In a move to safeguard the privacy and safety of encrypted calls and chats, technology giants Apple, Google and Microsoft have joined hands with fellow companies, civil rights organisations and security and policy experts to condemn a privacy-ending proposal by the UK government's communications privacy watchdog, Government Communications Headquarters (GCHQ). The issue in question is a proposal by GCHQ that suggests technology companes to create a backdoor into encrypted services, thereby allowing government officials to snoop in on private group chats and conversations.
Aptly named 'Ghost proposal' (for obvious reasons), the GCHQ states that it should be "relatively easy" for technology service providers to "silently add a law enforcement participant to a group chat or call". The rather salient observation takes note of how user identification systems work in group chats or calls, and states that despite the encryption, the user identification involve unique identifiable strings of character assigned to each user, which is then used to identify the participants of a chat or a call, while the content of the conversation is kept hidden and private. The character strings are used to notify participants of a conversation when a third (or multiple) parties join in on the conversation, so as to keep all communications-related information public.
To this, GCHQ states that technology companies should cooperate with government agencies to turn off the notification feature for when a third party joins a call, or a new addition is made to a group chat, hence enabling the government agent to 'ghost' himself or herself into a conversation. This would leave the benefactors of the conversation without any knowledge of their presence, and hence enable digital espionage right from the company's end.
However, the open letter, signed by multiple bodies that include WhatsApp, The Tor Project, Human Rights Watch, Internet Society and the Freedom of the Press Foundation, strongly condemns the suggested move. The fundamental grounds of the letter in response to GCHQ's suggestion state that the proposal cannot be validated because it violates basic human rights such as privacy and right to information, along with GCHQ's own principles. Alongside, it also creates a risk of having such backdoors fall in the hands of malicious users, hence endangering the very fundamentals of digital rights and privacy.
Excerpts of the letter state, "Because the safety number is per pair of communicators — more precisely, per pair of keys — a change in the value means that a key has changed, and that can mean that it’s a different party entirely. People can thus choose to be notified when these safety numbers change, to ensure that they can maintain this level of authentication. Users can also check the safety number before each new communication begins, and thereby guarantee that there has been no change of keys, and thus no eavesdropper."
It further states, "Any proposal that undermines user trust penalizes the overwhelming majority of technology users while permitting those few bad actors to shift to readily available products beyond the law’s reach. It is a reality that encryption products are available all over the world and cannot be easily constrained by territorial borders. Thus, while the few nefarious actors targeted by the law will still be able to avail themselves of other services, average users — who may also choose different services — will disproportionately suffer consequences of degraded security and trust."
The letter concludes by stating a crucial fact — while discussions of such a premise has been made public, if it were to be implemented, it would have to be in complete secrecy, which breaches any trace of trust that billions of users worldwide, such as us, put in these companies. The prospect of such a backdoor is indeed deeply concerning, and brings back memories of the Apple vs FBI case, where the US government put massive pressure on Apple to break into its own encryption of Messages, in order to aid the government in solving the crime.
The full copy of the open letter can be read here.