Last November, the United Kingdom’s Government Communications Headquarters (GCHQ) publicly floated a plan that would require messaging services to silently carbon copy encrypted communications to law enforcement personnel — a “ghost protocol” that would reduce the need for device-specific hacking. Now 47 signatories, including Apple, Google, Microsoft, and WhatsApp, have published an open letter (via CNBC) urging the GCHQ to kill the plan, describing it as a violation of both human rights and privacy principles, with the potential to create unintended new threats.
The key argument behind the GCHQ plan was that law enforcement agencies need a way to surveil end-to-end encrypted communications, much as they currently monitor unencrypted ones by listening in on calls or viewing SMS text messages, typically pursuant to active investigations. While tech companies would still be able to encrypt communications between two parties on both their ends, preventing intrusion from non-governmental actors, the service provider would “silently add a law enforcement participant to a group chat or call,” letting agencies monitor the messages with a key and removing any need to manually break the encryption.
Unsurprisingly, privacy-conscious companies such as Apple and Facebook-owned WhatsApp said the proposal would mislead users by denying them the ability to see all participants in a discussion and would undermine encryption efforts by adding a public key that could unlock conversations. Any mistake in issuing or sharing that public key “could be exploited by malicious third parties,” the signatories noted and would invite currently impossible surveillance abuses — including situations in which law enforcement personnel eavesdrop on people they know or are personally abusing.
Tech companies aren’t the only ones opposing the ghost protocol. Experts from the ACLU, Columbia Law School, and Stanford signed the letter, along with a large collection of civil society organizations, including the EFF, Human Rights Watch, and Reporters Without Borders.
The GCHQ’s data surveillance efforts have previously been called into question, notably including a 2015 court ruling that found the agency had unlawfully obtained information from its U.S. counterpart, the NSA, in violation of European human rights laws. Even so, the agency has been involved in vetting potential outside threats, including risks created by Huawei telecommunications hardware.
One of the ghost protocol’s original proponents, Ian Levy, responded to the letter by noting that the plan was “hypothetical” and “a starting point for discussion,” which he hoped would “reach the best solutions possible.” For their part, the 47 signatories called on the GCHQ to avoid not only the specific ghost protocol plan but also “any alternate approaches that would similarly threaten digital security and human rights.”