in the former Soviet republic that "there are no grounds for worries."

Since July, Internet users across Kazakhstan have been receiving messages from telecom operators asking them to install the "security certificate" called Qaznet on their smartphones, computers, and other devices connected to the Internet.

Users who refused to install the root certificate reported difficulties with access, in particular to social networks and instant messengers.

While security officials claimed the certificates were aimed at protecting mobile-phone users from cyberthreats such as hackers and online fraud, many legal analysts and technical experts worried the government could use them to monitor private communications by going around encryption walls commonly found in software applications.

According to a report published on July 23 by Censored Planet, a project at the University of Michigan, users "should not install" the root certificates because "it opens them up to having their otherwise secure communication intercepted or modified without their knowledge."

The KNB said it intended to use the system in the future "in the event of a threat to national security in the form of cyber- and information attacks."

However, it said citizens would receive "prior notice" before the system was implemented and that "instructions for removing the security certificate from personal devices" would be posted on its website.

The interception targeted connections to 37 domains, according to the Censored Planet research, which was carried out between July 17 and 20. Applications and websites targeted included Facebook, Twitter, and YouTube, as well as e-mail and messaging tools and Google services.

According to Shavkat Sabirov, president of the Internet Association of Kazakhstan, root certificates are not foolproof, and their use could backfire.

He said that on a global level, "it is already recognized that this is an unsuccessful and even a terrible attempt to work in a safe mode" because if the certificate is stolen or hacked, "the attackers will get absolutely all the information about users' data."

With reporting by Ehackingnews.com