Earlier this month, we revealed how the governing regime in Kazakhstan was testing a new scheme to try to spy on its citizens’ online activity.
Their nefarious plan involved forcing all Kazakh citizens to install an encryption certificate on their devices. Those who refused were told their access to the internet would be shut off altogether.
Kazakhstan’s internet spying scheme
As we explained previously, the purpose of this encryption certificate was to allow the Kazakh authorities to intercept and monitor all internet data to see what its people were doing online.
Because the certificate was installed on users’ devices, even encrypted communications would be accessible, as the authorities could access them before they were encrypted.
Predictably, there was a huge outcry at the scheme. Critics said that it would infringe upon the online rights of opposition politicians, journalists, human rights activists, and countless innocent citizens.
More surprising was the fact that the Kazakh authorities did back down. They spun a deeply unconvincing line that the whole thing had just been a test and people didn’t have to install the certificate after all. Those who had could just delete it with no repercussions.
But, as we warned at the time, the Government did reserve the right to roll out the scheme in the future. While the risk has been averted for now, it will continue to linger threateningly in the background.
The fightback begins
The good news for Kazakh internet users is that the threat this spying scheme posed is now significantly reduced. And for once it is big tech companies who are the good guys.
As the Reuters News Agency confirmed last night, a group of big tech companies have announced that they will be taking steps to block the Kazakh encryption certificate from their browsers.
Google has confirmed that the certificate will be blocked from its Chrome browser. They have also gone even further and blacklisted the certificate in the Chromium source code.
This means that the certificate will soon be blocked on the wide variety of other internet browsers which are based on Chrome too. Around 65% of browsers are rooted in Chromium, which means that this step is a particularly important one.
Apple confirmed in a statement that it too would be taking similar measures to block the Kazakh certificate from its Safari browser. This is the most popular browser on its iPhone and iPad devices, which hold a sizable share of the mobile device market.
“We have taken action to ensure the certificate is not trusted by Safari and our users are protected from this issue,” a spokesperson for Apple confirmed.
Mozilla too has joined in the move and will be blocking the certificate on its already very privacy-friendly Firefox browser.
Mozilla’s senior director of trust and safety, Marshall Erwin, said in a statement, “We believe that individual security and privacy is fundamental and cannot be treated as optional online.”
“This certificate poses a significant threat to our users, which is why we are taking action to protect them,” he added.
A move to future-proof Kazakh internet users
Erwin went on to explain that there would be a proportion of Kazakh internet users who still had the certificate installed on their devices. These users were therefore still vulnerable to being spied on by the Kazakh state. This move would eliminate that risk for all users of the Firefox, Chrome, and Safari browsers.
He also cautioned, as we did earlier in the month, that the mechanism to use this certificate to spy on people was still in place. Mozilla, he explained, was not going to wait until it was used again to block it.
Google and Apple clearly felt the same way and the end result is that a great many Kazakh internet users will now be protected from their government’s best attempts to spy on their internet activity.
It is a hugely welcome move and suggests that the new-found commitment to online privacy that many of these companies have developed is more than just a PR move but something they are genuine about.
Having said that, it is not a good idea for internet users in Kazakhstan, or indeed anywhere else, to rest on their laurels.
There is no shortage of authoritarian (and indeed democratic) governments that are hell-bent on knowing what you are doing online at all costs. This is information they have absolutely no right to.
Some browsers and other programmes can offer you a degree of protection but it is wise to seek out something that offers you some cast-iron guarantees too.
They do charge a small monthly subscription. But it is a small price to pay for the protections they offer. Protections that, in countries like Kazakhstan, are becoming increasingly essential.