Encryption Communications Facebook Google Apple Technology

Apple, Google and WhatsApp Condemn GCHQ Proposal To Eavesdrop on Encrypted Messages

Tech giants, civil society groups and Ivy League security experts have condemned a proposal from Britain's eavesdropping agency as a "serious threat" to digital security and fundamental human rights. From a report: In an open letter to GCHQ (Government Communications Headquarters), 47 signatories including Apple, Google and WhatsApp have jointly urged the U.K. cybersecurity agency to abandon its plans for a so-called "ghost protocol." It comes after intelligence officials at GCHQ proposed a way in which they believed law enforcement could access end-to-end encrypted communications without undermining the privacy, security or confidence of other users.

Details of the initiative were first published in an essay by two of the U.K.'s highest cybersecurity officials in November 2018. Ian Levy, the technical director of Britain's National Cyber Security Centre, and Crispin Robinson, GCHQ's head of cryptanalysis (the technical term for codebreaking), put forward a process that would attempt to avoid breaking encryption. The pair said it would be "relatively easy for a service provider to silently add a law enforcement participant to a group chat or call."
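
The following is an added example, not part of the original story and not any messaging service's code: a simplified model of how a client that pins verified key fingerprints can notice a recipient key the service added to a group roster without announcing it, which is the mechanism the quoted proposal relies on. The member names, the placeholder keys and the one-key-per-member roster are constructed assumptions.

```python
import hashlib

def fingerprint(public_key: bytes) -> str:
    """Short fingerprint that two users can compare out of band."""
    return hashlib.sha256(public_key).hexdigest()[:16]

def roster_digest(roster: dict) -> str:
    """Order-independent digest of (member, key) pairs; every honest client
    in the same group should compute the same value."""
    h = hashlib.sha256()
    for member in sorted(roster):
        name = member.encode()
        h.update(len(name).to_bytes(2, "big") + name)
        h.update(hashlib.sha256(roster[member]).digest())
    return h.hexdigest()[:16]

def audit_roster(pinned: dict, served: dict) -> dict:
    """Compare the key list the service hands out with locally pinned fingerprints."""
    findings = {"unknown_member": [], "key_changed": [], "missing": []}
    for member in sorted(served):
        if member not in pinned:
            findings["unknown_member"].append(member)   # extra recipient
        elif pinned[member] != fingerprint(served[member]):
            findings["key_changed"].append(member)      # swapped key
    findings["missing"] = sorted(m for m in pinned if m not in served)
    return findings

def recipients_for_send(pinned: dict, served: dict) -> list:
    """Fail closed: return the keys to encrypt to only if the roster is clean."""
    findings = audit_roster(pinned, served)
    if any(findings.values()):
        raise ValueError(f"roster does not match verified keys: {findings}")
    return [served[m] for m in sorted(served)]

# Constructed sample data (placeholder byte strings, not real keys).
VERIFIED = {"alice": b"constructed-key-alice", "bob": b"constructed-key-bob"}
PINNED = {m: fingerprint(k) for m, k in VERIFIED.items()}
SERVED_CLEAN = dict(VERIFIED)
SERVED_EXTRA = {**VERIFIED, "device-x": b"constructed-key-unannounced"}

if __name__ == "__main__":
    print(audit_roster(PINNED, SERVED_CLEAN))
    print(audit_roster(PINNED, SERVED_EXTRA))
    print(roster_digest(SERVED_CLEAN), roster_digest(SERVED_EXTRA))
```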
  • Here's an idea (Score:5, Interesting)

    by SuperKendall ( 25149 ) on Thursday May 30, 2019 @09:46AM (#58679230)

    How about this - Ghost Protocol can be implemented - after politicians alone have run it on their equipment for five years or so. After a number of embarrassing leaks from hackers, they can decide how important it is to have a "Ghost Protocol" to be able to monitor everyone's messaging.

    • ...the politicians *and the GCHQ itself*. Let's add WikiLeaks to *their* group chats for 5 years. What's good for the goose is good for the gander.
    • by Anonymous Coward

      Why do you think Merkel found out her phone was spied on, sent her worthless peon to the US to complain, and afterwards was only seen playing reeeal nice, praising the US as "our friends"?

      s/US/five eyes/

      Spying agencies got every dirty little shit stain on politicians everywhere already. Especially their own.
      So they obey, or else ...

      Tell me if you were a spy, you wouldn't look up politicians at the very first chance you'd get. :)

  • by bradley13 ( 1118935 ) on Thursday May 30, 2019 @09:49AM (#58679254) Homepage

    ...is paved with good intentions. Because this capability will be abused. There will be pre-signed, blank warrants. There will be people who abuse the system to eavesdrop on their partners or ex-partners. There will be security breaches. The minor benefit for law enforcement will come at a huge price for society.

    • We did almost have a successful coup in the US where these surveillance powers were used to target an enemy of the permanent state.

      Everything /. has warned us for 2 decades would happen did happen, and the guy that saved us all is Mike Rogers. Enjoy the fireworks.

    • Shadow Brokers are woke.

      The city of Baltimore US [baltimoresun.com] is shitting their britches because of NSA tools that group released to the wild.

      If the hackers who crippled Baltimore city government computers used a cyberweapon developed by the National Security Agency, as the New York Times reported Saturday, the federal government bears some responsibility in helping to clean up the mess.

      Yes, the city should have updated its Windows systems with a security patch Microsoft released two years ago after a hacking group called Shadow Brokers leaked the tool. But that doesn’t absolve the NSA from blame. In seeking to keep a powerful offensive cyberweapon for itself, it risked national security rather than protecting it.

      • So this is the crux of it, isn't it? Don't bake-in insecure backdoors and groups like the NSA will develop these tools to crack what they can, which then get into the wrong hands...

        • I'm a retired IT guy and my gut says the NSA leaks were an inside job.

          Look at the reaction to Manning, Snowden, and Winner. Rather than be subjected to punishment, those people would have fared better by being anonymous.

    • by gweihir ( 88907 )

      There will not even be minor benefits for law enforcement. All the criminals that this could target are already smart enough to just avoid these channels. There will only be the massive negative effects on society. And it is pretty clear that the, aehm, "people" behind this are well aware of that. What they actually want is a surveillance fascism, where people are afraid to write or say what they think, and conformity is the name of the game. If these people are successful, and unfortunately it seems societ

  • by Anonymous Coward

    It's just that they want to come out of the closet about it.
    Or it's probably cheaper than having all that parallel construction staff costing lots of bucks - lawyers are expensive, even on-staff lawyers.

  • by rickb928 ( 945187 ) on Thursday May 30, 2019 @10:15AM (#58679504) Homepage Journal

    "they believed law enforcement could access end-to-end encrypted communications without undermining the privacy, security or confidence of other users. "

    Um, in every way, this proposed access WOULD UNDERMINE the privacy, security or confidence of all. That's the point of it.

    And we cannot, anywhere, ever, trust law enforcement in this.

    • by Anonymous Coward

      Key escrow provides for the lawful inspection of content when law enforcement presents a valid search warrant to the device manufacturer. The device manufacturer holds the keys in escrow, not the government. That's why it's called "escrow". The keys will be held in offline storage and are not therefore subject to hacking or compromise or whatever fantasy you cook up in that tiny alleged brain of yours.

      • " lawful inspection of content"

        Which cannot prevent retrieving and keeping that content.

        And that is the undermining. Once they have my encrypted content I have less control of it, actually, no control of it. And key escrow asks me to, still, trust 'them'.

        It does not matter who the 'them' is, they all are untrustworthy, based on past acts alone. And yes, I am paranoid.

        • And even if you, for some reason, trusted that the company and law enforcement wouldn't abuse the key escrow system, then you still have an insecure system. It's only a matter of time before a hacker figures out how to fool the system into thinking that he's law enforcement. Unless you have end-to-end encryption, you have insecure encryption.

        • by gweihir ( 88907 )

          Well, you may be paranoid, but not because of this. If a government fundamentally disrespects you and your integrity by demanding to be able to read anything you write, then you would be stupid not to massively mistrust that government. The whole approach is a fanatical and fundamentally anti-individuality one. It is absolutely no accident that at the core of Fascism is "collectivism" and a complete disregard for the individual. This demand for backdoors and to be able to look at anything you write is a fun

      • by gweihir ( 88907 )

        First, "lawful" has no connection to right or wrong. It is a bureaucratic term. Second, all the chilling effects and all the reduction of freedoms apply. Just remember that you can have this in full-blown fascism, where killing people because of their view, heritage or genetics is also "lawful". This is the same old, fundamentally evil forces pushing for more power.

    • "they believed law enforcement could access end-to-end encrypted communications without undermining the privacy, security or confidence of other users. "

      Um, in every way, this proposed access WOULD UNDERMINE the privacy, security or confidence of all. That's the point of it.

      And we cannot, anywhere, ever, trust law enforcement in this.

      We cannot, ever, trust those in power not to abuse it to spy on political enemies.

      Does anyone think they have an uncorruptible logging system of access and activities that is archived and sent off to several backup sites with MD5 numbers or whatever, and that this is reviewed from time to time by elected officials?

      Anyone? Or is it more like a piece of paper next to 1000 agent consoles, "You did get a warrant, right? Check this box."

    • "they believed law enforcement could access end-to-end encrypted communications without undermining the privacy, security or confidence of other users. "

      Um, in every way, this proposed access WOULD UNDERMINE the privacy, security or confidence of all. That's the point of it.

      I think you misunderstand the proposal, which is to preserve privacy by modifying the official definition of privacy. See, problem solved!

    • by gweihir ( 88907 )

      You cannot trust law enforcement with anything. The people driving it are just too broken. It does serve a useful role in keeping crime on acceptable levels (even if that is mostly not its accomplishment in the first place) and in scaring small children. It has no place at all driving decisions. It is no accident that the pre-stage to full-blown Fascism is called a "police-state".

  • Meanwhile they are openly proposing to backdoor our communications.
    Absolute hypocrites.
  • by sdinfoserv ( 1793266 ) on Thursday May 30, 2019 @10:24AM (#58679620)
    That's funny - Google & WhatsApp (Facebook) crying about privacy.... They're just jealous they lack authority and jurisdiction to create laws to force sharing data with THEM first. After all, if others have the data, it becomes less valuable to the Social Media cabal since another market dries up.
    • Do you even think before you post? Pray tell us how a government listening in on private communications could affect them monetarily, I mean besides the fact that many people including non-criminals will opt to not use their service?
      • The Government is one of Google's biggest customers.... IF the government already has the data, they don't have to contract to be granted access...
        • Cool story bro. Google doesn't sell the kind of data you clearly think it does. It's actually hilarious that you think they would pay for it, or that it would be admissible in court if they did.
  • Service Providers (Score:5, Insightful)

    by Sloppy ( 14984 ) on Thursday May 30, 2019 @10:28AM (#58679662) Homepage Journal

    The pair said it would be "relatively easy for a service provider to silently add a law enforcement participant to a group chat or call."

    And that's exactly why nobody in their right mind ever uses a "service provider" to apply their crypto. You do it on your computer using software under your control, intended to serve your interests above and beyond (and at the expense of, if necessary) any and all other parties. But if you want to use a commodity service provider (e.g. your and everyone else's ISPs) to deliver the ciphertext, that's totally fine.

    Fine, I'll tunnel through an insecure network. That's what everybody always does anyway, it's called The Internet. Oh, you want to make an insecure tunnel through that insecure network? Sure, we can tunnel through that insecure tunnel.

    If people are ever forced to use neo-Clipper Chips (so it's called "ghost protocol" nowadays, huh?), then all of them who care about security are going to be feeding it their ciphertext.

    BTW, "ghost protocol" is a pretty good name, since it implies malicious intent. If I were in charge of making all our communications less secure and vulnerable to snooping by criminals, I would have called it "Titanium SecureLock QuantumArmor Government-Grade Security Protocol" or something. I'm not sure if these people are just really bad liars, or if they actually maybe have a conscience and are trying to be honest with everyone.

    • by Octorian ( 14086 )

      And that's exactly why nobody in their right mind ever uses a "service provider" to apply their crypto. You do it on your computer using software under your control, intended to serve your interests above and beyond (and at the expense of, if necessary) any and all other parties. But if you want to use a commodity service provider (e.g. your and everyone else's ISPs) to deliver the ciphertext, that's totally fine.

      If you apply your own crypto with software entirely under your control, you are almost by definition "someone with something to hide" and of particular interest for further scrutiny. If the service provider's software applies the crypto, especially if it's on-by-default, then you basically blend into the background noise of everyone else's chatter.

      Let's face it... Self-applied crypto really doesn't work for normal people. They're never going to know how to set it up, or even think that they should care. But

      • by Sloppy ( 14984 )

        If you apply your own crypto with software entirely under your control, you are almost by definition "someone with something to hide" and of particular interest for further scrutiny. If the service provider's software applies the crypto, especially if it's on-by-default, then you basically blend into the background noise of everyone else's chatter.

        So why use crypto at all? If you're worried about the above, use plaintext.

        If someone wants to crack the message where I tell my wife what time I'm getting home, b

        • Re:Service Providers (Score:5, Interesting)

          by Octorian ( 14086 ) on Thursday May 30, 2019 @11:52AM (#58680384) Homepage

          I think I'm going to keep on locking my front door, in the belief that it makes burglars less interested in my house, rather than as you suggest, more interested.

          If you are the only one on your block that locks their front door, then it will make burglars more interested.

          But if everyone on your block locks their front door, with all other factors being equal, then burglars have no reason to find your house any more interesting than all the others.

        • I think I'm going to keep on locking my front door, in the belief that it makes burglars less interested in my house, rather than as you suggest, more interested.

          That's a poor metaphor for how encryption & inspection works in the real world.
          A better one would be if, for years, all houses had glass walls with no blinds. That's basically what email has been since it was started.
          Or, perhaps a better one: imagine all mail was on postcards.
          Suddenly, opaque walls for homes became easy and affordable, as have opaque envelopes for mail.
          Imagine if your home was the only home on the street that people couldn't look into while walking by, or if only some of your letters we

      • by Aqualung812 ( 959532 ) on Thursday May 30, 2019 @11:40AM (#58680282)

        Let's face it... Self-applied crypto really doesn't work for normal people.

        Are you kidding? There are DOZENS of us that successfully exchanged & signed each other's PGP keys and sent encrypted email with each other for a whole year.

    • Deep packet inspection will blow up your tunnel. Also, the service provider can drop all protocols and block all ports that are not in the government approved whitelist. The problem is the "server-client" nature of the connection.

  • I fought with them for 4 months over the implicit cert format for the UK electrical grid. They reversed the order of some fields from the cert used in North America. The problem is the change created a meet-in-the-middle attack and reduced the security from 128 bit to 64 bit. When I finally had a simple proof that most people could understand, the new format already had too much inertia to change. The UK government has all the incompetence of any other western government but they have an extra layer of arrog
    • by gweihir ( 88907 )

      Sounds about right. Since the UK is now going into deep self-destruction, it also fits the other available evidence. Arrogance and stupidity are very old mates.

  • Yanno (Score:5, Insightful)

    by nehumanuscrede ( 624750 ) on Thursday May 30, 2019 @11:20AM (#58680128)

    The Poster Child of secrets ( The NSA ) couldn't even manage to keep their super-secret hacking toys out of the hands of the masses.
    ( Ask Baltimore what they think about that today )

    Yet, these people still cling to the idea that they can keep access limited only to " Law Enforcement " ?
    ( Which, in reality, is total bullshit. " Law Enforcement " is what they say publicly, " Anyone in a position of power " ( Eg: Not You or I ) is what they mean. )

    Tip: When a means exists to do something, it isn't a matter of IF. It's a matter of WHEN.

    • The more nations in the west do things like this, the easier it is for dictators to do so, too.

      Thus does the iron boot on the neck of billions press a little harder so some police guys can get another notch in their belts.

  • Let them use all the protocols and break all the encryption they want. It's the usual cat and mouse. The real problem to overcome is how to connect to a wide area network without a "service provider".

    • by tmjva ( 226065 )
      No, they shoot traitors, they trade spies.

      Except during wartime, then they go back to shooting them.
  • Either *all* governments have access to our confidential telecommunications, or nobody does, except the intended recipients. You can't have semi-secure/private. It's either strongly encrypted or it isn't. There are no magic keys or magic back doors. Do we really want our commercial & political rivals listening in on all our telecoms? And it's also only a matter of time until such surveillance capabilities become available to corporations and organised crime.
    • Also, once some governments have access, it's only a matter of time before hackers figure out how to get in through the "government officials only" entry point. So even if we could, somehow, set aside concerns over government abuse (a very big IF), a "government/law enforcement backdoor" would be a horrible idea.

  • But it is okay when they do it?
    They just don't like the competition

  • As soon as we have backdoors and weak (i.e. broken) crypto for this, we do know that Fascism has gotten very close. Because it is such a good idea...

  • Power corrupts, absolute power corrupts absolutely.

    I think I'm a pretty good person, try to do right more than wrong. If I had some special power, like say the ability to walk into a bank and walk out again with a duffel bag full of money completely undetected, I don't think that I could resist.

    Don't give people power that they should not have. The good people will probably use it in ways that they should not. The bad people definitely will.

  • If the extremely well funded NSA was unable to keep control of their data, and their cyber weapons for even a few years, how can any organization claim that they are secure enough to be allowed access to this type of information?

    In this case we *can* condemn the entire idea based on a single slip-up. Imagine the damage that could be done by the theft of information that could include extremely valuable corporate insider information, personal information on politicians, sensitive government information, et
