Respecting Freedom of Expression - TeliaSonera view on new legislation in the country of Kazakhstan

14 December 2015. Up-date 17 February 2016 - See below

TeliaSonera’s Group Policy on Freedom of Expression in Telecommunications is available here. According to this Policy we will, whenever possible, report on new legislation with potentially serious impacts on the freedom of expression of our customers.

Government’s surveillance and control of communications often serve legitimate purposes such as the protection of certain human rights, but they may also be problematic in that they could conflict with other human rights. TeliaSonera’s commitment is to respect freedom of expression in telecommunications.

New Kazakh legislation on communications was published on 26 November 2015 aimed to strengthen cybersecurity, increase the combat against international terrorism, child sexual abuse material as well as transnational crime. The law implies that operators of international and/or intercity telephone communication will, as soon as secondary regulation is in place (see up-date below), be obliged to transfer its traffic via a protocol that supports encryption using a certificate issued by the State. This obligation does not apply to traffic which was encrypted in the territory of Kazakhstan. All users will, as soon as the secondary regulation is in place, have the right not to download certificates on their respective device. While there will be no sanctions for not installing the certificates, users may encounter limitations in functionality of foreign websites and services which uses other encryption than such under the national and trusted certificate. Access to websites which do not use encryption will not be affected.

Information about the law is available, in Russian, via the following link. So far, there is no official press release  from the Regulator on the introduction of security certificates on their website to refer to.

In the beginning of December 2015, the Kazakhstan National Telecom Association sent a letter to the Regulator with its proposals on the draft rules for the use of security certificates. Earlier, in February of 2015, Kcell addressed other operators with its concerns on the draft  law on protection of children from harmful information, which was the first time the introduction of security certificates was proposed. Kcell was engaged in the law-making process for secondary legislation.

The Policy of TeliaSonera is not to engage in the politics of the countries in which we operate. We do not comment on politics or make political statements when representing our company. However, TeliaSonera does engage in dialogue regarding regulations that affect our business and customers of companies in which we have ownership interests. TeliaSonera, as further defined in our Group Policy, advocates clear and transparent legal provisions on proportionality and necessity for all government legislation in the context of surveillance and control over communications. TeliaSonera will continue to promote these views, also when interacting with the Government of Kazakhstan in applying this new legislation.

Up-date February 17, 2016:

The following secondary legislation related to the above new law and security certificates has now been adopted and officially published;

  • The Order of the Regulator “On Approval the Rules for the issuance of security certificates” was published on January 19, 2016.
  • The Order of the Regulator “On Determining the certification center” was published on January 19, 2016.
  • The Order of the Regulator “On Approval of the Rules for the use of security certificates” was published on January 26, 2016.

The latest Order (out of 3) came into force on February 6, 2016.

There is another Order of the Regulator “On Approval of the Rules for the interconnection of international and intercity communication operators networks at the point of Internet traffic exchange” to be adopted, but not published yet. This Order shall be related to the use of the security certificates in some way.

Kcell has applied and received the security certificate from the certification center (the State Technical Service under the Regulator).

The practical implementation of the use of security certificates is subject to further consultations with the Regulator.