Experts Warn Against Digital Security Certificate Required by Kazakhstan’s Government

Published
The certificate may pose real risks for users

The new certificate, which Kazakhstan’s government suggests people use, is not verified by the international certification authorities. As a result, potential vulnerabilities of it could be dangerous for regular citizens, according to Mikhail Klimarev, IT specialist and head of the non-profit organization Internet Protection Society, who has given a speech at the Privacy Week 2021 conference.

In 2015 Kazakhstan developed a digital security certificate Qaznet Trust Network, which is supposed to be a shield to protect people against hacker attacks or sensitive content. However, as Russian expert Klimarev has noted, none of the international certification centers confirmed it.

«It might be hard for a regular user to distinguish the real certificate from the fraud. If I would give you my certificate with the same name, your browser would approach my service, not the Kazakhstani one. That is how I can obtain all your passwords and personal data. There is no big difference between this Kazakhstani certificate and fraud because there is no infrastructure for its verification and, of course, none of the verification centers would confirm it,» he said. 

Another expert, Olzhas Satiev from the Center for Analysis and Investigation of Cyber Attacks, believes that the certificate could be applied in some situations. However, there is no clear understanding of what such a situation should be. Therefore, if the state wants to use the certificate in specific cases, a clear definition of them is needed.
According to Satiev, the certificate can’t be used for spying on people. 

«Many people think that the certificate is aimed to trace them, but it’s not true. Those people who are involved in terrorism or extremism will find ways to bypass the certificate through VPNs or other tools. I don’t think someone from a state agency would read everything people write on a daily basis on social media or websites. It’s almost impossible, so there is no tracing for anything people have written,» he said.

In contrast, Elzhan Karbyshev from the Coalition of New Generation of Human Rights Advocates said that the certificate can be a limiting factor for correspondence privacy. While regular people can refuse the installation of the certificate, Kazakhstan’s mobile operators are obliged to use that certificate and distribute it.

«Operators must require their clients to use the certificate; otherwise they can deny clients from access to the internet. So this is not a voluntary decision of users; if they need the internet, they must use the certificate,» the expert underlined.

Chairman of the Information Security Committee of the Ministry of Digital Development, Innovations and Airspace Industry Ruslan Abdikalikov insists that the law on communication covers all aspects of the certificate’s use.

«We often approach owners of foreign resources and ask them to limit access to certain content for our citizens because it may violate Kazakhstan’s legislation. However, they never respond. Therefore, we’ve been forced to move forward with such an unpopular move as the security certificate,» he said.

Even though the Kazakhstani government continues to negotiate with foreign online resources, it preserves its right to use the certificate as the national legislation envisages in some situations.

In 2019 when the security certificate developed by Kazakhstan’s specialist was just presented, it caused a negative reaction among big IT companies such as Apple, Google and Mozilla, which have started to block Qaznet Trust Network in their browsers.

On December 6, 2020, many residents of Nur-Sultan reported problems with access to the internet. As the digital ministry announced later, the incident was caused by the training with the security certificate.
 

Read also