Last fall, the U.K.’s Government Communications Headquarters (GCHQ), Britain’s counterpart of the U.S. National Security Agency (NSA), came up with a plan to allow law enforcement groups to eavesdrop on fully encrypted communications, ostensibly without undermining user privacy.
The details of the agency’s new initiative were first published in an essay titled Principles for a More Informed Exceptional Access Debate, in which Ian Levy, technical director of Britain’s National Cyber Security Centre, joined Crispin Robinson, the GCHQ’s head of cryptanalysis, to propose a solution that would allow eavesdropping without the need to break encryption.
While Levy and Robinson penned a 2,500-plus-word paper to explain their solution, it ultimately boils down to a proposal that all encrypted messaging service providers be required to send law enforcement agencies copies of the encrypted messages sent through their services. In other words, under the proposed solution, every time an iMessage user in the U.K. sent a message to another iMessage user, an additional copy would be created and sent to the GCHQ, giving it access to all communications in real time without having to break encryption to gain access to them after the fact.
Not surprisingly, just about every major tech company, civil liberties group, privacy advocate, and security expert has come out in vociferous opposition to this idea. Specifically, Apple has joined 46 other organizations — including tech companies Google, Microsoft, and WhatsApp, civil society organizations such as the Electronic Frontier Foundation and Human Rights Watch, and a long list of security and policy experts — in penning an Open Letter to GCHQ.
In the letter, the group unequivocally condemns the proposal, saying that it “poses serious threats to cybersecurity and fundamental human rights including privacy and free expression.”
“This proposal to add a ‘ghost’ user would violate important human rights principles, as well as several of the principles outlined in the GCHQ piece. Although the GCHQ officials claim that ‘you don’t even have to touch the encryption’ to implement their plan, the ‘ghost’ proposal would pose serious threats to cybersecurity and thereby also threaten fundamental human rights, including privacy and free expression.”
Open Letter to GCHQ
While the letter lauds the GCHQ’s principles for recognizing that governments should not expect “unfettered access” to user data, that trust between service providers and users is important, and that “transparency is essential,” it accuses the GCHQ of undermining those very principles by proposing that it should even be possible for law enforcement to be silently added to group chats and calls.
Not only would this violate rights to privacy and freedom of expression, the letter notes, but it would also create new digital security risks “by undermining authentication systems.” As Apple famously pointed out during its opposition to the FBI’s “backdoor” proposal back in 2016, creating any kind of deliberate security hole, even one intended solely for use by law enforcement, would be the “software equivalent of cancer,” since there is never a guarantee that such capabilities won’t fall into the wrong hands or be misused by bad actors, whether inside government agencies or elsewhere.
In fact, this concern is being raised at an interesting time, amidst a recent report in The New York Times that the massive cyberattack currently underway in Baltimore has been waged using a software tool that was originally developed by, and later stolen from, the U.S. National Security Agency.
As the letter explains, because secure encrypted messaging systems rely on public key technology, adding a third recipient to an existing conversation would require companies to make significant modifications to their software in order to add law enforcement participants in secret: both changing the encryption systems used and suppressing the notifications that are issued when new participants join a chat. This would, as the letter states, “undermine the authentication process that enables users to verify that they are communicating with the right people,” and could also introduce “potential unintentional vulnerabilities,” as can happen any time new security exceptions are added to a system.
“The ghost proposal involves changing how the encryption keys are negotiated in order to accommodate the silent listener, creating a much more complex protocol — raising the risk of an error. Any such unintentional vulnerability could be exploited by malicious third parties.”
Open Letter to GCHQ
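The letter’s point about key negotiation and notifications is easier to see in code. The following is an added illustration, not code from the letter, from GCHQ, or from any real messaging app: a toy end-to-end group chat in which the sender’s client wraps one fresh message key for every public key it encrypts to, and the recipient’s client compares the recipient set in each envelope against the roster it already knows. The Diffie-Hellman group, the XOR-based wrapping, the one-block “stream cipher” and the alert strings are all simplifications chosen for this example. Because the provider holds only public keys, it cannot wrap the message key for an extra reader itself; the sender’s app would have to do that, and an unmodified receiving app still sees the extra recipient key and raises a membership notice. Making the listener silent therefore means changing both the sender’s and every recipient’s client, which is the protocol change the letter describes.

```python
import hashlib
import hmac
import json
import secrets

# Toy Diffie-Hellman group (p = 2^127 - 1, a Mersenne prime). Far too small for
# real use; it only keeps the key wrapping genuinely asymmetric, so that a party
# holding public keys alone cannot produce a valid wrapped message key.
P = 2**127 - 1
G = 5


def keygen():
    """Return (private, public) for one chat member (constructed toy keys)."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _kdf(shared: int, label: bytes) -> bytes:
    # Derive a 32-byte pad from the DH shared value (fits in 16 bytes since P < 2^128).
    return hashlib.sha256(label + shared.to_bytes(16, "big")).digest()


def seal(text: str, roster: list[int]) -> dict:
    """Sender's client: one fresh message key, wrapped once for every public key
    it is told to encrypt to. The MAC covers the body and the recipient list."""
    assert len(text) <= 32, "toy stream cipher: one 32-byte keystream block"
    msg_key = secrets.token_bytes(32)
    eph_priv, eph_pub = keygen()
    wrapped = {
        str(pub): _xor(msg_key, _kdf(pow(pub, eph_priv, P), b"wrap")).hex()
        for pub in roster
    }
    body = _xor(text.encode(), hashlib.sha256(b"body" + msg_key).digest()).hex()
    authed = json.dumps({"wrapped": wrapped, "body": body}, sort_keys=True).encode()
    tag = hmac.new(msg_key, authed, "sha256").hexdigest()
    return {"eph": eph_pub, "wrapped": wrapped, "body": body, "tag": tag}


def open_envelope(env: dict, priv: int, pub: int, known_roster: list[int]):
    """Recipient's client. Returns (plaintext or None, list of alerts).
    The alerts are the notifications a 'ghost' would need suppressed."""
    mine = env["wrapped"].get(str(pub))
    if mine is None:
        return None, ["NOT_A_RECIPIENT"]
    msg_key = _xor(bytes.fromhex(mine), _kdf(pow(env["eph"], priv, P), b"wrap"))
    authed = json.dumps({"wrapped": env["wrapped"], "body": env["body"]}, sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(msg_key, authed, "sha256").hexdigest(), env["tag"]):
        return None, ["TAMPERED"]  # body or recipient list altered after sealing
    text = _xor(bytes.fromhex(env["body"]), hashlib.sha256(b"body" + msg_key).digest()).decode()
    # Membership transparency: every key this message was encrypted to must be a
    # member this client already knows; anything else is surfaced to the user.
    unknown = sorted(set(int(k) for k in env["wrapped"]) - set(known_roster))
    alerts = [f"MEMBERSHIP_CHANGED: {len(unknown)} unknown recipient key(s)"] if unknown else []
    return text, alerts


def demo() -> dict:
    """Constructed scenario: a two-person chat, then the same message sealed to
    one extra key by a modified sender client, then a tampered envelope."""
    alice_priv, alice_pub = keygen()
    bob_priv, bob_pub = keygen()
    _extra_priv, extra_pub = keygen()   # a key that appears in nobody's roster
    roster = [alice_pub, bob_pub]       # what Alice's and Bob's apps display

    honest = seal("lunch at noon?", roster)
    ghosted = seal("lunch at noon?", roster + [extra_pub])
    tampered = dict(honest)
    tampered["body"] = "00" * (len(honest["body"]) // 2)

    return {
        "honest": open_envelope(honest, bob_priv, bob_pub, roster),
        "ghosted": open_envelope(ghosted, bob_priv, bob_pub, roster),
        "tampered": open_envelope(tampered, bob_priv, bob_pub, roster),
    }


if __name__ == "__main__":
    for case, (text, alerts) in demo().items():
        print(f"{case:9s} text={text!r} alerts={alerts}")
```

Run it and Bob’s unmodified client decrypts both the honest and the ghosted message, but only the ghosted one carries a MEMBERSHIP_CHANGED notice; the tampered envelope fails the MAC and yields no plaintext at all. A real deployment would use a standard group-messaging protocol and authenticated identity keys rather than this toy group, but the roster comparison is the piece the letter says a ghost cannot coexist with.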
Further, one of the strengths of end-to-end encrypted messaging systems like iMessage today is that even the providers cannot see into their users’ chats. The systems are deliberately designed to prevent this, but a required “backdoor” for law enforcement — even one that simply involves copying messages to a third party — would open the door to other surveillance abuses that are simply not possible today.
One of the co-authors of the original paper, Ian Levy, responded positively to the Open Letter in a statement to CNBC, saying that “We welcome this response to our request for thoughts on exceptional access to data — for example to stop terrorists. The hypothetical proposal was always intended as a starting point for discussion. We will continue to engage with interested parties and look forward to having an open discussion to reach the best solutions possible.”