Major Tech Companies Unite to Oppose UK Spyware Proposal ‘Ghost Protocol’
“The ‘ghost’ proposal would pose serious threats to cybersecurity and thereby also threaten fundamental human rights, including privacy and free expression” – Open Letter to GCHQ
In an open letter to the U.K.’s Government Communications Headquarters, 47 signatories including Google, WhatsApp, Apple, the ACLU and more raised concern that a new British government proposal posed “serious threats to cybersecurity and fundamental human rights including privacy and free expression.”
The program nicknamed “Ghost Protocol” by CNBC would give the U.K. government the ability to eavesdrop on encrypted messages.
Some messaging apps like WhatsApp, iMessage and Signal feature “end-to-end” encryption, meaning only the sender and recipient can read the message and nobody in between has access, not even WhatsApp itself. While end-to-end encryption is an attractive feature for users, it’s a frustration for governments.
Two of the U.K.’s highest cybersecurity officials, Ian Levy, the technical director of Britain’s National Cyber Security Centre, and Crispin Robinson, GCHQ’s head of cryptanalysis outlined a proposal on Lawfareblog.com that would give the British government access to encrypted messages in an essay last November.
Levy and Robinson called for adding a “ghost user” to encrypted messaging apps or “silently adding a law enforcement participant to a group chat or call.” They argued such an approach would preserve privacy and the security of users.
In response to Levy and Robinson’s proposal, Lawfareblog.com published the Open Letter to GCHQ raising concern that the program would create numerous privacy and human rights violations.
The letter argued:
“The ‘ghost key’ proposal put forward by GCHQ would enable a third party to see the plain text of an encrypted conversation without notifying the participants. But to achieve this result, their proposal requires two changes to systems that would seriously undermine user security and trust. First, it would require service providers to surreptitiously inject a new public key into a conversation in response to a government demand. This would turn a two-way conversation into a group chat where the government is the additional participant, or add a secret government participant to an existing group chat. Second, in order to ensure the government is added to the conversation in secret, GCHQ’s proposal would require messaging apps, service providers, and operating systems to change their software so that it would 1) change the encryption schemes used, and/or 2) mislead users by suppressing the notifications that routinely appear when a new communicant joins a chat.”
While Levy and Robinson think they have proposed a workaround that still preserves data privacy and users’ trust, signatories to the open letter disagreed, writing:
“These cybersecurity risks mean that users cannot trust that their communications are secure, as users would no longer be able to trust that they know who is on the other end of their communications, thereby posing threats to fundamental human rights, including privacy and free expression.
In response to the open letter, the National Cyber Security Centre’s Ian Levy told CNBC: “We welcome this response to our request for thoughts on exceptional access to data — for example to stop terrorists. The hypothetical proposal was always intended as a starting point for discussion.”
“We will continue to engage with interested parties and look forward to having an open discussion to reach the best solutions possible,” Levy said, in an emailed statement to CNBC on Thursday.