Companies and Experts Call on GCHQ to Abandon "Ghost User" Proposal
Technology companies, trade associations, civil society organizations and 17 individual experts in digital security and policy have signed an open letter to the UK's Government Communications Headquarters (GCHQ), outlining concerns regarding a proposal by the intelligence center on allowing access to encrypted devices. The letter was shared with GCHQ on May 22, 2019, and made public on May 29, 2019.
GCHQ set forth its proposal for “silently adding a law enforcement participant to a group chat or call” in an Lawfare article in November 2018. This would "add a ghost user into encrypted chats" that would "require providers to suppress normal notifications to users." According to the letter, this would make users "unaware that a law enforcement participant had been added and could see the plain text of the encrypted conversation."
Written by Sharon Bradford Franklin and Andi Wilson Thompson, the letter to GCHQ explains how the ghost proposal would work, the ways in which technology companies would need to change their systems and the dangers that it would present. Specifically, the consortium outlined that if implemented, such access would “undermine the authentication process that enables users to verify that they are communicating with the right people, introduce potential unintentional vulnerabilities, and increase risks that communications systems could be abused or misused.”
Jake Moore, security specialist at ESET, told Infosecurity that the proposal by GCHQ "makes a mockery of the fundamental basics of encryption."
"Not only is it going against what privacy is all about, but if you create a back door for the good guys, the bad guys won’t be far behind. Encryption is there for multiple reasons and shouldn’t be messed with. GCHQ has always had an issue with breaking serious encryption but to now demand access to private chats has far-reaching implications.
"Cyber-criminals are not just using WhatsApp and, if a law one day passes to read this application, it will just push them to use another app – if they aren’t already. There are many apps which already promise ultimate privacy and are heavily used and relied upon.”
The open letter from the group asks GCHQ "to abandon the ghost proposal and any other approach that would pose similar risks to digital security and human rights." They also request an open dialogue with the intelligence organizations to address law enforcement access to encrypted chats and messages.
This news comes after Germany proposed giving access to security authorities to apps such as WhatsApp and Telegram.
Source: Information Security Magazine