Internet freedom in Kazakhstan remained “Not Free” in 2018, as new legal amendments further restricted online anonymity and a court recognized an opposition movement as extremist.
Despite improved affordability, speeds, and internet access, the internet is heavily regulated by the country’s authoritarian government.
Authorities regularly block websites and employ the legal system to stifle free expression online.
Kazakhstan is also developing a complex infrastructure to control internet traffic.
The government significantly increased the cost of online dissent over the past year. On March 13, 2018, a court ruled that the Democratic Choice of Kazakhstan (DVK), an opposition movement supported by exiled oligarch Mukhtar Ablyazov, is an extremist organization.
The government has since prosecuted DVK-related activity and content online under broad and harsh extremism laws.
Authorities have also requested that a number of social media and communication apps remove DVK content and groups from their platforms. VKontakte, Odnoklassniki, and Instagram all reportedly complied.
The government also moved to further restrict anonymity online while increasing its surveillance capabilities.
New amendments to the law on information and communications require users wishing to comment on local websites to register by either using their government-issued digital signature or using SMS identification.
In January 2018, new technical regulations for SORM developed by the National Security Committee reportedly became effective, which could seriously impact freedom of expression and privacy.
Obstacles to Access:
The government of Kazakhstan continued to improve ICT infrastructure by facilitating market competition and private ownership in the telecommunications industry, although the partly-government owned Kazakhtelecom announced its plans to acquire 75 percent of Kcell.
There were no internet shutdowns during the reporting period, but users frequently experienced connectivity issues when trying to access social media and communication platforms.
Availability and Ease of Access
Internet access has grown significantly in Kazakhstan over the past decade. According to the government, 77 percent of the population uses the internet, although access is more limited in rural areas where 45 percent of the population resides.
By the beginning of 2018, 4G LTE network covered cities and towns with more than 50,000 residents.
The government-run Digital Kazakhstan program hopes to increase internet penetration to 82 percent by 2022.
The ambition is to ensure broadband connectivity with fiber-optic infrastructure to a large portion of rural areas by 2020.
Most people access the internet from their mobile devices and at home, and the internet is often available free-of-charge in various public places in cities.
According to Budde, a telecommunications research and consultancy company, the mobile broadband market is mature and developed, and further growth is predicted over the next five years.
Both mobile internet and fixed broadband remain relatively affordable.
In 2018, monthly fixed-line unlimited broadband subscriptions started at KZT 3,000 (US $8.20), while popular monthly mobile broadband subscriptions with prepaid 8 GB traffic were as low as KZT 1,790 (US $5.60).
As of August 2018, the average monthly salary in Kazakhstan was KZT 159 125 (US $437).
Access is distributed relatively evenly across Kazakhstan’s multiethnic communities.
The competition between the Kazakh language and Russian language – still widely used by many urban residents as a part of the Soviet legacy – has an impact on access.
All public institutions are required to provide at least two language versions on their website, and many private sector actors follow this example.
However, there is much more domestic content available in Russian than in Kazakh, especially in alternative news coverage online; social media discussions are also held primarily in Russian.
In late 2017, authorities decided that over the next eight years the Kazakh language will transition from using the Russian Cyrillic script to using the Latin alphabet in order to better utilize the language online.
Gender does not seem to be a barrier to internet access in Kazakhstan.
ICT Market
According to the e-government portal of Kazakhstan, there are 10 major ISPs and a dozen providers that cover several cities and provinces.
The state owns 51 percent of Kazakhtelecom, the largest telecommunications operator in Kazakhstan, through the sovereign wealth fund Samruk-Kazyna.
Alexander Klenabov, an oligarch close to the government, controls 22 percent of stakes in Kazakhtelecom.
As of June 2016, Kazakhtelecom had a 75 percent share in the fixed broadband internet market, a decline from 85 percent at the end of 2014.
It fully or partially owns a number of other backbone and downstream ISPs.
The country’s three GSM operators, Kcell, Beeline, and Tele2/Altel, are privately owned by foreign shareholders, however Kazakhtelecom owns half of Tele2/Altel after a 2016 merger of Kazakhtelecom’s Altel with Tele2-Kazakhstan, a subsidiary of the Scandinavian operator.
In January 2018, Kazakhtelecom announced its plans to acquire 75 percent of Kcell,[ which is being sold by the Nordic Telia Company as it withdraws from post-Soviet countries.
If the deal is approved by Kazakhstan’s anti-trust authority, Kazakhtelecom would control a 65 percent share of the market.
All operators were given the right to offer 4G LTE in 2016.
No special licensing is required for businesses that decide to set up a Wi-Fi hotspot, and free public access over Wi-Fi is ubiquitous in cafes, shopping centers, and other public places.
To day …..
The Kazakhstan government has once again issued an advisory to all major local Internet Service Providers (ISPs) asking them to make it mandatory for all their customers to install government-issued root certificates on their devices in order to regain access to the Internet services.
The root certificate in question, labeled as “trusted certificate” or “national security certificate,” if installed, allows ISPs to intercept and monitor users’ encrypted HTTPS and TLS connections, helping the government spy on its citizens and censor content.
In other words, the government is essentially launching a “man in the middle” attack on every resident of the country.
But how installing a “root certificate” allow ISPs to decrypt HTTPS connection? For those unaware, your device and web browsers automatically trust digital certificates issued by only a specific list of Certificate Authorities (CA) who have their root certificates installed on your system.
Therefore compelling Internet users into installing a root certificate that belongs to a Government Organisation gives them the authority to generate valid digital certificates for any domain they want to intercept through your HTTPS traffic.
Starting from April this year, Kazakh ISPs began informing their users about the “national security certificate” that would be mandatory to install in order to continue uninterrupted access to a list of “allowed” HTTPS websites.
Now, Tele2, one of the major Kazakh ISPs, has finally started redirecting all HTTPS connections of its customers to a web page containing certificate files and instructions on how to install it on Windows, macOS, Android, and iOS devices.
One of the most serious security implications we can easily spot here is that — since users can only browse non-HTTPS sites before installing the certificates, the Cert files are available for download only over insecure HTTP connections, which can easily allow hackers to replace Certificate files using MiTM attacks.
Other national ISPs, listed below, also have plans to start forcing their Internet users into installing the root certificate shortly to comply with the law.
The controversial advisory has been issued with respect to amendments to the Law on Communications 2004 (the “Communications Law“) that the Kazakhstan government passed in November 2015.
According to Clause 11 of Article 26, the “Rules for Issuing and Applying a Security Certificate,” all national communications service providers are obliged to monitor the encrypted Internet traffic of their customers using government-issued security certificates.
The law was intended to come in force starting 1 January 2016, but the Kazakhstan government failed to force the local ISPs following a series of lawsuits.
It seems now the Kazakhstan government is making another attempt to force the amendments, putting privacy and security of millions of its citizens at risk from both hackers and the government itself by breaking the fundamentals of Internet security protocol.
According to the note displayed by Internet providers, the amendments have been forced “in connection with the frequent cases of theft of personal and credential data, as well as money from bank accounts of Kazakhstan.”
“A security certificate has been introduced that will become an effective tool for protecting the country’s information space from hackers, Internet fraudsters and other types of cyber threats,” the note reads.
“The introduction of a security certificate will also help in the protection of information systems and data, as well as identifying hackers and Internet fraudsters before they can cause damage.”
“It will also allow Kazakhstan Internet users to be protected from hacker attacks and viewing illegal content.”
From these statements, it’s evident that the Kazakh government wants to take control over what content their citizens should be allowed to view on the Internet and also to turn Kazakhstan into a deep surveillance state.
Also, since half of the education is more dangerous than no education, I find it very concerning that ISPs are promoting “custom CA root certificate installation” as a better solution that boosts online security.
The pages and press releases created by ISPs with instructions on “why and how to install the government-issued certificate” doesn’t correctly explain the threat of installing a wrong root certificate.
It littery leaves the majority of citizens at risk of social engineering attacks, and an opportunity for hackers to trick users into installing a malicious root cert from unofficial websites and sources.
Besides this, intercepting HTTPS communications will also allow ISPs to inject advertisements or tracking scripts on all web pages users visit.
At this moment, it is not clear how major tech companies and web browsers will respond to this new privacy infringement of the Kazakh citizens. We’ll update the story with more information as soon as they are available.
