Google, Apple, WhatsApp and Microsoft have signed an open letter with 43 other signatories opposing GCHQ's plans to embed itself in every encrypted messaging service in the UK.
The proposal put forth by the British cyber security agency would entail adding a "ghost" user to an end-to-end encrypted messaging service to oversee the content of messages, much like how a group chat would work within the service.
The 47 signatories which include privacy advocate groups, tech giants and Ivy League academics all say that while the principles outlined by GCHQ in November 2018 regarding the need to protect privacy and security are "a step in the right direction", but putting them in practice "would violate important human rights principles".
"The ghost proposal would create digital security risks by undermining authentication systems by introducing unintentional vulnerabilities and by creating new risks of abuse or misuse of systems," read the open letter. "Importantly, it would undermine the GCHQ principles on user trust and transparency."
"Any functioning democracy will ensure that its law enforcement and intelligence methods are overseen independently and that the public can be assured that any intrusions into people's lives are necessary and proportionate," said Ian Levy and Crispin Robinson of GCHQ in a joint essay.
"In the UK, under the Investigatory Powers Act 2016, that means a Secretary of State and an independent judge must both sign-off the use of the most intrusive powers," they added. "We believe this provides world-class oversight of our law enforcement and intelligence agencies."
You can think of end-to-end encryption of messages like an archaic tin can and rope method of communication. Only those with access to that rope can send or receive the communication, keeping everyone else out. That's how messages over services such as WhatsApp and iMessage are conducted, using public key cryptography.
GCHQ plans to embed a "ghost" agent within these messages, creating a three-way communication line with one invisible participant so the agency can oversee messages that would usually be hidden from them.
"It's relatively easy for a service provider to silently add a law enforcement participant to a group chat or call," said Levy and Robinson. "You end up with everything still being end-to-end encrypted, but there's an extra 'end' on this particular communication."
"We're not talking about weakening encryption or defeating the end-to-end nature of the service," they added. "In a solution like this, we're normally talking about suppressing a notification on a target's device, and only on the device of the target and possibly those they communicate with. That's a very different proposition to discuss and you don't even have to touch the encryption."
The reason why GCHQ wants access to these messaging services isn't to spy on regular civilians' personal conversations out of perversion, it's to reduce the powers held by criminal and terrorist organisations that can use these services to plan crimes without law enforcement knowing.
While most can agree that GCHQ should have these powers to protect national security, it does present a conflict, namely between protecting the interests of national security against the fundamental human rights of freedom of expression and privacy of one's own correspondence.
It's a similar conflict of rights that Google had to wrestle with when drafting and imposing its 'right to be forgotten' after a lengthy legal battle with the European courts.
It isn't the first time Apple, in particular, has openly opposed breaking end-to-end encryption of messages sent between members of the public. In a famous legal battle with the FBI, the company refused to unlock an iPhone belonging to the terrorists who committed the San Bernadino shootings in 2015.
Apple wasn't prepared to sacrifice user privacy, their trust in the company's commitment to user security and the sacrosanct encryption of their devices, despite heavy pressure from the FBI amid a major case of national security.
-
M&S suspends online sales as 'cyber incident' continuesNews Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
-
Manners cost nothing, unless you’re using ChatGPTOpinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
-
IBM: Data governance for data-driven organizationswhitepaper Master your data management
-
Google claims US government is too reliant on unsecure Microsoft productsNews The tech giant suggested it might be time for the government to rethink its approach to procurement
-
Over half of London councils lack cyber insuranceNews One council representative called the cyber insurance market “very challenging”
-
EU might force tech giants to share data with smaller rivalsNews The Digital Services Act draft also suggests that firms may be banned from giving their own services preferential treatment
-
Master O365 governance, enforce security policies, and achieve regulatory complianceWhitepaper Identify — and solve — security compliance pain points
-
German housing giant fined £12.5m for GDPR violationsNews The firm’s archive system held onto highly sensitive data from bank statements to health insurance records
-
Heathrow Airport and NHS Digital join ICO sandbox projectsNews The UK regulator will oversee the development of data-reliant services to ensure GDPR compliance
-
Liberty defeated in ‘snooper’s charter’ legal challengeNews High court rules the government’s Investigatory Powers Act doesn’t breach human rights
