As major technology companies in the United States like Apple, Google and Facebook find themselves in the spotlight over various security and privacy snafus, government spooks in the United Kingdom are looking to treat critical flaws such as the Group FaceTime bug as a feature, hoping to secretly listen in on encrypted Messages chats and FaceTime calls.
The American Civil Liberties Union (ACLU) said Friday that the United Kingdom’s Government Communications Headquarters (GCHQ) wants Apple and other tech providers to secretly add law enforcement to encrypted chats and calls under what is called the Ghost proposal.
GCHQ officials recently proposed that government agents be able to inject hidden participants into secure messaging services. The proposal, written by GCHQ’s Ian Levy and Crispin Robinson, recommends institutionalizing an untrustworthy user interface when the government wants to spy on a conversation.
The blog post cites Robinson and Levy as arguing that it would be far easier for spies to exploit vulnerabilities like the massive Group FaceTime privacy bug as a backdoor of sorts than to attempt to break the strong encryption that those services employ.
It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call. The service provider usually controls the identity system and so really decides who’s who and which devices are involved—they’re usually involved in introducing the parties to a chat or call.
In a solution like this, we’re normally talking about suppressing a notification on a target’s device and possibly those they communicate with.
The GCHQ authors claim that the Ghost proposal provides law enforcement with wiretap-like capability, and “you don’t even have to touch the encryption.”
The ACLU warned about the dangers of any such proposal because it would effectively render any encryption insecure and meaningless:
The Ghost proposal institutionalizes a significantly worse user interface failure than Monday’s FaceTime flaw.
With the FaceTime bug, the vulnerable user at least gets an alert about an incoming call to know that something is happening, even if the user interface is misrepresenting the situation and violating the user’s expectations.
With the Ghost proposal, the user has no way of even knowing that something is happening that violates their expectations.
Everyone, not just our UK readers, should be concerned about this because GCHQ is a close surveillance partner of the United States National Security Agency.
The two agencies are in bed together: don’t forget that in the not-too-distant past GCHQ and CIA closely cooperated on massive surveillance programs that allowed them to listen in on phone calls and access troves of data that their citizens store on various cloud services.