In late 2018, The British Government Communications Headquarters (GCHQ) published an essay on Lawfare outlining its principles for “exceptional” or “lawful” access[1] to encrypted information, alongside a proposed use case – the “ghost proposal”. The GCHQ proposal would add a silent (or ghost) user to end-to-end encrypted messaging services, such as WhatsApp, and allow the government to listen in to ongoing encrypted conversations secretly for law enforcement or national security purposes. The Internet Society is pleased to add its name to an open letter outlining the dangers that this proposal, and techniques like it, pose to the Internet and to users everywhere.
All exceptional or lawful access proposals put users, the economy, the services we depend on and the Internet itself at greater risk to security threats. GCHQ’s “ghost proposal” is no exception.
As stated in the open letter, the ghost proposal would
“introduce potential unintentional vulnerabilities, and increase risks that communications systems could be abused or misused … [and] mean that users cannot trust that their communications are secure.”
Protected communications are a matter of security. Whether they are used to keep critical infrastructure running, safeguard our financial information, or keep personal information from those who would use it to do us harm, protected communications keep us all safe. All of these rely on encryption and other digital security tools.
The Internet Society is proud to add its voice to a diverse group of stakeholders from civil society, industry and academia calling on GCHQ to abandon the ghost proposal and avoid any alternate approaches that would similarly threaten digital security and human rights.
We must strengthen, not weaken encryption. By whatever name, any point of entry to a secure service is a weakness.
[1]Generally, when people speak of lawful or exceptional access they refer to some means of allowing law enforcement the ability to lawfully access the content of encrypted communications and encrypted data in an unencrypted form. For example, by asking companies to have the technical ability to access encrypted content.