“Not only is it going against what privacy is all about: if you create a backdoor for the good guys, the bad guys won’t be far behind,” says Jake Moore, Security Specialist at ESET. He was referring to a proposal from GCHQ to effectively bypass encryption by CCing messages on chat services to a third party.
Moore said: “Encryption is there for multiple reasons and shouldn’t be messed with. GCHQ has always had an issue with breaking serious encryption but to now demand access to private chats has far-reaching implications. Cybercriminals are not just using WhatsApp and, if a law one day passes to read this application, it will just push them to use another app – if they aren’t already.
“There are many apps which already promise ultimate privacy and are heavily used and relied upon.”
GCHQ Director, Jeremy Fleming’s, speech on cyber security — a detailed analysis
In fairness to GCHQ, its proposal was precisely that, a proposal. The idea was first mooted back in November 2018, when it was put forward by Ian Levy, the technical director of the UK’s national cyber security centre, and Crispin Robinson, head of cryptanalysis at GCHQ, the department that carries out the activity GCHQ is most famous for, namely code breaking.
In their proposal they stated: “In a world of encrypted services, a potential solution could be to go back a few decades. It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call.” They argued that “this sort of solution seems to be no more intrusive than the virtual crocodile clips that our democratically elected representatives and judiciary authorise today in traditional voice intercept solutions and certainly doesn’t give any government power they shouldn’t have.”
UK smart meters could be vulnerable to cyber attacks – GCHQ warns
They said: “We’re not talking about weakening encryption or defeating the end-to-end nature of the service. In a solution like this, we’re normally talking about suppressing a notification on a target’s device, and only on the device of the target and possibly those they communicate with. That’s a very different proposition to discuss and you don’t even have to touch the encryption.”
In response, a group of tech companies including Apple, Facebook, Microsoft and Google along with civil society organisations such as Big Brother Watch and Freedom of the Press Foundation sent an open letter slamming the proposal.
“Even where procedures exist for access to data that is collected under current surveillance authorities, government agencies have not been immune to surveillance abuses and misuses despite the safeguards that may have been in place,” stated the letter.
They gave an example: “A former police officer in the U.S. discovered that ‘104 officers in 18 different agencies across the state had accessed her driver’s license record 425 times, using the state database as their personal Facebook service.‘ Thus, once new vulnerabilities like the ghost protocol are created, new opportunities for abuse and misuse are created as well.”
They also said: “If UK officials were to demand that providers rewrite their software to permit the addition of a ghost UK law enforcement participant in encrypted chats, there is no way to prevent other governments from relying on this newly built system. This is of particular concern with regard to repressive regimes and any country with a poor record on protecting human rights.”
Ian Levy responded, saying: “We welcome this response to our request for thoughts on exceptional access to data – for example to stop terrorists. The hypothetical proposal was always intended as a starting point for discussion.
“We will continue to engage with interested parties and look forward to having an open discussion to reach the best solutions possible.”