Western countries including the U.S. and U.K. continue to voice their concerns against encrypted devices and Internet services, saying they hinder the efforts of spy agencies looking to prevent things like the mid-November Paris attacks from happening. American tech companies, which are primarily attacked for their use of encryption, aren’t willing to budge and provide governments backdoors into encrypted devices so that they can be used for spying purposes.
It turns out that one country doesn’t even need Internet companies to get on board – not that this particular country would have any sway on American corporations – and plans to spy on all encrypted Internet traffic going in and out of the country.
According to Motherboard, Kazakhstan announced it plans to spy on all Internet traffic, encrypted or not, starting in January 2016. The country wants to introduce a “national Internet safety certificate” that will help it spy on incoming and outgoing traffic.
“The national security certificate will secure protection of Kazakhstan users when using coded access protocols to foreign Internet resources,” the country’s government-backed Internet service provider said in a press release early this week before the announcement vanished.
While it may not matter to most people what countries like Kazakhstan are doing when it comes to Internet surveillance, the fact that such a state is concocting ways to conduct mass spying operations indicates that there might be ways for governments to try to break encryption.
It’s not clear how the “national Internet safety certificate” would work and whether it would be effective, but it’s likely a digital certificate that would have to be installed on any device that can connect to the Internet, including computers, iPhones, and Android devices. Even so, services like Google, Twitter, and many others will probably not acknowledge the certificate’s validity, which may lead to a poor Internet experience for end-users in Kazakhstan, which, in turn, could hinder intelligence collection programs.
“All internet users will have to install the certificate, issued from the online portal of national operator Kazakhtelecom, on their end-user devices,” a report from Telecompaper says. “According to the law, operators will have to use a safety certificate for transferring traffic under protocols supporting encryption, except for traffic encrypted in Kazakhstan.”
“By trying to introduce infrastructure that disables encryption on foreign communications through a masquerading certificate, Kazakhstan is making a brazen attempt to increase its ability to control security over the Internet in the country,” Privacy International advocacy officer Matthew Rice told Motherboard. “This will make the collection and storage of communications much easier by removing the encryption on the data. It is a concern from a security perspective and for the technological naivety of the proposal.”