The mobile-messaging application WhatsApp and the Facebook app are displayed along with other apps on an Apple iPhone.
Brent Lewin | Bloomberg | Getty Images
Tech giants, civil society groups and Ivy League security experts have condemned a proposal from Britain’s eavesdropping agency as a “serious threat” to digital security and fundamental human rights.
In an open letter to GCHQ (Government Communications Headquarters), 47 signatories including Apple, Google and WhatsApp have jointly urged the U.K. cybersecurity agency to abandon its plans for a so-called “ghost protocol.”
It comes after intelligence officials at GCHQ proposed a way in which they believed law enforcement could access end-to-end encrypted communications without undermining the privacy, security or confidence of other users.
Details of the initiative were first published in an essay by two of the U.K.’s highest cybersecurity officials in November 2018. Ian Levy, the technical director of Britain’s National Cyber Security Centre, and Crispin Robinson, GCHQ’s head of cryptanalysis (the technical term for codebreaking), put forward a process that would attempt to avoid breaking encryption.
The pair said it would be “relatively easy for a service provider to silently add a law enforcement participant to a group chat or call.”
In practice, the proposal suggests a technique which would require encrypted messaging services — such as WhatsApp — to direct a message to a third recipient, at the same time as sending it to its intended user.
Levy and Robinson argued the proposal would be “no more intrusive than the virtual crocodile clips” which are currently used in wiretaps of non-encrypted communications. This refers to the use of chat and call apps that can silently copy call data during digital exchanges.
Opposing this plan, signatories of the open letter argued that “to achieve this result, their proposal requires two changes to systems that would seriously undermine user security and trust.”
‘Completely undermines’ authentication process
“First, it would require service providers to surreptitiously inject a new public key into a conversation in response to a government demand. This would turn a two-way conversation into a group chat where the government is the additional participant, or add a secret government participant to an existing group chat,” signatories of the open letter, which was first sent to GCHQ on May 22, said Thursday.
“Second, in order to ensure the government is added to the conversation in secret, GCHQ’s proposal would require messaging apps, service providers, and operating systems to change their software so that it would 1) change the encryption schemes used, and/or 2) mislead users by suppressing the notifications that routinely appear when a new communicant joins a chat.”
Apple, one of the signatories of the open letter to GCHQ, previously took a stand over data privacy in a widely publicized standoff with the FBI in 2015 and 2016.
Apple publicly opposed the FBI when it asked for access to the iPhone of the San Bernardino shooter, Syed Farook. The technology giant refused to help the FBI, citing issues of data privacy. Eventually, the FBI backed down, finding another way into the device without Apple’s help.
“The overwhelming majority of users rely on their confidence in reputable providers to perform authentication functions and verify that the participants in a conversation are the people they think they are, and only those people,” the letter said.
“The GCHQ’s ghost proposal completely undermines this trust relationship and the authentication process.”
In response to the open letter, the National Cyber Security Centre’s Ian Levy said: “We welcome this response to our request for thoughts on exceptional access to data — for example to stop terrorists. The hypothetical proposal was always intended as a starting point for discussion.”
“We will continue to engage with interested parties and look forward to having an open discussion to reach the best solutions possible,” Levy said, in an emailed statement to CNBC on Thursday.