UK: Rights groups join Apple, Google and Microsoft in calling on GCHQ to drop eavesdropping plans
A coalition of more than 50 civil rights groups, security experts and tech companies including Apple, Google and Microsoft have signed an open letter calling on GCHQ to abandon proposals for eavesdropping on encrypted conversations.
Under the so-called “ghost protocol”, the providers of end-to-end encrypted messaging apps like WhatsApp and Signal would allow law enforcement officials to be secretly added to encrypted group chats or calls, allowing them to eavesdrop.
The proposal was set out by Ian Levy and Crispin Robinson of GCHQ in a piece published by Lawfare, part of a series of essays from the Crypto 2018 Workshop on Encryption and Surveillance.
The pair suggested that their proposal was “very different” to earlier controversial proposals to build back-doors into encryption technology, because it does not affect the encryption algorithms themselves.
They wrote: “We’re not talking about weakening encryption or defeating the end-to-end nature of the service. In a solution like this, we’re normally talking about suppressing a notification on a target’s device, and only on the device of the target and possibly those they communicate with.”
However, in an open letter to GCHQ, critics warn that the proposal still “poses serious threats to cybersecurity and fundamental human rights including privacy and free expression”.
As well as violating “important human rights principles”, they say the proposal “would create digital security risks by undermining authentication systems, by introducing potential unintentional vulnerabilities, and by creating new risks of abuse or misuse of systems”.
The letter adds: “Any proposal that undermines user trust penalizes the overwhelming majority of technology users while permitting those few bad actors to shift to readily available products beyond the law’s reach.
“It is a reality that encryption products are available all over the world and cannot be easily constrained by territorial borders. Thus, while the few nefarious actors targeted by the law will still be able to avail themselves of other services, average users – who may also choose different services – will disproportionately suffer consequences of degraded security and trust.”