The U.K.’s GCHQ, a parallel agency like the United States N.S.A., recently proposed a Ghost Protocol solution. They could finally use it to spy on encrypted conversations. GCHQ has been attempting to fight this battle for years. They have repeatedly argued that law enforcement needs access to personal discussions to conduct investigations. GCHQ’s original stance has been that users don’t need encrypted channels to speak on.
After that argument failed, they proposed the idea of adding back doors to encryption algorithms that would almost certainly weaken those encryption algorithms and leave communication apps subject to hacks. After receiving the mass industry push back on that argument, the GCHQ proposes what is being dubbed as ‘The Ghost Protocol’ to snoop on private conversations. This proposal could potentially impact everyone globally, though, and not just citizens in the United Kingdom.
Table of Contents
What is the Ghost Protocol, and how does it work?
It’s important to note that the Ghost Protocol isn’t formalized in the same sense that the TCP/IP protocol is. Instead, it’s a framework of how law enforcement might listen to encrypted communications. It would be impossible to build a standard protocol around messaging systems as most messaging systems, like Apple Message and WhatsApp, all use different encryption schemes to protect conversations.
Most messaging systems work by using public and private critical methods of encryption, though this varies between communication platforms. For instance, Apple stores keys on their servers while other platforms like Threema use very traditional encryption methods like PGP.
In a public/private key scheme, a message is encrypted using someone’s public key. Only the person possessing the matching private access to that public key can decrypt and read that encrypted message. If multiple people are included in that conversation, that same message needs to be encrypted multiple times with each different public key.
The Ghost Protocol states that another account should be included in those messages. That account would be owned by law enforcement. The people communicating within that message thread wouldn’t see that copies of their statements are also being sent to GCHQ.
The Cost Incurred by App Platforms
First, it needs to be stated that implementing a system like this for app platforms will not be cheap. A lot of code will have to be re-written and tested to make this work. That means special development teams need to be created within each app platform to make these changes. Each messaging platform will need to hire extra developers or pull talent away from other projects. An entirely new IT toolchain would need to be created and deployed at each company to make this work.
There’s also the cost of storage. Storing a single message on an information system isn’t expensive, but the Ghost Protocol would require that a duplicate copy of every single message sent on that app’s platform would need to be stored. Storage and database costs will double overnight if the Ghost Protocol is implemented.
Helpful Systems
Messaging systems will have to figure out how to deploy two different apps in both the U.K. and the rest of the world — one that includes the Ghost Protocol and one that doesn’t. There’s a lot of questions they will need to answer. For instance, would WhatsApp need to create a different app for the U.K., the United States, and Canada? If they do, what happens if one of their users travels to and from the U.K.?
Would that person be required to install the U.K. version of that app? If that person does, would that Ghost Protocol feature continue to work after that user left the U.K.? If it does, how is that app platform going to handle local laws?
An excellent example of this is GDPR. If someone outside of the U.K. visits the United Kingdom, but lives within the EU, is the app platform subject to GDPR laws? If they are, that could mean huge fines and costs for that app platform for violating GDPR once that user returns home. It’s going to cost a lot of money to figure out these answers.
How could the Ghost Protocol affect the rest of the world?
If the Ghost Protocol is implemented within the U.K., it won’t be long before other countries start requesting that same access. The United States has been pushing for similar laws requiring that law enforcement should be allowed to access encrypted, private communication for some time now. If the U.K. implements this as law, that will give the United States precedent to enforce similar laws.
It could be assumed that messaging services would implement the code to handle the Ghost Protocol in all versions of their apps deployed worldwide. App developers would likely implement some geofencing form within the app to either enable or disable that functionality. Once this functionality is implemented within messaging apps, nothing prevents nation-states, like China or Russia, from allowing this functionality within their borders. What kind of implications does that have for business travelers? Businesses will need to analyze these risks and create solutions for them.
Should the Ghost Protocol be implemented, there will be many costs and support issues that businesses will need to figure out worldwide. Companies within the United States are going to have to determine new security policies for traveling employees. That might mean revising already costly policies and implementing new loaner devices that can be easily sanitized. There are many other issues that businesses may need to handle, primarily if similar laws are enforced within the United States.
For more information about the Ghost Protocol, please send us a message or call 480-493-5999.