The Ghost Key Proposal
- June 16, 2019
- Clayton Rice, Q.C.
The proposal by Government Communications Headquarters (GCHQ), Britain’s spy agency responsible for signals intelligence (SIGINT), that would silently add a law enforcement participant to digital group chats or calls, has been condemned as posing serious threats to cybersecurity and fundamental human rights.
1. The Proposal
The proposal was first suggested by Ian Levy and Crispin Robinson in a post to Lawfare titled Principles for a More Informed Exceptional Access Debate dated November 29, 2018. Mr Levy is the technical director of the UK’s National Cyber Security Centre, a part of GCHQ. Mr Robinson is the technical director for cryptanalysis at GCHQ. They argued that the technique would not involve breaking encryption but would, instead, require encrypted messaging services like Signal and WhatsApp to add a third recipient. In other words, silent government agents would ride shotgun on encrypted communications.
Levy and Robinson went on to argue that the “solution” would be no more intrusive than “virtual crocodile clips” authorized in “traditional voice intercept solutions” – wiretapping of non-encrypted communications. “We’re not talking about weakening encryption or defeating the end-to-end nature of the service,” they wrote. “In a solution like this, we’re normally talking about suppressing a notification on a target’s device, and only on the device of the target and possibly those they communicate with.” (See also: Alex Hern. Apple and WhatsApp condemn GCHQ plans to eavesdrop on encrypted chats. The Guardian. May 30, 2019)
The authors said that GCHQ would abide by six governing principles including these four: (a) exceptional access would only be sought where there is “legitimate need” and it is the “least intrusive” way of proceeding; (b) targeted exceptional access should not give governments unfettered access to user data; (c) any exceptional access solution should not fundamentally change the trust relationship between a service provider and its users; and, (d) because transparency is essential “the details of any exceptional access solution may well become public and subject to expert scrutiny”.
2. The Response
On May 22, 2019, an open letter was sent to GCHQ by more than fifty civil society organizations, technology companies and cybersecurity experts including Apple, Microsoft, Human Rights Watch and Privacy International. Bruce Schneier of the Berkman Center for Internet & Society at Harvard Law School and Christopher Parsons of Citizen Lab at the Munk School of Global Affairs, University of Toronto, joined in urging GCHQ to abandon the proposal and concentrate on protecting privacy rights and cybersecurity. “[T]he ghost proposal,” the signatories wrote, “would create digital security risks by undermining authentication systems, by introducing potential unintentional vulnerabilities, and by creating new risks of abuse of systems.” They went on to say the proposal would require two changes to systems that would seriously undermine user security and trust:
“First, it would require service providers to surreptitiously inject a new public key into a conversation in response to a government demand. This would turn a two-way conversation into a group chat where the government is the additional participant, or add a secret government participant to an existing group chat. Second, in order to ensure the government is added to the conversation in secret, GCHQ’s proposal would require messaging apps, service providers, and operating systems to change their software so that it would (1) change the encryption schemes used, and/or (2) mislead users by suppressing the notifications that routinely appear when a new communicant joins the chat.”
Here are four takeaways that address concerns of integrity and authentication, abuse or misuse, user trust and transparency.
- Integrity and Authentication: The process of authentication allows users to have confidence that other users they communicate with are who they say they are. Without reliable methods of authentication, users cannot know if their communications are secure, no matter how robust the encryption algorithm, because they have no way of knowing who they are communicating with. This is particularly important for journalists who need secure encryption to guarantee source protection. (p 3)
- Abuse or Misuse: The providers of end-to-end encrypted messaging applications like WhatsApp and Signal cannot see into their users’ chats. By requiring an exceptional access mechanism like the ghost proposal, GCHQ and UK law enforcement officials would require messaging platforms to open the door to surveillance abuses that are not possible today. (p 4)
- User Trust: Users will lose trust in their secure end-to-end messaging applications when they learn that secret participants are allowed to surveil their communications. That loss of trust would be widespread and permanent. (p 6)
- Transparency: Implementation of a ghost key approach would be cloaked in secrecy. The UK Investigatory Powers Act grants officials the power to impose non-disclosure agreements that would prevent service providers from acknowledging they had received a demand to change their systems and the extent of their compliance. (p 7)
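The open letter's description of the mechanism (a new public key injected into the recipient list, with the "joined" notification suppressed) and the Integrity and Authentication takeaway above both turn on the same point: a client that pins the keys of the members its user has actually verified can notice an unannounced recipient no matter what the server's UI notifications say. The following is an added illustration of that defender-side check, not code from the article, the open letter, or any messaging service. The key material, user ids and conversation id are constructed stand-ins, and `fingerprint`, `ClientState`, `check_recipients` and `send_message` are hypothetical names; real clients use per-device key bundles and a proper cryptographic fan-out rather than this simplified model.

```python
"""
Client-side roster check against a silently added recipient key.

Added example (not the article's or any messaging app's code). Public keys
are stand-in byte strings; fingerprints are SHA-256 prefixes, the kind of
value users compare out of band to authenticate each other.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def fingerprint(public_key: bytes) -> str:
    """Short hex fingerprint of a public key (what users verify out of band)."""
    return hashlib.sha256(public_key).hexdigest()[:16]


@dataclass
class RecipientEntry:
    """One entry in the server-supplied recipient list for a conversation."""
    user_id: str
    public_key: bytes


@dataclass
class ClientState:
    """What the client remembers locally: members the user has verified."""
    conversation_id: str
    verified: Dict[str, str] = field(default_factory=dict)  # user_id -> fingerprint

    def check_recipients(self, server_list: List[RecipientEntry]) -> Tuple[bool, List[str], List[str]]:
        """Compare the server's recipient list against the pinned roster.

        Returns (ok, unknown_members, members_whose_key_changed). A member the
        user never verified, or a verified member presented with a different
        key, is exactly what a ghost-key injection looks like at this layer,
        whether or not the app shows a "X joined the chat" notice.
        """
        unknown, changed = [], []
        for entry in server_list:
            fp = fingerprint(entry.public_key)
            pinned = self.verified.get(entry.user_id)
            if pinned is None:
                unknown.append(entry.user_id)
            elif pinned != fp:
                changed.append(entry.user_id)
        return (not unknown and not changed), unknown, changed


def send_message(client: ClientState, server_list: List[RecipientEntry], plaintext: str) -> dict:
    """Refuse to fan out a message unless every recipient is one the user verified."""
    ok, unknown, changed = client.check_recipients(server_list)
    if not ok:
        return {"sent": False, "unknown": unknown, "changed_keys": changed}
    # A real client would produce one ciphertext per recipient device here.
    return {"sent": True, "recipients": [e.user_id for e in server_list]}


# Constructed sample key material (not real keys).
ALICE_KEY = b"constructed-public-key-alice"
BOB_KEY = b"constructed-public-key-bob"
BOB_KEY_2 = b"constructed-public-key-bob-replaced"
EXTRA_KEY = b"constructed-public-key-added-without-notice"


def demo() -> Tuple[dict, dict, dict]:
    """Three server-supplied lists: honest, with an extra entry, with a swapped key."""
    client = ClientState("chat-1", verified={
        "alice": fingerprint(ALICE_KEY),
        "bob": fingerprint(BOB_KEY),
    })
    honest = [RecipientEntry("alice", ALICE_KEY), RecipientEntry("bob", BOB_KEY)]
    with_extra = honest + [RecipientEntry("unverified-device", EXTRA_KEY)]
    swapped = [RecipientEntry("alice", ALICE_KEY), RecipientEntry("bob", BOB_KEY_2)]
    return (send_message(client, honest, "hi"),
            send_message(client, with_extra, "hi"),
            send_message(client, swapped, "hi"))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The check depends only on state the client holds locally (the pinned fingerprints), so suppressing a notification on the server or in the UI layer does not defeat it; this is the sense in which the open letter's authentication concern is a property of the client's trust model rather than of the encryption algorithm.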
The ghost key proposal undermines the security and trust that Levy and Robinson themselves advocate. In a post to Lawfare titled Evaluating the GCHQ Exceptional Access Proposal dated January 17, 2019, Mr Schneier argued that it does exactly what they said it does not – it would fundamentally change the trust relationship between a service provider and its users. It is as dangerous a backdoor as any other that has been proposed. “It exploits a security vulnerability rather than fixing it,” Mr Schneier wrote, “and it opens all users of the system to exploitation of that same vulnerability by others.” (See: Sharon Bradford Franklin and Andi Wilson Thompson. Open Letter to GCHQ on the Threats Posed by the Ghost Proposal. Lawfare. May 30, 2019)
What, then, are the implications of the ghost key proposal under Canadian law? As I mentioned, Levy and Robinson suggested that the proposal “seems to be no more intrusive than the virtual crocodile clips” that are judicially authorized for voice interception in Britain.
The originator and the recipient of a communication on an encrypted messaging service have a reasonable expectation of privacy under s 8 of the Canadian Charter of Rights that their communication would be free from state surveillance. The ghost participant would be a passive listener and not actively engaged in communicating with the other parties as in an undercover police sting operation. These communications thus fall within the broad protections of the Telus category outside the Wells exception. (See: R v Telus Communications Co., 2 SCR 3 per Abella J, at para 25; R v Marakah, 2 SCR 608 per McLachlin CJ, at paras 13-17; and, R v Wells, 2019 SCC 22 per Brown J, at paras 20-31)
The addition of a silent law enforcement participant would therefore require a wiretap authorization under Part VI of the Criminal Code. Eavesdropping by a passive agent of the state would constitute an intercept under s 183 of the Code that includes “listen to, record or acquire a communication or acquire the substance, meaning or purport thereof”. The definition of intercept focuses on state acquisition of the content of information – the substance, meaning or purport of a private communication. It is not only the encrypted communication itself that is protected but any derivative that conveys its substance or meaning.
The legal regime of prior judicial authorization that requires the state to establish reasonable grounds and investigative necessity does nothing, however, to alleviate the cybersecurity concerns raised in the open letter.