Kazakhstan needs tougher laws to address the impacts of spyware

In July 2021, the United Nations (UN) High Commissioner for Human Rights, Michelle Bachelet, issued a statement exposing the widespread use of Pegasus spyware that targeted journalists, human rights activists, politicians, and other people across the world. Software, originally designed to spy on terrorists, is a product of the Israeli “cyber intelligence” NSO Group. Pegasus can penetrate messaging systems, including Gmail, Facebook, WhatsApp, Facetime, Viber, WeChat, Telegram, built-in messengers, Apple mail, and others.

The Pegasus scandal confirmed one of the most common concerns related to the state’s illegal access to citizens’ digital devices and the use of digital surveillance technologies. More recently, in December 2021, Amnesty International confirmed that the mobile phones of at least four Kazakhstani civil society activists had been contaminated with Pegasus software.

Pegasus works by monitoring keystrokes on an infected device – all written communications, search queries [3], and passwords. Pegasus also provides access to voice data and the phone camera.

Programs of this type require special attention due to their great potential in the field of technology and their rapid improvement, as it relates to the risks of violating human rights, in particular privacy. The NSO Group says that Pegasus is not a technology designed for mass surveillance, and the spyware is used by governments to “combat terrorism and other serious crimes“.

The tracking software has highlighted a number of legal cybersecurity issues that need to be addressed. In the Pegasus case, the personal mobile devices of certain individuals (politicians, journalists, human rights activists) are infected by installing tracking software, and then infected mobile phones are used as spy devices to illegally monitor the data and actions of target actors. 

The NSO Group states that the Pegasus software is provided exclusively to government agencies in order to combat terrorism and crime. However, as practice shows, the clients of the Israeli company exploit Pegasus software as a tool for digital surveillance of persons not related to terrorism or criminal acts.

In addition, when hacking smartphones with Pegasus tracking software, the attacker has full access to the user’s personal information. For example, when Pegasus is implemented in a mobile phone, the offender has the ability to listen to all phone calls, determine the location of the user, and also has access to the microphone, camera and many other functions of the phone. It is worth emphasizing that malicious software has the ability to modify, destroy, and distribute the user’s personal data. Unauthorized access to the user’s personal data violates the person’s right to privacy.

Relatedly, one of the Kazakhstanis, who may also have become a target of surveillance by the Pegasus software, is 25-year-old Temirlan Yensebek. A criminal case under Article 274 of the Criminal Code of the Republic of Kazakhstan (dissemination of knowingly false information) was initiated against him. Yensebek is a supporter of the Oyan, Qazaqstan political movement. In April 2021, inspired by the Russian satirical publication Panorama, he created a similar media outlet in Kazakhstan – the Instagram account Qaznews24. Humorous news immediately attracted attention – the account began to be quoted and distributed not only by users who believed in the content of the posts but also by large audience. The pre-trial investigation against Temirlan, who was accused of spreading false information, was eventually terminated because the police found no criminal offence had occurred. In another case, civil society activist Inga Imanbai, the wife of the leader of the unregistered Democratic Party, Zhanbolat Mamay, claimed that Hermit spyware was found in her phone. She holds that spyware was used by the authorities of Kazakhstan.

“The authorities are watching me through an expensive Italian spyware program. The antispyware program Lookout detected the Hermit virus on my phone. After all, you’re probably now convinced that we’re not criminals, aren’t we? Not only are we being watched by five cars, well, admit already that we are not criminals, let go of Zhanbolat!” wrote Inga Imanbai on her Facebook page.

In June 2022, cybersecurity research group Lookout Threat Lab reported that it had discovered an Android surveillance program used by the Kazakh government domestically.

Apple has notified a number of Kazakhstanis that Pegasus tracking software has been installed on their devices. In particular, the notification came to the device of the human rights defender Bakhytzhan Toregozhina. In addition to the fact that her number was the target by Pegasus, it is assumed that the tracking software was successfully installed on her device. According to Bakhytzhan, she noticed that her phone froze and poorly functioned for some time. 

Analysis of the legislation of the Republic of Kazakhstan

Ensuring privacy and protection of personal data is an important part of the development of the Legislation of the Republic of Kazakhstan. And the use of tracking software, like Pegasus, contradicts a number of regulatory legal acts that assert and protect personal non-property rights. 

According to Article 18 of the Constitution of Kazakhstan, “everyone has the right to inviolability of private life, personal and family secrets, protection of honor and dignity”. Tracking software directly violates users’ constitutional privacy rights.

Thus, spyware without notifying the user receives unauthorized access to the personal information of the victim whose device was infected, which obviously contradicts the Constitution of Kazakhstan. Article 10 of the Law of Kazakhstan “On Personal Data and Their Protection” states that “Access to personal data is determined by the terms of the consent of the subject granted to the owner or operator for their collection and processing”. Thus, offenders when infecting a mobile device with tracking software do not ask the subject for consent to access the personal data contained in the device. Consequently, this access obtained with the help of such software is illegal.  

In turn, criminal liability is established by Article 147 of the Criminal Code of Kazakhstan. Meanwhile, the Law “On Operational-Search Activities” establishes that the list of special technical means includes “software for obtaining and documenting information in the course of operational-search measures and secret investigative actions” [15].  Tracking software such as Pegasus, as discussed above, is software designed to record, collect and transmit information without the knowledge of the owner of the information. 

It should be concluded that an important role in the investigation and prosecution for the establishment of spyware or malware is played by the regulatory framework, which requires significant revision.

Image source: Reporters Without Borders