Update on Aug 7, 5:00 PM IST: Kazakhstan has now abandoned its plans to intercept citizens’ internet traffic for monitoring cyber threats. The about-turn comes as lawyers argued the certificate installation as illegal. The government said the initial rollout was a test.
The Kazakhstan government has started to intercept all HTTPS traffic from all devices within its borders effective July 17, reports ZDNet.
Local internet service providers (ISPs) have been instructed by the government to force their citizens to install a state-authorized certificate on all devices, and all browsers.
This certificate allows the Kazakhstan government to decrypt HTTPS internet traffic, view its contents, and then re-encrypt it with the certificate once again before it is sent to its destination, making it easy for the Kazakhstan government to surveil its citizens’ online activities.
While the government says only internet users in Kazakhstan‘s capital of Nur-Sultan will have to install the certificate, it appears users from across the nation are said to be blocked from accessing the internet until they they installed the certificate.
Local ISP Kcell, for example, has put up a new page instructing users on how to install the Qaznet Trust Certificate, stating “it will help protect the information systems and data, as well as detect hacker and cyber-attacks of the Internet fraudsters on the country’s information space, private and banking sector, before they can cause damage.”
“Customers failing to install Security Certificate on their mobile devices may face technical limitations when accessing certain websites,” it adds.
The Kazakhstan government and local ISPs are positioning the certificate as beneficial to citizens, government agencies and companies by protecting them from cyber threats. But the development has raised privacy concerns about man-in-the-middle (MITM) certificate schemes.
According to Reclaim the Net, “this isn’t the first time the Kazakhstan government has attempted to force its citizens to install a government-issued root certificate which decrypts their HTTPS internet traffic.”
In 2015, the country’s government ordered its citizens to install a certificate but ultimately had to go back on its plans after multiple organizations sued the Kazakhstan government, citing fears that the certificates would weaken the security of the country’s internet traffic.
If its citizens want to avoid being spied on, they’ll have to rally similar efforts to push back against this ruling right quick.