4 December 2018

GCHQ details how law enforcement could be silently injected into communications

By Chris Duckett

Two of the United Kingdom's highest cyber officers have detailed how they believe law enforcement could access end-to-end encrypted communications.

Written by Technical Director of the National Cyber Security Centre Ian Levy and Technical Director for Cryptanalysis for GCHQ Crispin Robinson, the essay claims that end-to-end encryption would remain, but with an extra "end" for law enforcement.

"It's relatively easy for a service provider to silently add a law enforcement participant to a group chat or call," the pair said.

"The service provider usually controls the identity system, and so really decides who's who and which devices are involved -- they're usually involved in introducing the parties to a chat or call."


The pair claimed that such a solution would be no more intrusive than the crocodile clip-style telephone interception used in the last century, and pointed to early digital exchanges that used conference calling functionality to allow for lawful interception.

The pair further claimed that the solution would not result in "weakening encryption or defeating the end-to-end nature of the service" and would instead suppress a notification on target devices.

An alternative proposal to rely on cracking into seized devices was dismissed as possibly being harder and not proportionate. It was argued that since software undergoes change more often than hardware, the former should be the preferred target.

What is being proposed is a discussion starter, the pair wrote, and more work is needed.

"We need to be able to discuss these openly. We also need to be very careful not to take any component or proposal and claim that it proves that the problem is either totally solved or totally insoluble. That's just bad science, and solutions are going to be more complex than that," the pair wrote on Lawfare.

"[More work] needs to happen without people being vilified for having a point of view or daring to work on this as a problem. The alternative will almost certainly be bad for everyone."

The blog post was called "absolute madness" by Edward Snowden on Twitter.

"The British government wants companies to poison their customers' private conversations by secretly adding the government as a third party, meaning anyone on your friend list would become 'your friend plus a spy'," the Russian-dwelling whistleblower wrote.

"No company-mediated identity could be trusted."

Earlier in the day, GCHQ revealed how it chooses which security vulnerabilities to inform technology vendors of.

The spy agency said it would not tell a company that its software is vulnerable to cyber attacks and hacking if withholding that information is deemed to be the better option for national security.
