On 26 November 2015, amendments to the Law on Communications 2004 (the "Communications Law") were published. One of the amendments introduces national security certificate. From 1 January 2016, all RK communications service providers are obliged to pass the encrypted traffic with the application of the security certificate. The national security certificate is introduced for the needs of the RK state authorities and governmental organizations and will allow to decipher traffic that is transmitted with the use of encryption, both from the RK territory to the territory of a foreign state and vice versa. Changes in the Communications Law do not apply to the transfer of encrypted traffic in the RK territory.
Introduction of a national security certificate has caused heated discussion, primarily because the wording of the Communications Law is broad and does not give entrepreneurs a clear answer to the following questions: what kind of traffic will be subject to control - only Internet traffic or other traffic that is transmitted by other communication channels; in respect of which encryption protocols will the security certificate be used; will the amendments apply to corporate networks that connect offices and clients of a company in multiple jurisdictions?
The draft regulations and explanations of the Committee for Communications, Information and Informatization of the Ministry of Investment and Development of Kazakhstan (the "Communications Committee"), which can be found on the Internet, do not answer those questions. We hope that regulations that would clarify the procedure for the application of the national security certificate will be adopted soon. At the moment, we only have verbal comments of the staff of the Communications Committee on the purpose of introduction of the national security certificate, and their related views.
Why is Kazakhstan introducing a national security certificate?
With the help of the security certificate Internet traffic will be controlled. Upon subscribers' request for access to Internet resources which are transmitted with the use of an encryption protocol, access to such resources will be made available only to those subscribers who have the devices with the security certificate installed. If the security certificate is not installed, access to the Internet resource will be denied or the functionality of Internet resource will be limited. According to the Communications Committee, the security certificate will only be applicable to the HTTPS protocol.
The purpose of introduction of the security certificate is automatic tracking of Internet resources for information that is contrary to the legislation of the Republic of Kazakhstan e.g. terrorism propaganda. Such information is often transmitted through the HTTPS protocol. As the traffic passes in encrypted form, it is impossible to read this information without deciphering it. Hence, such traffic cannot be automatically checked for banned information by keywords. When using the security certificate, the traffic that is requested by subscribers on the territory of the Republic of Kazakhstan will be "unpacked" and scanned by the keywords. This will be possible as the RK security certificate will be installed on the subscriber's device, the hardware and software set of communications services providers and international points of juncture between Kazakhstan networks and neighboring countries. Now the search for the sites that contain information contradicting the legislation is carried out by the employees of the relevant authorities in charge of Internet resources.
The security certificate is not intended to decrypt information sent through internal corporate networks using encryption protocols other than HTTPS.
Amendments to the Communications Law and the regulations impose an obligation to install the security certificate and pass the encrypted traffic only with the use of the security certificate on Kazakhstan communications services providers. Entrepreneurs and citizens of the Republic of Kazakhstan are not required to establish the national security certificate. However, if the certificate is not installed by the subscriber, it will not have access to the Internet traffic that is transmitted over the HTTPS-protocol.
At the moment, the RK security certificate is not yet available to the subscribers for instalment on their devices, and the transmission of the international Internet traffic is carried out as usual. We suppose that the security certificate will become available for instalment by the communications service providers and subscribers in 2016. We will follow the developments related to introduction of the national security certificate, and keep you updated accordingly.