Tech Firms Oppose GCHQ ‘Ghost’ Encryption Proposal


Apple, Google, Microsoft signal opposition to GCHQ proposal to eavesdrop on encrypted messages

Big name tech firms have signalled their deep opposition to a proposal from the UK’s top secret listening agency, GCHQ.

GCHQ had proposed a solution to the thorny issue of encryption. Essentially, it wants to be added as an anonymous third party to encrypted messages, so that the intelligence service can obtain a plaintext copy of every encrypted message.

But the proposal has outraged privacy advocates and tech firms alike, and they have signed an open letter to GCHQ signalling their deep opposition.

data encryption

Ghost protocol

GCHQ proposal, known as the “Ghost protocol” was first proposed by GCHQ technical director Ian Levy and chief codebreaker Crispin Robinson in Lawfare last November.

The title of their proposal was “Principles for a More Informed Exceptional Access Debate.”

In it, GCHQ outlined a proposal for “silently adding a law enforcement participant to a group chat or call.”

This proposal to add a “ghost” user means that GCHQ doesn’t have to touch (i.e. break) encryption.

At the moment, each device messaging encrypted conversations works by generating so called encryption keys. One of those keys – the public key – can be distributed to anyone. The corresponding private key must be kept secure, and not shared with anyone.

A person’s public key can be used by anyone to send an encrypted message that only the recipient’s matching private key can unscramble.

But the GCHQ proposal could undermine all that, tech firms and privacy groups have stated in their open letter.

“The ‘ghost key’ proposal put forward by GCHQ would enable a third party to see the plain text of an encrypted conversation without notifying the participants,” says the letter. “But to achieve this result, their proposal requires two changes to systems that would seriously undermine user security and trust. First, it would require service providers to surreptitiously inject a new public key into a conversation in response to a government demand. This would turn a two-way conversation into a group chat where the government is the additional participant, or add a secret government participant to an existing group chat.”

“Second, in order to ensure the government is added to the conversation in secret, GCHQ’s proposal would require messaging apps, service providers, and operating systems to change their software so that it would change the encryption schemes used, and/or mislead users by suppressing the notifications that routinely appear when a new communicant joins a chat,” the letter warned.

The letter has been backed by a group of 47 organisations, including privacy groups such as Liberty, Open Rights Group, and Privacy International.

Tech firms such as WhatsApp, Apple, Google, and Microsoft has also added their backing to the letter, saying the Ghost Protocol is a “serious threat” to trust and security.

The GCHQ idea is an alternative to not asking tech firms to weaken encryption systems.

Encryption debate

The debate about national security and encryption has been raging for some time now, with former Prime Minister calling for British intelligence agencies to be able to monitor the encrypted communications of terror suspects.

Last December Australia made a significant change to online privacy after it passed a law that required technology giants to give police access to encrypted data, in cases where it could be linked to criminal or militant activity.

That made Australia the first Western nation to breach the last bastion of online privacy, namely encryption.

Yet governments and law enforcement agencies around the world have long called for measures that would enable them to decode encrypted communications when needed.

That said, it is thought the NSA and GCHQ already have the supercomputing power to crack 512-bit encryption in just a few minutes. And the NSA is widely believed to be capable of breaking 1024-bit encryption as well.

Do you know all about security? Try our quiz!