Tech industry bands together to oppose GCHQ snooping

Internet snooping

Google, Apple, WhatsApp and Microsoft have signed an open letter with 43 other signatories opposing GCHQ's plans to embed itself in every encrypted messaging service in the UK.

The proposal put forth by the British cyber security agency would entail adding a "ghost" user to an end-to-end encrypted messaging service to oversee the content of messages, much like how a group chat would work within the service.

The 47 signatories which include privacy advocate groups, tech giants and Ivy League academics all say that while the principles outlined by GCHQ in November 2018 regarding the need to protect privacy and security are "a step in the right direction", but putting them in practice "would violate important human rights principles".

"The ghost proposal would create digital security risks by undermining authentication systems by introducing unintentional vulnerabilities and by creating new risks of abuse or misuse of systems," read the open letter. "Importantly, it would undermine the GCHQ principles on user trust and transparency."

"Any functioning democracy will ensure that its law enforcement and intelligence methods are overseen independently and that the public can be assured that any intrusions into people's lives are necessary and proportionate," said Ian Levy and Crispin Robinson of GCHQ in a joint essay.

"In the UK, under the Investigatory Powers Act 2016, that means a Secretary of State and an independent judge must both sign-off the use of the most intrusive powers," they added. "We believe this provides world-class oversight of our law enforcement and intelligence agencies."

You can think of end-to-end encryption of messages like an archaic tin can and rope method of communication. Only those with access to that rope can send or receive the communication, keeping everyone else out. That's how messages over services such as WhatsApp and iMessage are conducted, using public key cryptography.

GCHQ plans to embed a "ghost" agent within these messages, creating a three-way communication line with one invisible participant so the agency can oversee messages that would usually be hidden from them.

"It's relatively easy for a service provider to silently add a law enforcement participant to a group chat or call," said Levy and Robinson. "You end up with everything still being end-to-end encrypted, but there's an extra 'end' on this particular communication."

"We're not talking about weakening encryption or defeating the end-to-end nature of the service," they added. "In a solution like this, we're normally talking about suppressing a notification on a target's device, and only on the device of the target and possibly those they communicate with. That's a very different proposition to discuss and you don't even have to touch the encryption."

The reason why GCHQ wants access to these messaging services isn't to spy on regular civilians' personal conversations out of perversion, it's to reduce the powers held by criminal and terrorist organisations that can use these services to plan crimes without law enforcement knowing.

While most can agree that GCHQ should have these powers to protect national security, it does present a conflict, namely between protecting the interests of national security against the fundamental human rights of freedom of expression and privacy of one's own correspondence.

It's a similar conflict of rights that Google had to wrestle with when drafting and imposing its 'right to be forgotten' after a lengthy legal battle with the European courts.

It isn't the first time Apple, in particular, has openly opposed breaking end-to-end encryption of messages sent between members of the public. In a famous legal battle with the FBI, the company refused to unlock an iPhone belonging to the terrorists who committed the San Bernadino shootings in 2015.

Apple wasn't prepared to sacrifice user privacy, their trust in the company's commitment to user security and the sacrosanct encryption of their devices, despite heavy pressure from the FBI amid a major case of national security.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.