Two officers at Britain's Government Communications Headquarters (GCHQ) signals intelligence agency have devised a proposal to solve that seemingly intractable problem, namely how to intercept end-to-end encrypted communications - without breaking or weakening the encryption.
Governments around the world, including Australia, are currently trying to figure out how to avoid bad actors and people of interest "going dark", with messaging and other internet-borne communications employing strong and in practice, undefeatable encryption.
Legally forcing providers and developers to weaken or break encryption risks introducing systemic weakness and putting everyone's communications as well as financial systems in danger, security researchers have warned.
Now however, Ian Levy and Crispin Robinson, both technical directors at GCHQ, believe they might have a come up with a solution that leaves encryption alone while allowing government agencies to listen in on conversations.
Levy and Robinson propose going back to the days of clamping crocodile clips on phone lines for interception, with some modern tweaks to make it work over the internet.
"In a world of encrypted services, a potential solution could be to go back a few decades. It’s relatively easy for a service provider to silently add a law enforcement participant to a group chat or call.
The service provider usually controls the identity system and so really decides who’s who and which devices are involved - they’re usually involved in introducing the parties to a chat or call. You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication," the GCHQ officers wrote.
To make this work, notifications that a law enforcement listener has been added to a conversations have to be supressed on targets' devices and if necessary, those they communicate with.
Because that's the only thing required, Levy and Robinson said "you don't even have to touch encryption".
This would appear to solve the problem of accessing communications without breaking encryption and that way, introducing dangerous system weakness - and the UK government is committed to the use of commodity encryption to secure communications.
Former National Security Agency contractor and leaker of top secret spy agency information Edward Snowden panned the proposal immediately, saying no provider or company mediated identity could be trusted if it goes ahead.
Absolute madness: the British government wants companies to poison their customers' private conversations by secretly adding the government as a third party, meaning anyone on your friend list would become "your friend plus a spy." No company-mediated identity could be trusted. https://t.co/8CwoZfBM3K
— Edward Snowden (@Snowden) November 29, 2018
Security researcher Mustafa al-Bassam pointed out that the proposal exploits the fact that users don't verify each other's public keys, and bad encryption keys would be injected.
To prevent listeners being quietly added to users' conversations, Al-Bassam user friendly key verification will become increasingly important.
Making systems such as Key Transparency, used for looking up public keys, more user friendly so as to detect server misbehaviour while managing encryption credentials even when users don't verify the keys will also help to foil the GCHQ's proposal, al-Bassam said.
.jpg&h=140&w=231&c=1&s=0)
