Apple, Google and others say spy agency’s ‘ghost’ proposal to eavesdrop on encrypted services is a threat to security.

Technology giants Apple, Google, Microsoft and WhatsApp have condemned a proposal by the UK‘s intelligence agency to eavesdrop on encrypted communication as a “serious threat to cybersecurity” and a “violation of human rights”.

In an open letter published on Thursday, an international coalition of 47 signatories jointly urged GCHQ, the country’s security organisation, to abandon its plan to add a silent third-party “ghost” user to messaging applications as a way to monitor end-to-end encrypted services.

“The ghost proposal would create digital security risks by undermining authentication systems, by introducing potential unintentional vulnerabilities, and by creating new risks of abuse or misuse of systems,” the letter signed by tech companies and civil society organisations said.

This comes after two of the country’s spy chiefs, in a November blog, suggested “silently adding a law enforcement participant to a group chat or call” without undermining user security or privacy.

190214005329678

The “ghost key” proposal would enables a third party to see the plain text of an encrypted conversation without notifying the participants.

Dismissing the surveillance method, the companies argued that service providers would have to “surreptitiously inject a new public key into a conversation in response to a government demand”, which would turn a two-way conversation into a group chat.

The letter added that the proposal, if implemented “will undermine the authentication process that enable users to verify that they are communicating with the right people”.

Security concerns

Ian Levy, the technical director of National Cyber Security Centre and a co-author of the original blog post, welcomed the response.

“We will continue to engage with interested parties and look forward to having an open discussion to reach the best solutions possible,” he told TechCrunch and the Financial Times.

The UK government has been pressurising digital companies for greater access to clamp down on “terror” suspects.

An updated surveillance bill was passed in 2016, giving security and intelligence agencies expansive powers to disrupt “terrorist” attacks.

Facebook-owned messaging service WhatsApp introduced full end-to-end-encryption in 2016, meaning all messages, file transfers and voice calls are scrambled between users’ phones.

Encryption is also used by Apple’s iMessage and the Signal app.

Earlier this month, WhatsApp revealed that it had fixed a bug after spyware crafted by an “advanced cyber actor” infected multiple targeted mobile phones through in-app voice calls.