
Apple, Google, Microsoft and Others Say GCHQ ‘Ghost Proposal’ Threatens Privacy

June 7, 2019 | David Bisson

Apple, Google, Microsoft and others stated that a “ghost proposal” put forward by the Government Communications Headquarters (GCHQ) threatens fundamental human rights including privacy.

On 22 May 2019, a group of civil society organizations including some of the world’s most well-known tech giants published an open letter in opposition to a proposal by the GCHQ to silently inject a law enforcement officer, or “ghost,” into encrypted chats. The coalition specifically stated that the proposal, if enacted, “would pose serious threats to cybersecurity and thereby also threaten fundamental human rights, including privacy and free expression.”


GCHQ first proposed the idea of a “ghost” in a Lawfare blog post entitled, “Principles for a More Informed Exceptional Access Debate.” Ian Levy, technical director of the National Cyber Security Centre (a part of GCHQ) and Crispin Robinson, technical director for cryptanalysis at GCHQ, wrote in the article that using a ghost would constitute a “better way” for enabling law enforcement to access services and devices protected by end-to-end encryption. Towards this end, the duo crafted six principles which they felt would help attenuate the concerns of both privacy advocates and digital security experts. These guidelines are as follows:

  1. Law enforcement would receive exceptional access as a ghost in only certain situations where there’s a legitimate need, where the collection of certain pieces of information could prove useful in an investigation, where access is the least intrusive means of obtaining that data and where there is appropriate legal authorization for listening in.
  2. Law enforcement and service providers should work together to understand technology’s evolution so that the former doesn’t waste time trying to reverse engineer new products.
  3. If the ghost proposal were to come into effect, law enforcement should work together with service providers and device manufacturers so that instances of exceptional access don’t change users’ trust in those services or devices. A key part of this objective, per the authors, involves recognizing security as an imperfect, non-binary construct.
  4. Service providers should work with law enforcement so that they themselves are involved in enacting every instance of exceptional access, thereby preventing governments from abusing such a solution as a backdoor into their citizens’ data.
  5. If enacted, the ghost proposal should not force service providers to do something that fundamentally changes the trust relationship between them and their users.
  6. Together, service providers and law enforcement should be transparent about any exceptional access solutions and should be willing to submit these implementations for expert analysis and testing.

In their open letter, Google, Microsoft and their co-signatories vocalized their support for these principles. But that didn’t stop them from rejecting the ghost proposal. Their reasoning is that accepting the proposal would require service providers to secretly inject a new public key into a conversation, thereby turning a dialogue into a group chat, and that the proposal might even require service providers to either change whatever encryption schemes they use or mislead users by disabling notifications of when the law enforcement agent joins their conversations.

The international coalition argued that such modifications would violate one of the key GCHQ principles for exceptional access solutions. As it explained in its letter:

“The GCHQ proponents of the ghost proposal argue that “[a]ny exceptional access solution should not fundamentally change the trust relationship between a service provider and its users. This means no tasking the provider to do something fundamentally different to things they already do to run their business.” However, the exceptional access mechanism that they describe in the same piece would have exactly the effect they say they wish to avoid: it would degrade user trust and require a provider to fundamentally change its service.”

The organizations went on to argue that enacting the ghost proposal would undermine users’ trust in the authentication methods used for their apps, introduce potential security vulnerabilities and empower law enforcement and/or malicious actors to potentially abuse the ghost function.

Google, Apple and the other signatories weren’t alone in their opposition to the proposal, either. Susan Landau, Bridge Professor in the Fletcher School of Law and Diplomacy and the School of Engineering at Tufts University, wrote on Lawfare that it’s not clear what adding a silent listener would look like and that the current proposal doesn’t fully appreciate the sweeping changes it would require service providers to make to their communication infrastructure.

Indeed, ACLU Senior Technology Fellow Jon Callas clarified that every company providing secure communications and all governments wishing exceptional access would need to agree on a means of implementation and cooperate towards building that capability. This effort, as he notes, “is about embodying policy and that policy is international politics and this is often possible.”

Then there was Bruce Schneier, a security technologist who argued in his own Lawfare post that the GCHQ proposal is unthinkable because all “exceptional access mechanisms… reduce the security of the underlying system” and thereby expose users to digital threats.

Broderick Perelli-Harris, senior director at Venafi, said something similar to NS Tech:

“Tech companies simply can’t grant access and to ‘cc’ a third recipient into communications, it will allow cyber criminals to undermine all types of private and secure communications. At this moment, citizens in the UK have basic rights to privacy. But if the government mandates backdoors that protection goes away.”

Perelli-Harris is right. The principles identified by GCHQ might be good starting points for further discussion about user privacy and law enforcement. However, they don’t justify a proposal that would increase users’ digital risk and affect the level of trust they have with service providers. These organizations have a duty to keep users and their data safe. Towards that end, they need to exercise extreme care with their encryption assets. That includes making sure that bad actors aren’t misusing their keys and certificates.



About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
