Skip to main content
banner image
venafi logo

Apple, Google, Microsoft and Others Say GCHQ ‘Ghost Proposal’ Threatens Privacy

Apple, Google, Microsoft and Others Say GCHQ ‘Ghost Proposal’ Threatens Privacy

GCHQ, ghost proposal, privacy rights, encrypted communication
June 7, 2019 | David Bisson

Apple, Google, Microsoft and others stated that a “ghost proposal” put forward by the Government Communications Headquarters (GCHQ) threatens fundamental human rights including privacy.

On 22 May 2019, a group of civil and society organizations including some of the world’s most well-known tech giants published an open letter in opposition to a proposal by the GCHQ to silently inject a law enforcement officer, or “ghost,” into encrypted chats. The coalition specifically stated that the proposal, if enacted, “would pose serious threats to cybersecurity and thereby also threaten fundamental human rights, including privacy and free expression.”

GCHQ first proposed the idea of a “ghost” in a Lawfare blog post entitled, “Principles for a More Informed Exceptional Access Debate.” Ian Levy, technical director of the National Cyber Security Centre (a part of GCHQ) and Crispin Robinson, technical director for cryptanalysis at GCHQ, wrote in the article that using a ghost would constitute a “better way” for enabling law enforcement to access services and devices protected by end-to-end encryption. Towards this end, the duo crafted six principles which they felt would help attenuate the concerns of both privacy advocates and digital security experts. These guidelines are as follows:

 

  1.     Law enforcement would receive exceptional access as a ghost in only certain situations where there’s a legitimate need, where the collection of certain pieces of information could prove useful in an investigation, where access is the least intrusive means of obtaining that data and where there is appropriate legal authorization for listening in.
     
  2. Law enforcement and service providers should work together to understand technology’s evolution so that the former doesn’t waste time trying to reverse engineer new products.
     
  3. If the ghost proposal were to come into effect, law enforcement should work together with service providers and device manufacturers so that instances of exceptional access don’t change users’ trust in those services or devices. A key part of this objective, per the authors, involves recognizing security as an imperfect, non-binary construct.
     
  4. Service providers should work with law enforcement so that they themselves are involved in enacting every instance of exceptional access, thereby preventing governments from abusing such a solution as a backdoor into their citizens’ data.
     
  5. If enacted, the ghost proposal should not force service providers to do something that fundamentally changes the trust relationship between it and its users.
     
  6. Together, service providers and law enforcement should be transparent about any exceptional access solutions and should be willing to submit these implementations for expert analysis and testing.
     

In their open letter, Google, Microsoft and their co-signatories vocalized their support for these principles. But that didn’t stop them from rejecting the ghost proposal. Their reasoning is that accepting the proposal would require service providers to secretly inject a new public key into a conversation, thereby turning a dialogue into a group chat, and that the proposal might even require service providers to either change whatever encryption schemes they use or mislead users by disabling notifications of when the law enforcement agent joins their conversations.
 

The international coalition argued that such modifications would violate one of the key GCHQ principles for exceptional access solutions. As it explained in its letter:
 

“The GCHQ proponents of the ghost proposal argue that “[a]ny exceptional access solution should not fundamentally change the trust relationship between a service provider and its users. This means no tasking the provider to do something fundamentally different to things they already do to run their business.” However, the exceptional access mechanism that they describe in the same piece would have exactly the effect they say they wish to avoid: it would degrade user trust and require a provider to fundamentally change its service.”
 

The organizations went on to argue that enacting the ghost proposal would undermine users’ trust in the authentication methods used for their apps, introduce potential security vulnerabilities and empower law enforcement and/or malicious actors to potentially abuse the ghost function.
 

Google, Apple and the other signatories weren’t alone in their opposition to the letter, either. Susan Landau, Bridge Professor in the Fletcher School of Law and Diplomacy and the School of Engineering at Tufts University, wrote on Lawfare that it’s not clear what adding a silent listener would look like and that the current proposal doesn’t fully appreciate the sweeping changes it would require service providers to make to their communication infrastructure. Then there was Bruce Schneier, a security technologist who argued in his own Lawfare post that the GCHQ proposal is unthinkable because all “exceptional access mechanisms… reduce the security of the underlying system” and thereby expose users to digital threats.
 

Broderick Perelli-Harris, senior director at Venafi, said something similar to NS Tech:
 

“Tech companies simply can’t grant access and to ‘cc’ a third recipient into communications, it will allow cyber criminals to undermine all types of private and secure communications. At this moment, citizens in the UK have basic rights to privacy. But if the government mandates backdoors that protection goes away.”
 

Perelli-Harris is right. The principles identified by GCHQ might be good starting points for further discussion about user privacy and law enforcement. However, they don’t justify a proposal that would increase users’ digital risk and affect the level of trust they have with service providers. These organizations have a duty to keep users’ and their data safe. Towards that end, they need to exercise extreme care with their encryption assets. That includes making sure that bad actors aren’t misusing their keys and certificates.


Learn how Venafi can help in this regard
 

Related posts    

Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

Why Encryption Should Be the Next Step in Operationalizing GDPR Compliance

Why Encryption Should Be the Next Step in Operationalizing GDPR Compliance

Russia-Yandex Encryption Spat Highlights Trust as a Competitive Business Advantage

Russia-Yandex Encryption Spat Highlights Trust as a Competitive Business Advantage

https phishing, tls certificate, phishing scam

FBI Warns Users about Phishing Campaigns that Leverage HTTPS Websites

About the author

David Bisson
David Bisson

David Bisson writes for Venafi's blog and is an expert in machine identity protection.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat