A range of laws that came into force on January 1 positions the state as the intermediary for all online traffic. One law makes it an offence for a communications provider to deny government requests for information deemed suspicious.
The new system will require all Internet users in Kazakhstan to install a “national security certificate” which will effectively position the government as a middleman between users and all websites and online.
The government says that the certificate ensures that every connection will be encrypted and help protect Kazak citizens from terrorist propaganda, child pornography and online fraud.
But opposition journalist Sergey Duvanov said these latest moves were extremely concerning.
“Now, people in uniform can take possession of all information exchanged online,” he told IWPR. “They are formally guarding our national security, but in fact they turned into internet inspectors.”
The development and investment ministry will issue the certificate through its committee on connection, IT penetration and information.
This means that the state-owned service provider will have access to all encrypted Internet traffic and will not only be able to read and log users’ requests, but even edit incoming and outgoing data.
Although the law was supposed to come into effect on January 1, questions remain about its implementation.
The move was announced in a November 2015 press release from Kazak state communications provider KazakTelecom. It said the security certificate would be mandatory and that it would provide a step-by-step guide to installation.
However, this press release was later deleted from the website, and on December 4 KazakTelecom told Digital Report, an IT news website specialising in the post-Soviet region, that users could refuse to install the security certificate. There would be no sanctions for those who did so.
However, KazakTelecom was unavailable for comment when IWPR tried to clarify the current status of the certificate.
IT specialists point out that even if it is deemed to be voluntary, anyone who does not install the certificate is likely to face difficulties accessing the internet and services such as email, online retailers and banks.
Gmail and Amazon, for instance, require their own security certificate, so anyone trying to access them from within Kazakstan would be blocked from establishing a secure connection until their browser recognises the new state certificate.
Despite the potential consequences of allowing the government access to all online transactions, digital expert Adil Nurmakov said that there was unlikely to be much debate about the new legislation.
“Regular [internet] users including journalists are not experts on information security. For this reason this news was more broadly discussed on Russian IT community forums and by the foreign press. People [in Kazakstan] do not fully understand what the security certificate initiative means for them,” Nurmakov told IWPR.
“Since online users almost automatically click “I accept”, most Kazakstanis would just accept the new national certificate without knowing details about it,” agreed Shavkat Sabirov, the head of the Internet Association of Kazakstan forum.
As well as privacy issues, the new move has raised concerns over data security.
Once the security certificate is introduced, personal data including bank transactions, passwords and private photos stored online will be available to cyber criminals as well as the state, said Erlan Kemeshev, a lawyer.
The business community appears to be as much in the dark about the possible implications as private internet users.
An employee of a bank in Almaty, who asked to remain anonymous, told IWPR that her senior management still did not know how the security certificate could impact on their own work.
“We are in the same position as our clients,” she said.
IT specialist Artyom Tihonov warned that the new system would leave users far more vulnerable to fraud.
He said that the third party inserted between a bank and each client would give fraudsters another opportunity to steal data.
In cases of fraud, Tihonov said that the burden would be more likely to be borne by the consumer.
“If there is an incident and a bank client loses money as a result of the certificate implementation and a leak of client personal data, the client will suffer, whereas the bank [will be likely to] wash hands off the affair,” he said.
A further law included as part of the internet legislative package which also came into effect on January 1 further increases government access to private data.
“Owners of net and communications providers would have to improve communication [with the state] to avoid new administrative sanctions,” Kemeshev explained.
One new article made it an administrative offence for a communications provider to deny a state request for access to supposedly “illegal information”.
“We live in a police state where the secret service… doesn’t worry too much about adhering to various procedural safeguards especially when it comes to operative search activities and preventing extremism and radicalism,” said Evgeniy Zhovtis, the head of the Kazak International Bureau on Human Rights.
“The procedure of how this certificate is going to be used is not well articulated which creates uncertainty and gives broader authority to the secret service,” agreed Ayna Shormanbaeva, the head of the International Legal Initiative, a Kazak NGO offering legal advice.
Kazakstan has the highest rate of internet penetration in Central Asia at 55 per cent, accord to Freedom House. But it is also regarded as “not free” and falls in the lower half of the Internet freedom index.
In 2015 criminal liability for disseminating rumours was introduced, and penalty for defamation was toughened.
Also, according to Freedom House, the government repeatedly bans certain online content, ranging from coverage of Kazak citizens fighting with the Islamic State (IS) to political criticism.