47 signatories, including Apple, Google, Microsoft and WhatsApp say no to UK’s proposed eavesdropping ‘Ghost Protocol’

A group of 47 signatories, headed by Open Technology Institute and including Apple, Google, Microsoft and WhatsApp, penned a letter to UK’s Government Communications Headquarters (GCHQ) expressing their concerns about the latter’s proposal, made last autumn, to implement the so-called ‘ghost protocol’ in private, encrypted communication. This would have allowed government agents to be added as a participant in private chats/calls without the knowledge of users. The letter was sent to GCHQ on 22 May 2019, and made public by the signatories on Lawfare on May 30, 2019.

What was the contested proposal?

On November 29, 2018, Lawfare published an article by Ian Levy and Crispin Robinson that proposed that a service provider could ‘silently add a law enforcement participant to a group chat or call’. They argued that everything would still be end-to-end encrypted, but there would be an ‘extra’ end to this particular communication. They compared this kind of eavesdropping by the state to analogue modes of intercepting communications using crocodile clips that are routinely authorised by courts and governments alike.

Levy and Robinson argued that this would only involve ‘suppressing a notification on a target’s device’, and possibly on the devices of the users the target communicated with, so the users wouldn’t know that their ‘secure’ and ‘encrypted’ communication channel had an uninvited guest. Encryption, according to them, remains intact.

Why did they propose this?

The premise of Levy and Robinson’s solution is that ‘mass-scale, commodity, end-to-end encrypted services’ are one of the biggest challenges for ‘targeted lawful access to data’ that’s meant to preserve security.

Their proposal is governed by the idea of ‘exceptional access’, that is, it would be ‘a targeted government authorisation to access, with the assistance of the service provider’ in a criminal or anti-terror prevention or investigation. This would be akin to getting a warrant to set up surveillance on an individual, but in this case, the service provider would have to give access. The authors were quick to reassure readers that not all users would be affected by it and that such access wouldn’t be very common.

Who will decide what’s an accepted ‘exception’?

Levy and Robinson argue against the status quo where service providers, single-handedly, decide on whether or not they would provide access to different world governments depending upon the ‘goodness’ of their regime. To that end, Levy and Robinson proposed defining a minimum standard that takes into account issues such as privacy protection and oversight that governments must meet to have their requests accepted by the companies.

But the principles they mentioned in their article made sense …

Yes, they actually did. They gave 6 principles to inform the debate around exceptional access, paraphrased here:

  1. Exceptional access only in times of legitimate need, in the least intrusive way, and under proper legal authorisation
  2. Service providers should help investigative agencies keep current with the evolution of their technologies
  3. Despite legitimate need, 100% access, 100% of the time is impossible
  4. Under no circumstances should governments have unfettered access to user data
  5. Trust relationship between a service provider and its users should remain fundamentally unaffected by exceptional access solution
  6. Transparency is essential

On paper, they are good and honest principles to adhere to as they emphasise the importance of law, private citizens’ privacy, and transparency. But their proposal undermines these principles.

Who are the authors?

Ian Levy is the Technical Director at UK’s National Cyber Security Centre, a part of GCHQ. Crispin Robinson is the technical director for cryptanalysis at GCHQ. GCHQ is an intelligence and security organisation that provides intelligence and information to the British government and armed forces, that is, it is the British eavesdropping agency, or the British NSA. Their proposal to eavesdrop must be treated with extreme caution.

Their proposal was made in August 2018 at an international academic conference on cryptography, Workshop on Encryption and Surveillance. The article was published as part of an essay series by Lawfare three months later.

What did the international coalition’s response say?

The coalition’s letter called on GCHQ ‘to abandon its dangerous “ghost” proposal that threatens encryption & poses serious threats to cybersecurity & fundamental rights’. The coalition supported and appreciated the 6 principles but argued that the ‘ghost protocol’s’ implementation would ‘undermine the authentication process that enables users to verify that they are communicating with the right people, introduce potential unintended vulnerabilities, and increase risks that communications systems could be abused or misused’.

Who are the signatories of this letter?

There are 47 signatories to this letter. Headed by Open Technology Institute, they include 23 civil society organisations, 7 technology companies and trade associations, and 17 individual digital security and policy experts. Apple, Google, Microsoft, and WhatsApp are co-signatories. Twitter is the notable Big Tech absentee. MediaNama has reached out to OTI and Twitter for comment.

What would implementing ‘ghost protocol’ mean?

  1. The service providers would need to change their encryption systems and mislead users by suppressing the notifications that appear when a new communicant joins a chat.
  2. Users won’t know whom they are talking to. End-to-end encryption amounts to nothing if the identity of the communicant cannot be authenticated.
  3. As the encrypted messaging software and encryption keys will have to be overhauled, new vulnerabilities may be inadvertently introduced.
  4. As of now, end-to-end encrypted messaging service providers cannot see users’ chats. However, an exceptional access mechanism such as ‘ghost protocol’ would require these platforms to open the door to surveillance abuses.
  5. Trust between users and service providers will be compromised. (see here for how Guardian’s flawed report on WhatsApp’s non-existent backdoor led to alarm amongst users)
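
Points 1 and 2 both turn on one client-side check: comparing the keys the server hands out for a conversation against the keys the user has already verified. The sketch below is an added illustration, not code from any messaging app or from the letter; the roster layout, member names and key bytes are constructed placeholders. It shows the check that produces the "new participant" notification the proposal would have to suppress.

```python
from __future__ import annotations
import hashlib

def fingerprint(identity_key: bytes) -> str:
    """Short digest of a public identity key that two users can read out and compare."""
    digest = hashlib.sha256(identity_key).hexdigest()
    return " ".join(digest[i:i + 4] for i in range(0, 16, 4))

def roster_fingerprint(roster: dict[str, bytes]) -> str:
    """One order-independent digest over every (member, key) pair in a conversation."""
    h = hashlib.sha256()
    for member in sorted(roster):
        name, key = member.encode(), roster[member]
        # Length prefixes keep ("ab", "c") and ("a", "bc") from hashing alike.
        h.update(len(name).to_bytes(2, "big") + name)
        h.update(len(key).to_bytes(2, "big") + key)
    return h.hexdigest()

def unexpected_recipients(pinned: dict[str, bytes],
                          served: dict[str, bytes]) -> list[tuple[str, str, str]]:
    """Entries in the server-supplied roster that the user never verified.

    pinned: keys the user confirmed out of band (hypothetical local store).
    served: keys the server says messages must be encrypted to.
    """
    alerts = []
    for member, key in sorted(served.items()):
        if member not in pinned:
            alerts.append((member, "new participant", fingerprint(key)))
        elif pinned[member] != key:
            alerts.append((member, "key changed", fingerprint(key)))
    return alerts

# Constructed sample data: 32-byte placeholders stand in for real public keys.
PINNED = {"alice": b"A" * 32, "bob": b"B" * 32}
SERVED = {**PINNED, "unlisted-endpoint": b"X" * 32}

if __name__ == "__main__":
    for member, reason, fp in unexpected_recipients(PINNED, SERVED):
        print(f"ALERT: {member}: {reason} (fingerprint {fp})")
    print("roster matches pinned set:",
          roster_fingerprint(SERVED) == roster_fingerprint(PINNED))
```

A client that runs this comparison and always surfaces the result cannot be given an extra recipient without the user seeing it, which is why the coalition describes the proposal as undermining authentication rather than encryption itself.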

Why should India care?

In case this ‘ghost protocol’ is implemented, even if it is only in the UK, it will set a dangerous global precedent. The Indian government has asked WhatsApp to introduce traceability to ascertain the original sender of a message. WhatsApp has so far resisted that compromise as that would break its end-to-end encryption. ‘Ghost protocol’ would provide the Indian government with a precedent. Exceptional access, much like the state of exception, would then become the norm.

Levy and Robinson’s point about an international organisation deciding which request befits an exceptional access solution would come into the picture here. That would potentially be better than either individual countries, or the companies themselves making a call.

Written By

Send me tips at aditi@medianama.com. Email for Signal/WhatsApp.

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ