Apple, Google, Microsoft and WhatsApp, along with dozens of other companies and civil liberties groups, have joined forces to condemn UK spy agency GCHQ for plans to eavesdrop on encrypted messages.
Late last year, Ian Levy, the technical director of Britain’s National Cyber Security Centre, and Crispin Robinson, GCHQ’s head of cryptanalysis, suggested the introduction of a 'ghost protocol' that would essentially see GCHQ cc'd into all messages.
"You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication," they wrote.
"This sort of solution seems to be no more intrusive than the virtual crocodile clips that our democratically elected representatives and judiciary authorise today in traditional voice intercept solutions and certainly doesn’t give any government power they shouldn’t have."
However, the signatories to the letter, which include many civil rights organizations and security experts, beg to differ. First, they say, it's fundamentally wrong to add a secret government participant to an existing group chat.
"Second, in order to ensure the government is added to the conversation in secret, GCHQ’s proposal would require messaging apps, service providers, and operating systems to change their software so that it would 1) change the encryption schemes used, and/or 2) mislead users by suppressing the notifications that routinely appear when a new communicant joins a chat," they write.
Online surveillance has been a grumbling issue in the UK for years, particularly since the introduction of the Investigatory Powers Act in 2016. Widely known as the Snoopers' Charter, it greatly increased the goverment's surveillance and hacking powers.
And, the signatories to the letter point out, under the Act, any new capabilities such as those proposed by GCHQ could effectively be kept secret from users.
"Although it is unclear which precise legal authorities GCHQ and UK law enforcement would rely upon, the Investigatory Powers Act grants UK officials the power to impose broad non-disclosure agreements that would prevent service providers from even acknowledging they had received a demand to change thewir systems, let alone the extent to which they complied," the letter reads.
"The secrecy that would surround implementation of the ghost proposal would exacerbate the damage to to authentication systems and user trust."
GCHQ is at pains to emphasise that the proposals are just that - only proposals. But they do show an enthusiasm for increased surveillance that appears to be based on a misunderstanding of user concerns.
"We’re not talking about weakening encryption or defeating the end-to-end nature of the service," Levy and Robinson wrote. But is that really what users care about most? Or do they just not want to be snooped on at all?
