BREAKING GCHQ’s ‘Ghost User’ Designed to Spy on Encrypted Communications
Tech companies and civil liberties groups condemn British spy agency’s proposal to get around encryption using a hidden group chat facility.
Imagine if every private message, picture or recording you sent to a friend, a loved one or even an enemy was being read and examined by another person.
You would never know that the person was part of the conversation but they would be assessing every word and using it to profile you – every one-to-one exchange would be turned into a group chat that you never agreed to.
As much as this ‘ghost proposal’ sounds like something you would find operating under an authoritarian regime, it is in fact an idea that has been floated by the UK’s spy agency Government Communications Headquarters (GCHQ).
It was revealed in November last year by the agency’s technical director, Ian Levy and chief codebreaker, Crispin Robinson.
“You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication.”
The pair proposed allowing a law enforcement official as a third party to every communication as a way to circumvent the growing trend of tech companies using encryption to keep messages private.
Explaining their idea, they wrote in the Lawfare Blog:
“In a world of encrypted services, a potential solution could be to go back a few decades. It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call.
“The service provider usually controls the identity system and so really decides who’s who and which devices are involved – they’re usually involved in introducing the parties to a chat or call.
“You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication. This sort of solution seems to be no more intrusive than the virtual crocodile clips that our democratically elected representatives and judiciary authorise today in traditional voice intercept solutions and certainly doesn’t give any government power they shouldn’t have.”
They add that it is not about “weakening encryption or defeating the end-to-end nature of the service”.
This is the latest attempt by the Government to gain access to encrypted communications, which they say can keep people safe from things such as terror attacks and help track paedophile rings. The debate became a major issue in the UK during the height of the ISIS terror attacks, when it was claimed that the long wolf terrorist Khalid Masood sent messages over WhatsApp two minutes before driving his car into a crowd on Westminster bridge.
But a letter sent to GCHQ on May 22 by no fewer than 47 tech companies, campaigners and experts, warns it “poses serious threats to cybersecurity and fundamental human rights including privacy and free expression”.
It was signed by the likes of Apple, Google, and Microsoft as well as a range of civil liberties groups such as Big Brother Watch, Liberty and Privacy International.
Once the UK actually Brexits, presumably the authorities would have more leeway to institute their own regulations and will not have to worry about things like European or global standards when it comes to regulation and surveillance.Charlie Smith, Great Fire
The letter goes on to say: “Currently, the providers of end-to-end encrypted messaging applications like WhatsApp and Signal cannot see into their users’ chats.
“By requiring an exceptional access mechanism like the ghost proposal, GCHQ and UK law enforcement officials would require messaging platforms to open the door to surveillance abuses that are not possible today.”
They explain the system would require tech companies to change key aspects of how encrypted applications work in order to mislead users and allow a third party to join a conversation at the request of the government.
“It won’t matter that the messages are encrypted in the first place because the contents of those encrypted communications will be accessible to the malicious third party,” they add.
Silkie Carlo, director of Big Brother Watch, told Byline Times the plans seem to be more about removing people’s right to privacy rather than about keeping them safe.
“The security and intelligence agencies already have a range of powers they can use to access even encrypted communications of targets, including covert hacking of devices,” she said.
“Government plans to secretly sabotage encrypted communications platforms reflect their desire to narrow the spaces we have left to enjoy private conversations.
“This move would pose a serious risk to whistle-blowers, journalists and human rights campaigners in particular. But everyone has something to worry about when their Government starts drawing up plans to silently slide into private conversations.
“This approach requires the state to issue a notice to companies, such as WhatsApp, and force them to break their own security features whilst gagged into silence. Ordinary people increasingly have no way of knowing what companies they can trust, where their information is going and what security risks they’re being exposed to.”
The new power would be another in a series of severely intrusive mass surveillance programmes that are already keeping tabs on the UK’s population. This includes many that were revealed by NSA whistle-blower Edward Snowden such as Tempora, which intercepts almost all internet traffic, and Karma Police, which creates a web browsing profile for every visible user on the internet.
Both of these programmes have been found to be unlawful by the European Court of Human Rights, which said they had the potential to “undermine or even destroy democracy under the cloak of defending it” – but they are still in use.
Charlie Smith, who runs Great Fire, an organisation which centres on breaking the restrictions on China’s internet and helping provide its citizens access to sites such as Google and The New York Times, said allowing governments to break encryption sets a dangerous precedent.
“Demanding that back doors be in put in place for the UK authorities weakens encryption for everybody. If a company like Facebook, for example, allows this to happen, then their users will simply move to other applications. If those applications refuse to comply with government orders, then the authorities likely will attempt to block those applications in the UK.
“It is then that you start down the slippery slope of a China-like system of censorship and surveillance, except probably at a much more efficient scale because the UK has a relatively small population, mainly all living on an island so it is much more controllable.
“Once the UK actually Brexits, presumably the authorities would have more leeway to institute their own regulations and will not have to worry about things like European or global standards when it comes to regulation and surveillance.”