Ghost protocol: Tech firms beg GCHQ not to eavesdrop on encrypted messages

31 May 2019

Haunted laptop. Image: Gudella/Depositphotos

New proposal requires sending encrypted messages to a third party simultaneously.

47 signatories, including Apple, Google, WhatsApp and civil society groups, have urged UK intelligence agency GCHQ not to implement a “ghost protocol” for eavesdropping on private, encrypted messages.

The proposed protocol involves a technique that would require encrypted messaging services such as Facebook’s WhatsApp or Apple’s iMessage to direct a message to a third party at exactly the same time as it is sent to its intended reader.

The proposal was outlined in a paper published by two of GCHQ’s top cybersecurity sleuths, Ian Levy and Crispin Robinson, entitled Principles for a More Informed Exceptional Access Debate.

In an open letter signed by the tech giants, civil society organisations, and individual experts in digital security and policy, GCHQ has been called on not to implement Levy and Robinson’s proposal.

Ghost in the machine

Their proposal calls for “silently adding a law enforcement participant” or “ghost” to a group chat or call rather than actually cracking the encryption system.

“This proposal to add a ‘ghost’ user into encrypted chats would require providers to suppress normal notifications to users, so that they would be unaware that a law enforcement participant had been added and could see the plaintext of the encrypted conversation. Levy and Robinson state that they offer their proposal in an effort to have an ‘open and honest conversation’ about how law enforcement can gain access to encrypted communications. We appreciate this call for a discussion and have organised our coalition in response,” the signatories said.

They warn that for the proposal to work in practice, tech companies would need to change their systems and open users up to all kinds of dangers and vulnerabilities.

“Although the GCHQ officials claim that ‘you don’t even have to touch the encryption’ to implement their plan, the ‘ghost’ proposal would pose serious threats to cybersecurity and thereby also threaten fundamental human rights, including privacy and free expression.

“In particular, the ghost proposal would create digital security risks by undermining authentication systems, by introducing potential unintentional vulnerabilities and by creating new risks of abuse or misuse of systems. Importantly, it also would undermine the GCHQ principles on user trust and transparency set forth in the piece.”

In response, Levy has said that the idea is at this point “hypothetical” and was intended as a starting point for discussion.

“We will continue to engage with interested parties and look forward to having an open discussion to reach the best solutions possible,” he said.


John Kennedy is a journalist who served as editor of Silicon Republic for 17 years.
