Several technology firms have written an open letter to the GCHQ (Government Communications Headquarters), a UK intelligence and security organization, in response to the agency's proposed eavesdropping measure. If implemented, law enforcement would be able to spy on encrypted messages, such as those that are sent with WhatsApp, a secure instant messaging platform.
WhatsApp is one of nearly four dozen signatories to the open letter. Others include Apple, Google, and Microsoft. At issue is a "ghost" protocol that would effectively allow law enforcement or some other entity to silently observe encrypted chats in plain text, both without the knowledge of the parties participating in the chat, and without otherwise affecting the encryption scheme.
In the letter, the companies explain that the principles laid out by the GCHQ "are an important step in the right direction," but contend that a ghost protocol would "violate important human rights principles," as well as others outlined by the organization.
"Although the GCHQ officials claim that 'you don't even have to touch the encryption' to implement their plan, the 'ghost' proposal would pose serious threats to cybersecurity and thereby also threaten fundamental human rights, including privacy and free expression," the letter states.
The letter also points out that the ghost proposal would undermine authentication systems, which in turn would create digital security risks and potentially introduce unintentional vulnerabilities.
"Importantly, it would also undermine the GCHQ principles on user trust and transparency set forth in the piece," the letter states.
The GCHQ envisions this ghost protocol being implemented into end-to-end encryption schemes, whereby state agencies could then bypass the security mechanisms. As such, the platform provider—say, WhatsApp—would add the agency as an eavesdropper. In theory, the encryption would not be otherwise compromised.
"It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call. The service provider usually controls the identity system and so really decides who’s who and which devices are involved—they’re usually involved in introducing the parties to a chat or call," National Cyber Security Center's (NCSC) Ian Levy said. "You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication."
Big tech firms have taken public stands against this sort of thing. Apple, for example, took on the FBI when the agency wanted help in cracking an iPhone model that belonged to one of the San Bernardino shooters. Apple eventually won that standoff.
Now Apple and others are at odds over encryption once again, this time in the UK. The letter concludes by urging the GCHQ to abandon the ghost proposal, and "avoid any alternate approaches that would similarly threaten digital security and human rights."