Tech giants, including Apple, Google and WhatsApp, have urged the UK’s GCHQ to abandon a proposal that would allow it to eavesdrop on encrypted chat conversations.
More than 50 companies, civil society organisations and security experts have united to voice concern about “serious threats to cybersecurity and fundamental human rights” that a so-called “ghost protocol” could pose.
In November, National Cyber Security Centre technical director Ian Levy and GCHQ’s technical director for cryptanalysis, Crispin Robinson, published a paper suggesting a way to let law enforcement agencies join people’s private conversations as a silent added participant.
They said at the time: “In a world of encrypted services, a potential solution could be to go back a few decades. It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call.”
The paper stated that “what we’re outlining here is just to start discussion” and “more detailed work is needed”.
But in an open letter, the critics argue the proposal “creates serious threats to digital security” and risks damaging the public’s trust.
They said: “If implemented, it will undermine the authentication process that enables users to verify that they are communicating with the right people, introduce potential unintentional vulnerabilities and increase risks that communications systems could be abused or misused.”
‘Threats to fundamental rights’
“These cybersecurity risks mean that users cannot trust that their communications are secure, as users would no longer be able to trust that they know who is on the other end of their communications, thereby posing threats to fundamental human rights, including privacy and free expression.
“Further, systems would be subject to new potential vulnerabilities and risks of abuse.
“Beyond undermining current security tools and the system for authenticating the communicants in an encrypted chat, GCHQ’s ghost proposal could introduce significant additional security threats. There are also outstanding questions about how the proposal would be effectively implemented.
“By requiring an exceptional access mechanism like the ghost proposal, GCHQ and UK law enforcement officials would require messaging platforms to open the door to surveillance abuses that are not possible today.”
Responding to the open letter, Levy said: “We welcome this response to our request for thoughts on exceptional access to data – for example to stop terrorists. The hypothetical proposal was always intended as a starting point for discussion. It is pleasing to see support for the six principles and we welcome feedback on their practical application.
“We will continue to engage with interested parties and look forward to having an open discussion to reach the best solutions possible.”
Earlier this month, Norfolk police chief Simon Bailey, the UK lead for child protection, said tech firms should make a digital key for police to unlock encrypted messages in “exceptional circumstances” such as child abuse or terror cases.
Speaking at the Independent Inquiry Into Child Sexual Abuse, he said: “If I know and you know that somebody is abusing a child or sharing abusive imagery, then you surely give up your right to privacy.”