For years, authoritarian governments around the world have looked for ways to snoop on their citizens online and gain access to the massive trove of personal information and sensitive data that their citizens are creating across the Internet. It now looks like the government of Kazakhstan – a country already known for its repressive, authoritarian style of control – is implementing a so-called “man-in-the-middle” (MITM) Internet surveillance strategy that will enable it to decrypt, read, and then re-encrypt all HTTPS web traffic of Internet users in Kazakhstan.
How Kazakhstan’s Internet surveillance plan works
The key aspect of Kazakhstan’s Internet surveillance strategy is forcing every citizen to install a government-issued national security certificate on every device used to access the Internet, and within every browser. The idea is simple yet profound: the installation of the security certificate will enable the Kazakh government to read every single message sent by its citizens within Kazakhstan. Even more alarmingly, the Kazakh security forces could carry out an elaborate MITM attack on known dissenters or government opponents. Once they have decrypted an HTTPS message, they would theoretically be able to change or alter its contents.
Imagine, for example, a group of political dissenters planning a top-secret meeting or protest for a certain day. Using the Internet surveillance strategy outlined above, the government would be able to track and monitor the communications of those activists, and then change the date, time or place of their meeting in order to round them up for arrest. Or, even more chillingly, they might be able to plant incriminating evidence of plots against the government directly within those messages – all without the knowledge of the people communicating with each other.
The planned Internet surveillance strategy was supposed to start on July 17, 2019. On that date, Kazakh citizens attempting to access the Internet in the usual manner (by connecting to an Internet Service Provider and then opening a web browser) would, instead, be prompted to download the government-issued security certificate. Failure to do so might mean a whole host of technical problems – like the impossibility of getting some or all pages to load. In a worst-case scenario, a Kazakh Internet user would be unable to access the Internet at all.
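A defender's view of the interception described above, as an added example that is not part of the original article: when HTTPS is decrypted and re-encrypted in transit, every intercepted site arrives with a freshly issued certificate from the same issuer, so comparing what a client sees against an outside vantage point exposes the intercepting CA. All host names, issuer names and fingerprints below are constructed, and the function name and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample data: host -> (issuer organization, leaf SHA-256 fingerprint).
# REFERENCE: recorded from a vantage point outside the suspect network.
# OBSERVED:  recorded by a client inside the suspect network.
REFERENCE = {
    "mail.example": ("Public CA One", "aa11"),
    "bank.example": ("Public CA Two", "bb22"),
    "news.example": ("Public CA One", "cc33"),
    "cdn.example": ("Public CA Three", "dd44"),
}
OBSERVED = {
    "mail.example": ("Example National Root", "0f01"),
    "bank.example": ("Example National Root", "0f02"),
    "news.example": ("Example National Root", "0f03"),
    # Benign difference: same CA, different leaf (rotation or CDN edge).
    "cdn.example": ("Public CA Three", "dd99"),
}


def find_interception_issuers(reference, observed, min_hosts=3):
    """Return {issuer: sorted hosts} for issuers that replaced the reference
    issuer on at least min_hosts distinct hosts.

    A single changed fingerprint is weak evidence, because certificates
    rotate and CDNs serve several. One issuer taking over unrelated sites
    that normally use different CAs is the signature of re-signing in transit.
    """
    replaced = defaultdict(set)
    for host, (obs_issuer, obs_fp) in observed.items():
        if host not in reference:
            continue  # no baseline to compare against
        ref_issuer, ref_fp = reference[host]
        if obs_fp == ref_fp:
            continue  # identical leaf certificate: untouched
        if obs_issuer == ref_issuer:
            continue  # new leaf from the expected CA: likely rotation
        replaced[obs_issuer].add(host)
    return {issuer: sorted(hosts)
            for issuer, hosts in replaced.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for issuer, hosts in find_interception_issuers(REFERENCE, OBSERVED).items():
        print(f"{issuer} re-issued certificates for: {', '.join(hosts)}")
```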
Reaction to Kazakhstan’s Internet surveillance plan
As might be expected, privacy advocates and Internet experts reacted quite negatively to the Kazakh Internet surveillance plan, which will make it possible to intercept all HTTPS traffic. They saw the MITM scheme as a ruthless crackdown on free speech, and a backdoor that lets state security services snoop on each and every citizen.
Back in 2015-2016, the Kazakh government had attempted a similar plan to snoop on Internet traffic. However, Mozilla (makers of the popular Firefox browser) led an all-out assault on the plan. Banks, private corporations and even foreign governments banded together to deplore the plan and force the Kazakh government to shelve it.
A new paradigm for Internet sovereignty
So what has happened between then and now that convinced government leaders in Kazakhstan that now might be a good time to snoop on Internet traffic? A big reason might have to do with the election of a new Kazakh president in 2019. The country’s long-time leader, Nursultan Nazarbayev, is no longer in office after a long reign from 1991 to 2019. In his place is an even more hard-core authoritarian (President Kassym-Jomart Tokayev), who is probably looking forward to cracking down on Internet dissent, disrupting citizens’ Internet access, and cementing his power within the country.
More broadly, there seems to be an international fracturing of the long-time model of the “global Internet.” At one time, the Internet seemed to be borderless: it belonged to all governments and no governments at the same time. But then authoritarian governments around the world woke up to the idea of snooping on their citizens online the same way that they snooped on them in the analog world. Instead of phone taps to eavesdrop on conversations, there are now hacker-like MITM attacks that result in 24/7, around-the-clock Internet surveillance.
China and Russia are the two countries most often cited for cracking down on Internet freedoms. They are advancing the notion of “Internet sovereignty,” in which each nation controls its own Internet in the way that it sees fit (much like they control their own domestic air space). Of course, these nations must conform to general, international norms – but there is plenty of wiggle room for interpretation when it comes to Internet traffic that is entirely within their own borders. For example, Russia is pushing for Internet data to be stored on servers located on Russian soil, while China is pushing for the complete censorship of certain apps and websites. And don’t forget that even liberalized Western nations such as the United States are not opposed to massive Internet surveillance programs carried out by secretive government agencies. Social media companies, too, are a privacy risk.
Kazakhstan, of course, says that the move to intercept all Kazakh Internet traffic of its citizens is simply meant to protect them from hackers, terrorists, cyber criminals and various cyber threats. Where privacy advocates and champions of free speech see a brutal crackdown on freedom of expression and a dangerous invasion of privacy, Kazakh government leaders see themselves as part of a benevolent, paternal state looking after the safety of its citizens.
Next steps in the battle against Internet surveillance
The big question, of course, is how companies like Microsoft, Apple and Mozilla are going to respond to this Internet surveillance plan. Combined, these three Internet leaders make the world’s most popular browsers (Internet Explorer, Safari, Firefox). If they band together as they did back in 2016, they could theoretically force the government of Kazakhstan to back down. So far, these three major players have not announced what they are going to do, or how they are going to react.
Right now, the most likely option is that these browser companies will accede to the requests of the Kazakh government, and perhaps display a visual message along the lines of, “This is not a trusted browser certificate.” But is that message really going to be enough to dissuade users? Online, there has already been talk about potential ways to evade the strategy of the Kazakh government, such as by using Internet-connected devices running on Linux or other open source operating systems and/or other freely available Internet resources.
One thing is clear: the concept of a free, global, and borderless Internet is now very much under fire. In places like Russia, China and the former Soviet Union (both Kazakhstan and Turkmenistan) plans are afoot to block traffic, restrict access, carry out Internet censorship and snoop on all communications. It’s up to Internet citizens around the world to rise up and defeat these authoritarian Internet surveillance schemes and similar types of government orders.