Several of the world’s largest technology companies have warned that British proposals to provide law enforcement agencies with access to encrypted conversations could undermine human rights and create “serious threats to digital security”.
An open letter signed by Apple, Google and WhatsApp calls into question the legitimacy of plans, proposed by senior officials from GCHQ and the National Cyber Security Centre (NCSC) last year, to “silently [add] a law enforcement participant to a group chat or call”.
In a blogpost published in November, NCSC’s technical director Ian Levy and GCHQ’s cryptanalysis lead Crispin Robinson said the solution “seems to be no more intrusive than the virtual crocodile clips […] in traditional voice intercept systems”.
“It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call […],” the officials wrote. “You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication.”
But the open letter, which has been sent to GCHQ and the UK’s Investigatory Powers Commissioner, said the proposed solution “requires two changes to systems that would seriously undermine user security and trust”.
“First, it would require service providers to surreptitiously inject a new public key into a conversation in response to a government demand. This would turn a two-way conversation into a group chat where the government is the additional participant, or add a secret government participant to an existing group chat.
“Second, in order to ensure the government is added to the conversation in secret, GCHQ’s proposal would require messaging apps, service providers, and operating systems to change their software so that it would 1) change the encryption schemes used, and/or 2) mislead users by suppressing the notifications that routinely appear when a new communicant joins a chat.”
Sign up to Emerging Threats, our weekly cyber security newsletter
Broderick Perelli-Harris, a senior director at Venafi, a provider of machine identity protection services, said the proposal raised concerns about people’s right to privacy. “Tech companies simply can’t grant access and to ‘cc’ a third recipient into communications, it will allow cyber criminals to undermine all types of private and secure communications,” he said. “At this moment, citizens in the UK have basic rights to privacy. But, if the government mandates backdoors that protection goes away.”
Commenting on the open letter, a spokesperson for NCSC said: “We welcome this response to our request for thoughts on exceptional access to data – for example to stop terrorists. The hypothetical proposal was always intended as a starting point for discussion.
“We will continue to engage with interested parties and look forward to having an open discussion to reach the best solutions possible.”