But the resounding consensus of technology experts is that it’s impossible to allow access to encrypted data for one party—the government—without leaving the data vulnerable to hackers and eavesdroppers. “End-to-end” encryption, the system used by HTTPS, depends on keeping the keys to the data in just two places: on the devices sending and receiving it. If a “back door” is created, along with a new set of keys, that door is vulnerable to attack from hackers and foreign spies.
This back door is exactly what some officials have called for. They want companies like Apple to keep a master key, which the companies would use to unlock encryption when asked by law enforcement. But technology companies and lawmakers have pushed back against the request.
Meanwhile, a new plan in Kazakhstan will install a back door in nearly every Internet-connected computer, phone, and tablet, to eavesdrop on encrypted communications.
The system, which will be implemented next month, would require Internet users in Kazakhstan to install a “national security certificate” on their devices, in compliance with a new communications law. The mandatory certificate would allow the government to act as a “man in the middle,” standing between users and the websites they want to access.
Once users install the certificate, its issuer—the state-owned Internet service provider—will have access to all their HTTPS-encrypted Internet traffic. From that vantage point, the government can read users’ requests, log them, and even edit the outgoing and incoming data—all without the users’ knowledge.
That means that Internet users won’t be able to tell if the website they are looking at is the real deal, or if its contents have been tampered with by the government. Alternatively, the government could choose to simply censor the website and block the user from accessing it.
More than just a tool for surveillance and censorship, Kazakhstan’s plan is also a security threat to its Internet users, says Eric Mill, a Washington-based technology-privacy advocate. If a hacker gains access to the Internet provider’s systems, he or she would have the same far-reaching control over the traffic going in and out of the country, he said.
A successful attack on the Internet provider is an entirely plausible scenario—especially considering the valuable data and keys it will hold—given recent intrusions into high-profile American companies and government agencies.
“Centralizing traffic for the purpose of interception brings its own risk, above and beyond recording, access, and modification,” said Mill, who works at 18F, a federal agency focused on digital issues.
The policy announcement has been removed without comment from the website of Kazakhtelecom, the Internet company, but remains accessible via the Internet Archive.
Kazakhstan’s plan is not out of line with its history of restrictive Internet laws. According to a 2015 report on worldwide Internet policies from Freedom House, the country has been expanding its power over the web, using it to shut down websites and target journalists. But some of its neighbors are much worse offenders. China, notably, has pushed foreign technology companies to share their software source code with the government, a request which some firms have already met.