December 17, 2015 | by Dean Jackson

On November 30, 2015, the authorities in Kazakhstan fired off the latest salvo in authoritarian regimes’ battle against Internet freedom. Kazakhtelecom, the Central Asian country’s largest telecommunications company, released a statement announcing that pursuant to Kazakh law, starting January 1, 2016, all Internet providers in Kazakhstan will be “obliged” to screen encrypted traffic travelling between Kazakh Internet users and servers based abroad. (For the time being, traffic within Kazakhstan would be exempt. The statement has since been removed from Kazakhtelecom’s website, but an archived version can be read here).

Kazakh Internet service providers (ISPs) will be aided in this endeavor by new regulations requiring that all Internet users install a “national security certificate” on their devices. Once installed, this certificate will expose any communications between Kazakh Internet users—including independent journalists and political activists—and the global Internet to “man-in-the-middle attacks” allowing the regime to intercept, read, and (if it so desires) falsify those communications. Further, it would make the Kazakh government the ultimate intermediary between Kazakh Internet users and the outside world—a radical proposition in line with authoritarian proposals advocating “Internet sovereignty.”

Important questions remain about key details, and the original statement claims that more information will be released before the end of the year. Some have questioned the effectiveness of requiring users to self-install the certificate, noting that those most worried about state surveillance are unlikely to do so. In the end, that might not matter to the authorities, who may simply desire a legal mechanism for selectively persecuting those found to be noncompliant with the new regulations. Targets will be easy to identify, as ISPs will be required to keep lists of users who fail to install the certificate.

With international terrorism high on the agenda of governments worldwide, encryption and online anonymity face growing scrutiny from national security establishments. According to Freedom House’s Freedom on the Net 2015, “democracies and authoritarian regimes alike stigmatized encryption as an instrument of terrorism, and many tried to ban or limit tools that protect privacy.” This is precisely the rationale used to justify restrictions in Kazakhstan; the Kazakhtelecom statement claims the new certificate will “secure protection of [Kazakh] users when using coded access protocols to foreign Internet resources.” In all likelihood, it will do the opposite: not only will government agencies be able to access the communications, but the certificate will create a weak point in the encryption process vulnerable to exploitation by terrorists and criminals, as well as foreign governments. The authorities in Kazakhstan can create encryption backdoors—but cannot guarantee control of who passes through them.

Many critics of state surveillance point out that governments seeking to combat terrorism by undermining encryption standards weaken Internet freedom in a technical sense—by exposing users to crime and espionage—but also in a normative one: if backdoors come to be seen as a regular fixture of the Internet, it will be harder to criticize bad actors for enabling them. The government in Kazakhstan, a country whose overall political environment and Internet are rated “Not Free” by Freedom House, is as likely to use any newfound surveillance powers against civic activists and political opposition as against terrorists and criminals. And given the near complete lack of independent courts, rule of law, free media, and other institutional constraints on government authority in the country, there is virtually no force that can stop the authorities from doing so.

Of course, this only holds true if the regime can obtain such powers in the first place. One possible outcome of Kazakhstan’s new regulations could be that Internet giants such as Google refuse to recognize the certificate’s legitimacy. This would render their services inaccessible to those who download the certificate, placing the Kazakh regime squarely in what has been called the “dictator’s dilemma”: the desire to harness information technology for economic growth balanced against the fear that increased connectivity could encourage meaningful political pluralism. Kazakhstan has been playing both sides of the dilemma, but this new certificate runs the risk of tipping Kazakh policy too far in the direction of online control.

Even if the Kazakh initiative fails, it will be one failed experiment in a larger project to place the state as the ultimate authority over online communications. “Internet sovereignty,” a cause championed by China (known for its sweeping Internet controls), already has many adherents: in a 2011 paper for Strategic Studies Quarterly, Chris C. Demchak and Peter Dombrowski write that “from India to Sweden, nations are demanding control over what happens electronically in their territory.” They argue that this change is natural and inevitable, noting that “no frontier lasts forever… the topology of the Internet, like the prairie of the 1800s’ American Midwest, is about to be changed forever—rationally, conflictually, or collaterally—by the decisions of states.”

But these changes do not have to resemble those proposed in Kazakhstan. If the decisions of states will shape the Internet, states can decide to protect user rights and regard violations of those rights as illegitimate rather than normal. Ronald Deibert, director of the Citizen Lab, has urged the development of “models of cyberspace security that can show us how to prevent disruptions or threats to life and property without sacrificing liberties and rights.” The state may come to settle the digital frontier, but must not bring the end of Internet freedom with it.

Photo: Chany167/Shutterstock