The British intelligence agency GCHQ (Government Communications Headquarters), which analyzes signals and cracks codes, has proposed eavesdropping on encrypted chat services. The backlash has been strong, with 50+ companies, security experts and civil rights organizations calling it a “serious threat” to human rights and digital security. Apple, Google, Microsoft, WhatsApp and Privacy International are among those encouraging GCHQ to drop the “ghost protocol” proposal first put forward in November 2018.
The Guardian reports that the proposal is the brainchild of Ian Levy, technical director of the U.K. National Cyber Security Centre, and Crispin Robinson, GCHQ head of cryptanalysis. Their technique would not break the encryption per se, but would instead require messaging services to simultaneously send a copy to a third party. The duo said it is “no more intrusive than the virtual crocodile clips” used to wiretap non-encrypted communications.
Opponents contend that the technique would, first, “require service providers to surreptitiously inject a new public key into a conversation in response to a government demand,” and, second, “require messaging apps, service providers, and operating systems to change their software” and/or “mislead users by suppressing the notifications that routinely appear when a new communicant joins a chat.”
“The overwhelming majority of users rely on their confidence in reputable providers to perform authentication functions and verify that the participants in a conversation are the people they think they are, and only those people,” said the opponents in a letter. “The GCHQ’s ghost proposal completely undermines this trust relationship and the authentication process.” Levy responded that “the hypothetical proposal was always intended as a starting point for discussion.”
Forbes reports that opponents of the “ghost protocol” proposal argue that “it’s fundamentally wrong to add a secret government participant to an existing group chat.” The topic is sensitive in the U.K., which introduced the Investigatory Powers Act in 2016. Now dubbed the Snoopers’ Charter, the law “greatly increased the government’s surveillance and hacking powers.”
In their letter, opponents noted that “although it is unclear which precise legal authorities GCHQ and U.K. law enforcement would rely upon, the Investigatory Powers Act grants U.K. officials the power to impose broad non-disclosure agreements that would prevent service providers from even acknowledging they had received a demand to change their systems, let alone the extent to which they complied.”