Tech companies, civil rights groups, and security experts have released an open letter condemning a proposal by the U.K. security agency GCHQ (Government Communications Headquarters) to circumvent encryption on private messages.
The proposal was raised last year, and is known as the “ghost protocol.” It suggested encrypted messages should be copied and sent to law enforcement agencies, which would act as “ghost users.” They would then be able to read the encrypted messages. This was suggested as an alternative to weakening encryption to allow law enforcement to crack it.
The proposal was almost universally unpopular, with opposition swiftly mounted by privacy groups, tech companies, and lawyers. One main concern was that even if the ghost protocols were only used in extreme circumstances, they would both violate trust in the privacy of messages, and introduce a fatal security hole in vital encryption technology.
The open letter, which is downloadable in PDF form, was published this week alongside an explanation in the Lawfare blog. The letter was signed by a total of 47 organizations and individuals, including 23 civil liberties organizations, seven tech companies, and 17 experts in digital security. The tech companies that signed included Microsoft, Apple, Google, and WhatsApp.
“Currently the overwhelming majority of users rely on their confidence in reputable providers to perform authentication functions and verify that the participants in a conversation are the people they think they are, and only those people,” the letter read. “The GCHQ’s ghost proposal completely undermines this trust relationship and the authentication process.”
In addition to the concerns over privacy and trust in encryption, the letter also made mention of the potential security threats of the proposal. “The ghost proposal would introduce a security threat to all users of a targeted encrypted messaging application since the proposed changes could not be exposed only to a single target,” it read.
“In order for providers to be able to suppress notifications when a ghost user is added, messaging applications would need to rewrite the software that every user relies on. This means that any mistake made in the development of this new function could create an unintentional vulnerability that affects every single user of that application.”
The technical director of the U.K. National Cyber Security Center, Ian Levy, who originally proposed the legislation, responded that the idea was only “hypothetical” and intended as a “starting point for discussion,” according to the BBC.