May 30, 2019
Today, an international coalition of 47 signatories publicly released an open letter to GCHQ (the United Kingdom’s NSA), explaining how its “ghost” proposal undermines encryption and poses serious threats to cybersecurity and fundamental human rights, including privacy and free expression. In addition to New America’s Open Technology Institute, the coalition comprises 22 additional civil society organizations that work to protect civil liberties, human rights, and innovation online; seven tech companies and trade associations, including providers who offer leading encrypted messaging services; and 17 individual experts in digital security and policy.
The letter, which was shared with GCHQ officials on May 22, 2019, responds to a proposal by two GCHQ officials for “silently adding a law enforcement participant to a group chat or call.” This proposal would allow intelligence or law enforcement agents to secretly join encrypted chats as “ghost” users, and would require providers to suppress normal notifications to users.
The letter explains how the ghost proposal would threaten cybersecurity and human rights, including privacy and free expression, by:
- undermining the authentication process that enables users to verify that they are communicating with the right people, which poses particular threats to users like journalists who need to be able to guarantee protection for their sources;
- introducing potential unintentional vulnerabilities into otherwise secure messaging systems;
- increasing the risks that communications systems could be abused or misused;
- damaging user trust in encrypted messaging services; and
- proposing an approach that would be cloaked in secrecy, further undermining authentication systems and user trust.
The following quote can be attributed to Sharon Bradford Franklin, Director of Surveillance & Cybersecurity Policy, New America’s Open Technology Institute:
“Our international coalition calls on GCHQ to abandon its ghost proposal, which would threaten digital security, privacy, and free expression. If users cannot be sure that they are talking to the people they intend to reach, the encryption that protects their messages while in transit will be useless in safeguarding their cybersecurity and individual rights. Although we appreciate the invitation for open dialogue, policymakers and the public should recognize that the ghost proposal is not a viable solution for providing law enforcement with access to digital evidence. Rather, this ghost is one that we should fear, because it would create new digital security risks and undermine user trust.”