A proposal from a British spy agency to allow law enforcement access to encrypted communications in certain cases “poses serious threats to cybersecurity and fundamental human rights including privacy and free expression,” a group of security researchers, civil liberties groups, and tech giants like Apple, Google, and Microsoft have warned.
In an open letter to GCHQ, the United Kingdom’s signals intelligence agency, the coalition of tech organizations rejected the agency’s suggestion that adding a law enforcement official to a group chat or call would not threaten civil liberties or the security of encrypted messaging services.
If implemented, the GCHQ proposal would “undermine the authentication process that enables users to verify that they are communicating with the right people, introduce potential unintentional vulnerabilities, and increase risks that communications systems could be abused or misused,” states the letter, which was made public this week. Other signatories include Human Rights Watch, Reporters Without Borders, the Tor Project, and WhatsApp.
The tech coalition was reacting to a November editorial in Lawfare, a national security blog, from two senior GCHQ officials, which raised longstanding grievances from security and law enforcement officials around the world that end-to-end encryption makes it harder to catch criminals.
“It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call,” wrote Crispin Robinson, GCHQ’s technical director for cryptanalysis, and Ian Levy, technical director of GCHQ’s National Cyber Security Centre. “You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication.”
“We’re not talking about weakening encryption or defeating the end-to-end nature of the service,” Robinson and Levy wrote. “In a solution like this, we’re normally talking about suppressing a notification on a target’s device, and only on the device of the target and possibly those they communicate with.”
But carrying out GCHQ’s “ghost proposal,” so called for the stealthy eavesdropper added to communications, would be a dangerous abuse of the trust placed in encrypted messaging services, the tech organizations said. Well over a billion people use applications like iMessage, Signal, and WhatsApp, the coalition pointed out, and most users rely on the tech companies providing those services to authenticate and verify who is on the other end of the call or chat.
Robinson and Levy’s proposal is another salvo in the so-called “going dark” debate, made famous in a 2014 speech by then-FBI Director James Comey, between law enforcement officials and the private cybersecurity community. Cops and spies insist there must be some way to allow limited access to encrypted communications that does not weaken security for law-abiding citizens, while many security experts say there is not.
The tech coalition urged GCHQ to refrain from developing other approaches to the “going dark” challenge that would threaten human rights and digital security.
But the issue isn’t going away. While stating support for encryption and privacy, the “Five Eyes” intelligence alliance – Australia, Canada, New Zealand, the UK, and the United States – issued a statement last September that rued an “increasing gap between the ability of law enforcement to lawfully access data and their ability to acquire and use the content of that data.”
That issue, the statement continued, “is a pressing international concern that requires urgent, sustained attention and informed discussion on the complexity of the issues and interests at stake.”
A report prepared for the UN Human Rights Council last year found that, since 2015, several countries, including China, Iran, and Russia, “have intensified their efforts to weaken encryption used in widely available communications products and services.”