In an open letter signed by more than 50 companies, civil society organisations and security experts – including Apple, WhatsApp, Liberty and Privacy International – GCHQ was called on to abandon its so-called “ghost protocol”, and instead focus on “protecting privacy rights, cybersecurity, public confidence, and transparency”.
The proposal was first mooted by two senior intelligence officials, Ian Levy, the technical director of the UK’s national cyber security centre, and Crispin Robinson, head of cryptanalysis (the technical term for codebreaking) at GCHQ, in November 2018.
The pair put forward a technique that would avoid breaking encryption, instead requiring encrypted messaging services to – in effect – “cc” the encrypted message to a third recipient, at the same time as sending it directly. Levy and Robinson argued that the proposal was “no more intrusive than the virtual crocodile clips” which are used today in wiretaps of non-encrypted communications.
Opposing the plan, the letter argues that “to achieve this result, their proposal requires two changes to systems that would seriously undermine user security and trust.
“First, it would require service providers to surreptitiously inject a new public key into a conversation in response to a government demand. This would turn a two-way conversation into a group chat where the government is the additional participant, or add a secret government participant to an existing group chat.
“Second, in order to ensure the government is added to the conversation in secret, GCHQ’s proposal would require messaging apps, service providers, and operating systems to change their software so that it would 1) change the encryption schemes used, and/or 2) mislead users by suppressing the notifications that routinely appear when a new communicant joins a chat.”
While GCHQ’s proposal stops short of calling for “back doors” to encryption, which experts have argued inherently introduce security flaws that can be exploited by hackers, its opponents argue that it does almost as much damage by undermining trust in security altogether.
“The overwhelming majority of users rely on their confidence in reputable providers to perform authentication functions and verify that the participants in a conversation are the people they think they are, and only those people. The GCHQ’s ghost proposal completely undermines this trust relationship and the authentication process,” the letter argues.
Apple, one of the signatories to the letter, is no stranger to this argument. The company endured a widely publicised standoff with the FBI in 2015 and 2016 over the company’s refusal to breach a different sort of encryption, that which protects the contents of a locked iPhone. Eventually, the FBI backed down, finding another way into the device without Apple’s help.