Debunking "ghost users": MI5's plan to backdoor all secure messaging platforms

When lawmakers and cops propose banning working cryptography (as they often do in the USA), or ban it outright (as they just did in Australia), they are long on talk about "responsible encryption" and the ability of sufficiently motivated technologists to "figure it out" and very short on how that might work — but after many years, thanks to the UK's spy agency MI5, we have a detailed plan of what this system would look like, and it's called "ghost users."

MI5's idea is for secure messaging platforms to create a backdoor in their systems that allows law enforcement to be an invisible part of every encrypted chat.

Eminent cryptographer Matthew Green has written an excellent explainer describing exactly how this plan would work — and also, the risks it would expose users to, and finally, why it will not actually work.

Even though it's a debunking of a daffy, unworkable idea, it's a really important read: though the idea is daffy and unworkable, it stands a good chance of being made into law.

The real problem with the GCHQ proposal is that it targets a weakness in messaging/calling systems that is well known to providers, and moreover, a weakness that providers have been working to close — perhaps because they're worried that someone just like GCHQ (or much worse) might try to exploit it. GCHQ making this proposal virtually guarantees that those providers will move much, much faster.

And they have quite a few options at their disposal. Over the past several years there have been several proposed designs that offer transparency to users regarding which keys they're obtaining from a provider's identity service. These systems operate by having the identity service commit to the keys that are associated with individual users, such that it's very hard for the provider to change a user's keys (or to add a device) without everyone noticing.

Similarly, advanced messengers like Signal have "submerged" the group chat management into the encrypted communications, so that the server cannot add new users without the digitally authenticated approval of one of the existing participants. This design, if implemented in a more popular service, would seem to kill the GCHQ proposal dead.

Of course, these solutions highlight the tricky nature of GCHQ's proposal. Note that in order to take advantage of existing vulnerabilities, GCHQ is going to have to require that providers make changes to their system. But once you've opened the door to forcing providers to change their system, where do you stop? What stops the UK government from, say, taking things a step farther, and using the force of law to compel providers not to harden their systems against this type of attack?

On Ghost Users and Messaging Backdoors [Matthew Green/A Few Thoughts on Cryptographic Engineering]
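
The commitment idea in the quoted passage (an identity service that cannot change a user's keys or add a device without the change being visible) can be sketched with a Merkle tree over each user's device-key set. This is an added example, not code from Matthew Green's post or from any messaging provider; the tree layout, function names and sample directory are assumptions made for illustration.

```python
import hashlib
# Illustration only: function names and the tree layout are assumptions.

def h(*parts):
    """SHA-256 over length-prefixed parts (prevents ambiguous concatenation)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def leaf(user, device_keys):
    # A leaf commits to the user's complete device-key set, order-independent.
    return h(b"leaf", user.encode(), *sorted(device_keys))

def build(leaves):
    """Return every level of the tree, bottom first; an odd node is promoted."""
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [h(b"node", cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels

def prove(levels, index):
    """Inclusion path for leaf `index`: (sibling_hash, sibling_is_left) pairs."""
    path = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            path.append((level[sib], sib < index))
        index //= 2
    return path

def verify(root, user, device_keys, path):
    """Client side: do the keys I was served hash up to the published root?"""
    node = leaf(user, device_keys)
    for sibling, is_left in path:
        node = h(b"node", sibling, node) if is_left else h(b"node", node, sibling)
    return node == root

# Constructed sample directory: user names and key bytes are made up.
DIRECTORY = {"alice": [b"alice-phone", b"alice-laptop"],
             "bob": [b"bob-phone"], "carol": [b"carol-phone"]}
USERS = sorted(DIRECTORY)
LEVELS = build([leaf(u, DIRECTORY[u]) for u in USERS])
ROOT = LEVELS[-1][0]  # the commitment all clients see and compare

def check_served_keys(user, served_keys):
    return verify(ROOT, user, served_keys, prove(LEVELS, USERS.index(user)))
```

A provider that appends a ghost device key must either serve a key list that fails `verify` against the published root, or publish a new root that differs from the one other clients already hold.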