The Kazakhstan government started intercepting its citizens' web activities by forcing everyone to install a state-authorized certificate on their devices.
The certificate allows the government to decrypt HTTPS web traffic, view the contents, and then re-encrypt it once again before it is sent to its destination.
This in turn allows the government to conduct surveillance on all of its citizens within its borders, providing the means to get information on users' amount of time spent on the web, including sign in times, connection types, transmitted and received traffic between parties of the connection, identification numbers of sessions, duration of time spent online, IP address, and speed of data receipt and transmission.
Effective on July 17th, local internet service providers (ISPs) have been redirecting Kazakhstan internet users to web pages to instruct them to install this certificate.
Starting in Kazakhstan‘s capital Nur-Sultan, the ISPs gradually roll the redirection to everyone else in the country.
Without installing this certificate, users would be blocked from accessing the internet.
In a statement by local ISP Kcell:
"Customers failing to install Security Certificate on their mobile devices may face technical limitations when accessing certain websites."
The Kazakhstan government and local ISPs are positioning the certificate as beneficial to citizens, government agencies and companies by protecting them from cyber threats. But the development has raised privacy concerns about man-in-the-middle certificate schemes.
Kazakhstan sits in a region ruled by dictators, and this kind of move by the government isn't its first time.
Since internet traffic in the country goes through KazakhTelecom's channels, the web in the country is centralized. KazakhTelecom, along with some Russian companies, has openly signed an agreement to provide filtering, censorship, and surveillance on the basis of Security Council resolutions.
The system is similar to the Russian's SORM, which was introduced to monitor activities of users and any related information, and block any information that contain offensive political content, social networking sites, proxy sites and others.
Previously, Kazakhstan has also attempted to force its citizens to install a government-issued root certificate which to decrypt their HTTPS internet traffic. But the plan was cancelledafter backlash and criticisms from multiple organizations, ISPs and banks in the country, citing fears that the certificates would weaken the security of the country’s internet traffic.
And the 2019 reenacted move for this pervasive interception and surveillance is under Kassym-Jomart Tokayev, President of Kazakhstan who assumed office on 20 March 2019.
Just months after his election, Tokayev has quickly taken a greater control of the country through various technology means.
Kazakhstan government is also a known as a customer of NSO Group, an Israeli company that sells hacking technology to governments around the world, including to dictatorships that use it to curb dissidents.