Kazakhstan's New Encryption Law Could Be a Preview of U.S. Policy

Think of all the little things you did on the Internet today. You checked your email. Maybe you shopped for a flight home for the holidays. Perhaps you checked your bank balance to survey the Black Friday damage.

Whether you noticed or not, the websites you visited to complete these tasks displayed a small padlock icon in the corner of your browser window. That little green lock tells you that the data you’re sending and receiving is encrypted, which means it’s protected from hackers and spies.

When a device communicates with a website using an encrypted protocol like HTTPS (the system that makes that padlock appear), the data sent from one to the other is scrambled in such a way that it can only be deciphered by the sender and the recipient—anyone listening in on the stream of data would find only an incomprehensible jumble. The devices on either end are able to parse the data because they first exchange the keys needed to unlock the encryption.

Strong encryption can make governments nervous, especially when it’s used to exchange messages. Led by the FBI Director James Comey, several senior U.S. officials have asked American tech companies to offer government agents access to encrypted messages sent on their platforms. Comey and his ilk say that the encryption used in services like iMessage and WhatsApp allow potential criminals and terrorists to communicate “in the dark,” threatening public safety.

But the resounding consensus of technology experts is that it’s impossible to allow access to encrypted data for one party—the government—without leaving the data vulnerable to hackers and eavesdroppers. “End-to-end” encryption, the system used by HTTPS, depends on keeping the keys to the data in just two places: on the devices sending and receiving it. If a “back door” is created, along with a new set of keys, that door is vulnerable to attack from hackers and foreign spies.

This back door is exactly what some officials have called for. They want companies like Apple to keep a master key, which the companies would use to unlock encryption when asked by law enforcement. But technology companies and lawmakers have pushed back against the request.

Meanwhile, a new plan in Kazakhstan will install a back door in nearly every Internet-connected computer, phone, and tablet, to eavesdrop on encrypted communications.

The system, which will be implemented next month, would require Internet users in Kazakhstan to install a “national security certificate” on their devices, in compliance with a new communications law. The mandatory certificate would allow the government to act as a “man in the middle,” standing between users and the websites they want to access.

Once users install the certificate, its issuer—the state-owned Internet service provider—will have access to all their HTTPS-encrypted Internet traffic. From that vantage point, the government can read users’ requests, log them, and even edit the outgoing and incoming data—all without the users’ knowledge.

That means that Internet users won’t be able to tell if the website they are looking at is the real deal, or if its contents have been tampered with by the government. Alternatively, the government could choose to simply censor the website and block the user from accessing it.

More than just a tool for surveillance and censorship, Kazakhstan’s plan is also a security threat to its Internet users, says Eric Mill, a Washington-based technology-privacy advocate. If a hacker gains access to the Internet provider’s systems, he or she would have the same far-reaching control over the traffic going in and out of the country, he said.

A successful attack on the Internet provider is an entirely plausible scenario—especially considering the valuable data and keys it will hold—given recent intrusions into high-profile American companies and government agencies.

“Centralizing traffic for the purpose of interception brings its own risk, above and beyond recording, access, and modification,” said Mill, who works at 18F, a federal agency focused on digital issues.

The policy announcement has been removed without comment from the website of Kazakhtelecom, the Internet company, but remains accessible via the Internet Archive.

Kazakhstan’s plan is not out of line with its history of restrictive Internet laws. According to a 2015 report on worldwide Internet policies from Freedom House, the country has been expanding its power over the web, using it to shut down websites and target journalists. But some of its neighbors are much worse offenders. China, notably, has pushed foreign technology companies to share their software source code with the government, a request which some firms have already met.

The U.S. government is also looking for ways to circumvent encryption in the name of national security, but it’s not likely to employ a system that’s as radical as Kazakhstan’s or China’s.

American intelligence agencies pour billions of dollars every year into surveillance, including programs to capture and read information about Americans’ emails, but many tech companies are going out of their way to keep information out of the hands of spies, by investing in strong, surveillance-proof encryption. Even the slightest mention of implementing a national policy that would weaken encryption—like President Obama’s veiled encryption reference during a high-profile speech this weekend—is enough to send tech companies and privacy advocates into a panic.

The panic is justified. It would be especially harmful if the U.S. took steps like Kazakhstan’s, because it’s seen as a world leader in protecting free-speech rights online. If the U.S. implemented heavy-handed policies, repressive regimes would be emboldened, and the Internet would be a worse place for it.