Note: This is part two of a four-part series where security expert Jon Callas breaks down the fatal flaws of a recent proposal to add a secret user — the government — to our encrypted conversations. Part one can be found here.
A recent essay by technical leaders of Britain’s GCHQ proposes a law that would require software companies to enable the secret addition of an extra user — the government — to spy on an otherwise securely encrypted conversation, thereby destroying the confidentiality and privacy encrypted communications provide us. The essay claims that this exceptional access proposal would only be used by “responsible law enforcement” and “democratically elected representatives and judiciary...and certainly doesn’t give any government power they shouldn’t have.”
This is a fantasy. When I build software and hardware as a software engineer and security specialist, I am never naïve enough to think that my customers would only be surveilled by good governments, any more than I was naïve enough to think my tools would only be used by good people. In fact, I build my systems presuming that even I’m not to be trusted with my customers' data. I’m not alone by any means in this. Those of us who build services know that we make outright mistakes, do favors we shouldn’t have, and never understand the whole picture. So we accept that we are threats, too, to the safety of our users. We remove our own privileged position every place we can and make sure that not even we can decrypt our users’ information.
The GCHQ authors understand this, too. They should know better than to suggest that the genie will only grant good wishes made by good people, and that those people will use their wish only for good once granted. The now-fictional GCHQ “ghost user” technology that would provide access for democratically elected representatives will inevitably also be used by non-democratic, unelected, unrepresentative, and autocratic governments.
China will demand the ability to use ghost users. China already mandates its own standards for encryption, networking, network security, and cloud services. It will certainly demand that it be allowed to use the ghost user backdoor, too — and will use its substantial economic power to pressure companies to comply. There's no way around this. Messaging services will be forced to either offer China the same access they give to the UK, US, and any other imaginary club of “good countries,” or forgo Chinese users. Employees of services that resist and decide not to operate in China would be wise never to travel to China, nor to countries that have extradition treaties with China, because they may be at risk for refusing to facilitate Chinese surveillance with their “good guy” backdoored products. Once the ghost user technology is built, Saudi Arabia, Russia, the United Arab Emirates, and other nations will require access to it as well.
Emboldened by U.S. and U.K. technology regulation, these nations will push for additional security compromises as well as data retention and other privacy-invading practices.
- The Indian government has a history of fighting WhatsApp — the unnamed target of the GCHQ proposal — over its encryption. India has proposed changes to its laws that would require services to break encryption for the government and to retain data about users’ conversations. The proposed changes to Indian law would require access to messages if there is a court order from any country.
- Thailand, where insulting the king is illegal, has also proposed laws mandating that its government be able to access private communications. So has Vietnam.
- Singapore has proposed a “Protection from Online Falsehoods and Manipulation Bill” that uses the problem of misinformation as a reason for many restrictions.
For now, tech creators and civil liberties organizations have managed to push back on exceptional access requirements, and we shouldn’t discount the moral and persuasive force of being able to point to the absence of such requirements in the US and the UK. Should mandatory “wiretappability” be required in the United States and the United Kingdom, other countries will take advantage of the feature, or make it a requirement to do business there as well.
Today, governments that want to spy on political opponents, activists, and journalists generally have to resort to commercial malware and spying tools sold by unscrupulous contractors such as the NSO Group and Darkmatter, which supply turnkey spyware developed in Israel and the UAE respectively to Ethiopia, Saudi Arabia, Mexico, Turkey, and many more countries. These tools have been used to , are connected to , and to a .
Currently, oppressive governments have to pay for the services of these hacking companies. They have to hope that their targets are using vulnerable software or that they click on malicious links in phishing emails. And they have to avoid detection by investigators at groups like Citizen Lab. But if the GCHQ proposal worked, doing all of this bad-guy hacking would be so much easier. Governments could just call Facebook and demand access to the conversations of any of WhatsApp’s 1.8 billion active users. These demands may or may not be accompanied by whatever legal papers are required under local laws.
As co-founder of PGP and Silent Circle, it was never far from my mind that if my product wasn’t secure, oppressive governments would use it to spy on my customers. We didn’t want to be a part of Mexico undermining health advocates, and we knew that eventually our companies would be put to the test by oppressive regimes. It is a fantasy to think that companies, even those based in the U.S., can define a club of “good” countries and only respond to legal demands from those governments, or that so-called “good” countries would only put the technology to “good” uses. So we built our products to securely encrypt user data. It would have been irresponsible to vulnerable communities, human rights activists, and journalists that depend on secure encryption for their physical safety for us to try to just wave away the thorny details of the inevitable tide of international exceptional access demands.
Of course, we nevertheless had to be ready for international demands for whatever data our products did generate. When you have data, they will come. As a provider of communications tools and services, you are the intermediary ensuring that investigators get the data they are permitted to, but no more. There are real dangers — to public relations, privacy, and security — to mismanaging these demands.
Rather than grapple with the reality of these difficulties, the GCHQ proposal seems to just trust that technology providers will magically be able to sift between deserving and undeserving governments demanding ghost user access. It would never be that easy and creating such a mechanism would open the door to vast abuses around the globe. The ghost user capability should never be created.
Part three, which addresses the GCHQ authors’ assertion that adding a secret listener to a conversation is just like attaching “crocodile clips” to a phone wire, can be found here.
Further Reading
Here is some further reading on the international assault on secure and private communications by nation-states and quasi-governmental actors.
China’s Technology and Business Standards
- John Battelle
- Manyi Kathy Li
- Andrew Polk
Indian changes to their Information Technology Act
- Seema Chichi
- Aria Thaker
- (Indian) Internet Freedom Foundation
- TechCrunch
- Bao Ha
- Jon Russell
Singapore's Protection from Online Falsehoods and Manipulation Bill
- Allie Funk
- David D. Kirkpatrick
- CBS 60 Minutes
- Times of Israel Staff
- John Scott-Railton, Bill Marczak, Claudio Guarnieri, and Masashi Crete-Nishihata
- Jenna McLaughlin
- Mark Mazzetti, Adam Goldman, Ronen Bergman, and Nicole Perlroth
- Christopher Bing and Joel Schectman