Writing in Lawfare, a blog dedicated to national security issues published by the Lawfare Institute in cooperation with the Brookings Institution, Ian Levy, technical director of the National Cyber Security Center, and Crispin Robinson, cryptanalysis director at GCHQ, say it is "relatively easy" for a service provider to "silently add a law enforcement participant to a group chat or call."
"The service provider usually controls the identity system and so decides who's who and which devices are involved. You end up with everything still end-to-end encrypted, but there's an extra ‘end' on this particular communication. This sort of solution seems to be no more intrusive than virtual crocodile clips our democratically elected representatives and judiciary authorise today in traditional voice intercept solutions," they suggest.
The gruesome twosome suggest such a remedy to the long-running issue of authorities demanding access to encrypted communication systems "certainly doesn't give any government power they shouldn't have". The US government was recently unsuccessful in its attempts to compel Facebook to allow law enforcement to spy on conversations conducted via its ‘Messenger' app, and bids by many countries to break into WhatsApp's encrypted system are ongoing.
Absolute madness: the British government wants companies to poison their customers' private conversations by secretly adding the government as a third party, meaning anyone on your friend list would become "your friend plus a spy." No company-mediated identity could be trusted. https://t.co/8CwoZfBM3K— Edward Snowden (@Snowden) November 29, 2018
Such efforts have typically foundered due to intense public opposition, and resistance from cybersecurity experts and the firms involved — as a ‘back-door' in any communications platform can likely not only be exploited by authorities but hostile actors too, and would apply to all user accounts at a particular service, rather than merely criminal elements'.
However, Levy and Robinson suggest their solution is a "better way" as it wouldn't involve "laywers, philosophers and PR departments shout[ing]."
"We're not talking about weakening encryption or defeating the end-to-end nature of the service. We're talking about suppressing a notification on a target's device, and only on the device of the target and possibly those they communicate with. That's a very different proposition. The apps and services we're talking about are usually just software and they're updated often to add features and fix defects and vulnerabilities. We collectively need to decide whether hardware changes are a reasonable thing to ask a vendor to do," they explain.
The conversation on exceptional access is a non-starter until the pro- side actually can come up with schemes that work that would satisfy them… this is weak sauce: https://t.co/rYGBizvr9J— Joseph Lorenzo Hall (@JoeBeOne) November 29, 2018
The last question posed by the duo is a potentially problematic one — for beyond the quandary of whether it's "reasonable" to ask messaging service providers to structure hardware changes specifically around agencies' surveillance needs, there's also the question of whether tech firms would acquiesce without a big fight, which recent history suggests is highly unlikely.
This proposal for an encryption backdoor by Ian Levy and Crispin Robinson is deeply troubling. Among other concerns, it will severely undermine trust in the services that are subject to any such order — an equity the authors claim to prioritize. https://t.co/zovrsXJFm6— Robyn Greene (@Robyn_Greene) November 29, 2018
In addition to this, even if tech firms do allow spies to invisibly sit in on conversations in real-time, there's the issue of how to retrieve any incriminating data thrown up during a chat — which even the devilish tech wizards concede would be "hard". Nonetheless, they suggest "getting access to cloud backups" could be a solution. If those backups are encrypted, "maybe we can do password guessing on big machines" they speculate. Evidently, British spying agencies will stop at nothing, and leave no stone unturned, in their eternal quest to know everything about everyone all the time.