GCHQ details how law enforcement could be silently injected into communications

A crocodile clip for the 21st century would see cops and spies silently added to chats and calls.
Written by Chris Duckett, Contributor
(Image: Microsoft)

Two of the United Kingdom's highest cyber officers have detailed how they believe law enforcement could access end-to-end encrypted communications.

Written by Technical Director of the National Cyber Security Centre Ian Levy and Technical Director for Cryptanalysis for GCHQ Crispin Robinson, the essay claims that end-to-end encryption remains, but an extra "end" for law enforcement.

"It's relatively easy for a service provider to silently add a law enforcement participant to a group chat or call," the pair said.

"The service provider usually controls the identity system, and so really decides who's who and which devices are involved -- they're usually involved in introducing the parties to a chat or call."

It is claimed that such a solution would be no more intrusive than the crocodile clip-style telephone interception used in the last century, and pointed to early digital exchanges that used the conference calling functionality to allow for lawful interception.

The pair further claimed that the solution would not result in "weakening encryption or defeating the end-to-end nature of the service" and would instead suppress a notification on target devices.

SEE: What is cyberwar? Everything you need to know about the frightening future of digital conflict

An alternative proposal to rely on cracking into seized devices was dismissed as possibly being harder and not proportionate. It was argued that since software undergoes change more often than hardware, that the former should be the preferred target.

What is being proposed is a discussion starter, the pair wrote, and more work is needed.

"We need to be able to discuss these openly. We also need to be very careful not to take any component or proposal and claim that it proves that the problem is either totally solved or totally insoluble. That's just bad science, and solutions are going to be more complex than that," the pair wrote on Lawfare.

"[More work] needs to happen without people being vilified for having a point of view or daring to work on this as a problem. The alternative will almost certainly be bad for everyone."

The blog post was called "absolute madness" by Edward Snowden on Twitter.

"The British government wants companies to poison their customers' private conversations by secretly adding the government as a third party, meaning anyone on your friend list would become 'your friend plus a spy'," the Russian-dwelling whistleblower wrote.

"No company-mediated identity could be trusted."

Earlier in the day, GCHQ revealed how it chooses which security vulnerabilities to inform technology vendors of.

The spy agency said it would not tell a company if their software is vulnerable to cyber attacks and hacking if it's deemed to be the better option for national security.

Related Coverage

GCHQ: We don't tell tech companies about every software flaw

UK intelligence service details when it won't tell vendors that their software is vulnerable to attack and why that is.

GCHQ's latest startup picks aim at small business security

UK intelligence agency picks the next set of companies to go through its startup accelerator programme.

DHS and GCHQ join Amazon and Apple in denying Bloomberg chip hack story

US and UK officials stand by Amazon and Apple's statements regarding Bloomberg chip hack story.

Cyber security: Nation-state cyber attacks threaten everyone, warns ex-GCHQ boss

Citing Russian cyber attacks and WannaCry, ex-GCHQ director Robert Hannigan says nation-state campaigns have become "a problem for everybody"

Ransomware: A cheat sheet for professionals (TechRepublic)

This guide covers Locky, WannaCry, Petya, and other ransomware attacks, the systems hackers target, and how to avoid becoming a victim and paying cybercriminals a ransom in the event of an infection.

Editorial standards