GCHQ proposals to allow secret government surveillance of encrypted messaging apps would “violate important human rights”, internet giants including Apple, WhatsApp and Google have warned.
Dozens of civil society groups and tech companies have signed an open letter condemning GCHQ’s proposals to create a “ghost protocol” which would allow it to “silently” add a “law enforcement participant” to a group chat or call.
The letter reads: “If implemented, [the proposal] will undermine the authentication process that enables users to verify that they are communicating with the right people, introduce potential unintentional vulnerabilities, and increase risks that communications systems could be abused or misused.”
This poses a threat to “fundamental human rights, including privacy and free expression” as users could no longer trust that they know who is on the other end of their communications, it adds.
The controversial “ghost” proposal was first outlined in an essay by Dr Levy and Mr Robinson, from GCHQ’s National Cyber Security Centre, on security blog Lawfare.
The article was intended to set out principles for when the government can be permitted “exceptional access” to people’s encrypted data without undermining “the values we all hold dear”.
Responding to the letter, Dr Levy said he welcomed the response and insisted that the proposal is only “hypothetical” and a “starting point for discussion”.
What Is The Ghost Proposal?
Security in most modern messaging apps relies on a technique called “public key cryptography”.
This technique sees devices generate a pair of ‘keys’ – one of them public and the other private – which are essentially two very large, mathematically linked numbers.
The public key is used by a person to send out encrypted messages which can only be unscrambled and read using the intended recipient’s corresponding private key.
GCHQ’s proposed “ghost key” would allow a third party – namely a law enforcement official – who possesses neither key to read a plain-text version of a conversation without the users’ knowledge, according to the letter.
This means that companies such as WhatsApp or iMessage would need to “surreptitiously inject a new public key into a conversation in response to a government demand,” the letter adds.
It is believed that it would also require these companies to either change their encryption schemes or “mislead users” to prevent them being notified when a government operative has been added to their conversation.
Doing this could introduce security vulnerabilities into the apps which could be exploited by non-state actors for malicious purposes, the letter adds.
What About Human Rights?
Currently, the right to privacy in the UK is protected through Article 8 of the Human Rights Convention, the right to a family and private life, alongside the common law in each of the UK’s jurisdictions.
While Article 8 provides a qualified right, states are supposed to use the least restrictive measures possible when they cut down on our privacy rights.
What Is GCHQ’s Response?
Dr Ian Levy, Technical Director of the National Cyber Security Centre, said: “We welcome this response to our request for thoughts on exceptional access to data – for example to stop terrorists. The hypothetical proposal was always intended as a starting point for discussion.
“It is pleasing to see support for the six principles and we welcome feedback on their practical application.
“We will continue to engage with interested parties and look forward to having an open discussion to reach the best solutions possible.”