Two of British spying agency GCHQ’s top staff have suggested one way authorities could access encrypted messaging services is to covertly add spies to private conversations.
Writing in Lawfare, a blog dedicated to national security issues published by the Lawfare Institute in cooperation with the Brookings Institution, Ian Levy, technical director of the National Cyber Security Center, and Crispin Robinson, cryptanalysis director at GCHQ, say it is “relatively easy” for a service provider to “silently add a law enforcement participant to a group chat or call.”
“The service provider usually controls the identity system and so decides who’s who and which devices are involved. You end up with everything still end-to-end encrypted, but there’s an extra ‘end’ on this particular communication. This sort of solution seems to be no more intrusive than virtual crocodile clips our democratically elected representatives and judiciary authorise today in traditional voice intercept solutions,” they suggest.
‘Better Way’
The gruesome twosome suggest such a remedy to the long-running issue of authorities demanding access to encrypted communication systems “certainly doesn’t give any government power they shouldn’t have”. The US government was recently unsuccessful in its attempts to compel Facebook to allow law enforcement to spy on conversations conducted via its ‘Messenger’ app, and bids by many countries to break into WhatsApp’s encrypted system are ongoing.
Such efforts have typically foundered due to intense public opposition and resistance from cybersecurity experts and the firms involved, as a ‘back-door’ in any communications platform can likely be exploited not only by authorities but by hostile actors too, and would apply to all user accounts at a particular service rather than merely those of criminal elements.
However, Levy and Robinson suggest their solution is a “better way” as it wouldn’t involve “lawyers, philosophers and PR departments shout[ing].”
“We’re not talking about weakening encryption or defeating the end-to-end nature of the service. We’re talking about suppressing a notification on a target’s device, and only on the device of the target and possibly those they communicate with. That’s a very different proposition. The apps and services we’re talking about are usually just software and they’re updated often to add features and fix defects and vulnerabilities. We collectively need to decide whether hardware changes are a reasonable thing to ask a vendor to do,” they explain.
The last question posed by the duo is a potentially problematic one — for beyond the quandary of whether it’s “reasonable” to ask messaging service providers to structure hardware changes specifically around agencies’ surveillance needs, there’s also the question of whether tech firms would acquiesce without a big fight, which recent history suggests is highly unlikely.
In addition to this, even if tech firms do allow spies to invisibly sit in on conversations in real-time, there’s the issue of how to retrieve any incriminating data thrown up during a chat — which even the devilish tech wizards concede would be “hard”. Nonetheless, they suggest “getting access to cloud backups” could be a solution. If those backups are encrypted, “maybe we can do password guessing on big machines,” they speculate. Evidently, British spying agencies will stop at nothing, and leave no stone unturned, in their eternal quest to know everything about everyone all the time.
Source: sputniknews.com