GCHQ urged to abandon plans to access encrypted chats

An international coalition of civil society organisations, security researchers and companies is urging GCHQ abandon its “ghost” proposal to access encrypted messages, which they said “poses serious threats to cyber security and fundamental human rights, including privacy and free expression”.

The coalition also urges the UK intelligence and security agency to avoid any alternate approaches that would similarly threaten digital security and human rights.

The call comes in an open letter to the Government Communications Headquarters in Cheltenham and Adrian Fulford, the UK’s investigatory powers commissioner.

The letter was signed by 23 civil society organisations, including Big Brother Watch, Human Rights Watch, Open Rights Group and Liberty, seven technology companies and trade associations, including Apple, Google, Microsoft and WhatsApp, and 17 security and policy experts.

The letter is in response to a proposal published by Ian Levy, technical director for GCHQ’s National Cyber Security Centre, and Crispin Robinson, head of cryptanalysis at GCHQ in Lawfare, on 29 November 2018, entitled Principles for a more informed exceptional access debate.

The paper is aimed at promoting “honest conversations between experts” to tackle the challenges that mass-scale, commodity, end-to-end encrypted services pose to “targeted lawful access to data” by finding ways to enable the majority of the necessary lawful access without undermining societal values.

In recent years, information and communications technology service providers have come under increasing pressure from governments and law enforcement agencies to voluntarily establish lawful access solutions to their products and services.

In the past, law enforcement agencies and counter-terror operatives have been able to gain lawful access to  conventional telecommunications channels, but as mainstream public communications have increasingly become digital and encrypted, this has posed new challenges to police and anti-terror investigations.

The paper sets out six principles that the authors believe will enable solutions that provide for responsible law enforcement access (encrypted messages) with service provider assistance without undermining user privacy or security:

• Privacy and security protections are critical to public confidence.
• Investigative tradecraft has to evolve with technology.
• Even when we have a legitimate need, we can’t expect 100% access 100% of the time.
• Targeted exceptional access capabilities should not give governments unfettered access to user data.
• Any exceptional access solution should not fundamentally change the trust relationship between a service provider and its users.
• Transparency is essential.

Based on the first principle, the Levy and Robinson document said: “We will only seek exceptional access to data where there is a legitimate need, that access is the least intrusive way of proceeding, and there is appropriate legal authorisation.”

While welcoming GCHQ’s invitation for an open discussion, and supporting the six principles outlined in the document as a “step in the right direction”, the letter expressed concern about the proposal for “silently adding a law enforcement participant to a group chat or call”.

This proposal to add a “ghost” user, the letter said, would violate important human rights principles and create digital security risks by undermining authentication systems, by introducing potential unintentional vulnerabilities and by creating new risks of abuse or misuse of systems.

“Importantly, it also would undermine the GCHQ principles on user trust and transparency set forth in the piece,” the letter said.

According to the letter, the “ghost key” proposal put forward by GCHQ would enable a third party to see the plain text of an encrypted conversation without notifying the participants.

“But to achieve this result, their proposal requires two changes to systems that would seriously undermine user security and trust,” the letter said.

“First, it would require service providers to surreptitiously inject a new public key into a conversation in response to a government demand. This would turn a two-way conversation into a group chat where the government is the additional participant, or add a secret government participant to an existing group chat.

“Second, in order to ensure the government is added to the conversation in secret, GCHQ’s proposal would require messaging apps, service providers and operating systems to change their software so that it would change the encryption schemes used, and/or mislead users by suppressing the notifications that routinely appear when a new communicant joins a chat.”

According to Levy and Robinson, the GCHQ proposal is “no more intrusive than the virtual crocodile clips that our democratically elected representatives and judiciary authorise today in traditional voice intercept solutions and certainly doesn’t give any government power they shouldn’t have”.

They also argue that they are not advocating weakening encryption or defeating the end-to-end nature of the service – but signatories of the letter believe the proposal could undermine trust in security.

“Currently, the overwhelming majority of users rely on their confidence in reputable providers to perform authentication functions and verify that the participants in a conversation are the people they think they are, and only those people,” the letter said.

“The GCHQ’s ghost proposal completely undermines this trust relationship and the authentication process.”

In response to the letter, Levy said in a statement: “We welcome this response to our request for thoughts on exceptional access to data – for example, to stop terrorists. The hypothetical proposal was always intended as a starting point for discussion.

“We will continue to engage with interested parties and look forward to having an open discussion to reach the best solutions possible,” he told The Guardian.

The letter expressing opposition to the GCHQ proposal concludes by saying: “We would welcome the opportunity for a continuing dialogue on these important issues.”