Not going dark: personal data from the Internet of Things ushers in a golden age for law enforcement

A new report from the Brennan Center of Justice highlights how much information that law enforcement is able to siphon from the “smart” internet of things connected devices that are increasingly everywhere. While individual devices might only provide a snippet of information, combining the information from many devices can provide very intimate looks at personal activity. As bad as the issue is now, the ability for law enforcement to use personal data from IOT devices is only anticipated to grow.

More Privacy News This Week:

Facial recognition identifies people wearing masks

A Japanese company called NEC has developed a system that can identify people with 99.9% accuracy even when they’re wearing face masks. The system is called NeoFace Live Facial Recognition and improves on previous facial recognition algorithms that could only identify 20-50% of masked individuals.  While many people viewed the increased anonymity from the newfound ubiquity of face masks as a silver lining of the last year, that relative peace of mind can now be discarded.

WhatsApp is forcing users to share personal data with Facebook, and Elon Musk is urging people to switch to Signal, a smaller encrypted messaging app

WhatsApp has made the long awaited move of changing its privacy policy to share personal data from WhatsApp users to its parent company Facebook. According to Facebook, the change in the privacy policy is to bring business cross chat functionality from WhatsApp to Facebook. The change will officially happen on February 8th, and WhatsApp users have until then to stop using WhatsApp. Spurred on by celebrity endorsements, many users are moving over to apps like Signal instead

Leaked Location Data Shows Another Muslim Prayer App Tracking Users

A second popular Muslim prayer time reminder app with over ten million downloads has been revealed to sell personal information of users to government agencies such as the FBI and ICE. The app, Salaat First, entered into a data sharing arrangement with a French firm called Predicio which then passes on the information to the now infamous American firm Venntel. The information – which includes precise location – is then passed on from Venntel to law enforcement and government agencies.

A new cross-platform remote access tool, ElectroRAT, has been caught infecting Windows, Linux, and macOS systems

ElectroRAT arrives as a Trojan horse claiming to be a cryptocurrency management and trading app. However, in reality, it attempts to steal cryptocurrency from the victim. The malware has apparently been around for a whole year, but most antivirus software offered little to no defense against ElectroRAT until this month.

Brought to you by Private Internet Access

Privacy News Online is brought to you by Private Internet Access, the world’s most trusted VPN service.

Special thanks to Intego

Thank you to Josh Long, our cybersecurity correspondent from Intego, makers of award-winning security software.

The post Privacy News Online | Weekly Review: January 15, 2021 appeared first on Privacy News Online by Private Internet Access VPN.

Apple has revealed to the world just how information hungry Facebook is

9 to 5 Mac illustrated the sharp contrast between the data harvesting footprints of Facebook Messenger vs WhatsApp vs iMessage vs Signal in an infographic that has been making its rounds on the internet. The image shows the full spectrum – on the full blast side of the personal information siphon is none other than Facebook Messenger which shares everything from purchases and financial info to browsing history, search history, and even something called sensitive info. Apple’s privacy labels even categorize what the personal information is used for. In Facebook Messenger’s case, the information is used for everything from third party advertising, to analytics, product personalization, app functionality, and even something called “other purposes.” Facebook has called these privacy labels misleading and “anti-competitive.” On the privacy preserving end of the spectrum is Signal, which collects none of that information.

While those that consider themselves privacy experts have long known the stark differences in the privacy offered by different apps, depending on company philosophy, Apple’s privacy labels are bringing that sentiment to the masses finally. Since the release of the privacy labels, thousands if not millions of users have updated their end to end encrypted messaging app of choice. Public figures such as Elon Musk, the newly minted richest man in the world, have now publicly endorsed Signal. At the same time, many continue to lament the use of phone numbers by the Signal app – though the privacy labels confirm that Signal does not attempt to correlate your phone number with any other information. On their end, Signal has stated that they are working on allowing Signal use without a phone number.

The post Apple’s new privacy labels show how data hungry Facebook Messenger and WhatsApp are appeared first on Privacy News Online by Private Internet Access VPN.

Featured: Privacy News Online – Week of December 18th, 2020

WhatsApp calls Apple’s new privacy nutrition labels for iOS 14 anti-competitive

Facebook’s WhatsApp messenger has taken a public stance against Apple’s new privacy nutrition labels. WhatsApp provided the requested privacy information to Apple by the required deadline, but the messaging company also took to the internet to reassure users that the app doesn’t use as much personal information as the labels will make it seem. WhatsApp called Apple’s privacy labels too broad, and noted that users may never check privacy labels for pre-installed apps like iMessage.

A new report shows Google tracks 80% of the Web, with Amazon likely to overtake Facebook as second-worst privacy threat

The new report, titled Tracking the Trackers, examined what trackers were embedded on websites around the world and which companies received the tracking information. The results showed that in 1st place is still Google, with Google trackers found on 80% of the web. Coming in 2nd and 3rd are Amazon with about 30% coverage and Facebook with about 23% coverage. While Google grew from 60% to 80% between 2017 and 2020, Amazon has nearly tripled its web tracking coverage in the same timeframe.

Reviewers call the Amazon Halo wearable the “most invasive we’ve ever tested”

The Amazon Halo is a new health tracking band that reviewers are concerned about. To use the Amazon band, you’ll need to submit nearly naked pictures or body scans to the accompanying app so it can judge your body’s fat levels. Additionally, the band uses AI to check on the tone of your voice and will tell you if it thinks you’re feeling annoyed or opinionated. Wonder if Amazon Halo could tell that I feel… violated.

More Privacy News This Week:

Cloudflare and Apple design a new privacy-friendly internet protocol

Engineers from Apple and Cloudflare have designed a more private way to do DNS, called Oblivious DNS-over-HTTPS – or oDoH (oh doh) for short. DNS has traditionally been used by internet service providers and governments to surveill and censor internet use. oDoH would make such DNS based tracking obsolete.

Apple Could Ban Apps That Don’t Follow iOS 14 Anti-Tracking Rules, Says Software Chief Craig Federighi

Apple is deadly serious about its new rules that will require app makers to acquire opt-in permission from users before collecting their random advertising identifier for tracking purposes. This unique identifier is crucial to the advertising industry’s real time tracking abilities, and Apple is taking the unpopular move to limit its use. If apps don’t comply, they will be banned.

Microsoft, FireEye confirm SolarWinds supply chain attack

The SolarWinds Orion Platform, which is used to manage endpoints at many U.S. companies and government agencies, was apparently compromised by foreign threat actors around March of this year. U.S. security firm FireEye, the U.S. Treasury Department, and the U.S. Commerce Department’s National Telecommunications and Information Administration are among the organizations that seem to have been targeted. All users of SolarWinds’ Orion Platform should quickly install the hotfix released this week, and check for the existence of “Sunburst” malware.

Brought to you by Private Internet Access

Privacy News Online is brought to you by Private Internet Access, the world’s most trusted VPN service.

Special thanks to Intego

Thank you to Josh Long, our cybersecurity correspondent from Intego, makers of award-winning security software.

The post Privacy News Online | Weekly Review: December 18, 2020 appeared first on Privacy News Online by Private Internet Access VPN.

WhatsApp protests new privacy nutrition labels on multiple fronts

The crux of WhatsApp’s “privacy nutrition labels are anticompetitive” argument is that Apple preinstalls iMessage, which means pretty much all users won’t ever see iMessage’s privacy nutrition label – even though Apple does provide it. A WhatsApp spokesperson told Axios:

“We think labels should be consistent across first and third party apps as well as reflect the strong measures apps may take to protect people’s private information. While providing people with easy to read information is a good start, we believe it’s important people can compare these ‘privacy nutrition’ labels from apps they download with apps that come pre-installed, like iMessage.”

On Apple’s end, they have emphasized that privacy nutrition label information will be available even for preinstalled apps like iMessage.

WhatsApp is also upset that the privacy nutrition labels are too broad, and is essentially worried that those looking at the privacy nutrition label for WhatsApp might be put off by the seemingly large amount of information that WhatsApp is collecting. A spokesperson from WhatsApp told Axios:

“Our teams have submitted our privacy labels to Apple but Apple’s template does not shed light on the lengths apps may go to protect sensitive information. While WhatsApp cannot see people’s messages or precise location, we’re stuck using the same broad labels with apps that do.”

WhatsApp is worried that the privacy nutrition labels will “spook” users and give first party apps like iMessage a competitive edge over WhatsApp – and hopes to even the playing field with their protest.

The post WhatsApp calls Apple’s new privacy nutrition labels for iOS 14 anti-competitive appeared first on Privacy News Online by Private Internet Access VPN.

Current contact discovery implementations have a lot of privacy flaws – even in otherwise private apps

The paper highlights the privacy flaws of contact discovery APIs utilized by most messaging apps – including ones recommended for privacy such as Signal, Telegram, and WhatsApp.  When you sign up for a messaging service like WhatsApp, an entire list of your contacts is sent to the centralized service unencrypted which has the side effect of leaking your social graph. Some messaging services, like Signal, have improved on that archaic model and send hashed copies of contacts to evaluate; however, said hashes are likely reversible by the service provider. Of course, it’s possible for the apps to infer this information just from metadata, and it’s naive to think they don’t.

All American Signal users enumerated due to contact discovery privacy flaws

The authors described their enumeration process which highlights the most glaring privacy flaw from current contact discovery implementations:

“Using an accurate database of mobile phone number prefixes and very few resources, we have queried 10 % of US mobile phone numbers for WhatsApp and 100 % for Signal.”

Some implementations of contact discovery are better than others. The researchers noted that Telegram seemingly leaked additional contact information – even for those contacts that don’t use Telegram:

“For Telegram we find that its API exposes a wide range of sensitive information, even about numbers not registered with the service.”

Through their research, the paper’s authors were even able to gather data on how many phone numbers use both Signal and WhatsApp or Telegram and Signal or any combination of the three. Some people might not see the privacy implications of leaking your social graph, or being enumerated as a user of a service; however, the potential for damage is there.

The researchers explained:

“The simple information whether a specific phone number is registered with a certain messaging service can be sensitive in many ways, especially when it can be linked to a person. For example, in areas where some services are strictly forbidden, disobeying citizens can be identified and persecuted.”

Persecution for using encryption and privacy apps is a very real threat in multiple jurisdictions in the world. All hope isn’t lost, though, the paper points out novel techniques for mitigating contact discovery’s privacy flaws and hopefully we see them implemented by otherwise very privacy forward companies. Not tying phone numbers to encrypted messaging apps would be nice, too.

The post Researchers were able to figure out which American phone numbers use Signal appeared first on Privacy News Online by Private Internet Access VPN.

Perhaps more interesting are some other cases involving well-known Internet names. One concerns WhatsApp, and how information about its users is shared with Facebook, which bought WhatsApp for $19 billion in 2014. Three others are cases brought by the privacy expert Max Schrems, discussed on this blog two years ago. Schrems says that top Internet services like Facebook, WhatsApp and Instagram are guilty of “forced consent”. This is the practice of offering two basic choices to users of an online service: agree to be tracked for the purposes of serving up ads, or be thrown off the service. It’s a crucially important issue, since many Web sites adopt the same approach. If the DPC rules against it, the impact on the digital sector in the EU would be huge.

With its public statement, the Irish DPC is trying to signal that it is working hard on these big cases, but Schrems doesn’t think it is making enough progress. In an open letter to the EU’s data protection bodies, the European Commission, and the European Parliament, Schrems writes:

These three cases, in which the DPC acts as the lead authority, show that the cooperation mechanism under Chapter 7 of the GDPR becomes fundamentally dysfunctional if involved Data Protection Authorities (DPAs) do not cooperate in a swift and efficient manner. In a parallel procedure, the French [data protection agency] CNIL was able to single-handedly issue a €50 million fine against Google within seven months. In contrast, after two years, the DPC has completed the first of six steps last week in the cases against Instagram and WhatsApp

He points out that at the current speed, these cases could easily take more than ten years until all appeals are decided and a final decision is reached. Moreover, he says that two of the draft inquiry reports share most of their text – a plagiarism app found an overlap of 82% – which suggests the real pace of the inquiry is even slower. It’s not just about speed. Schrems claims that the DPC had “confidential” meetings with Facebook about how to bypass some of the GDPR’s protection. He’s not the only GDPR expert that thinks there’s a big problem with the enforcement side of things. Johannes Caspar, a leading German regulator for data protection, told Politico:

“I’m completely critical of the enforcement structure of the GDPR,” said Caspar, whose office is in charge of overseeing the German activities of several Silicon Valley firms. “The whole system doesn’t work.”

Against that troubled background Access Now has produced a useful report reviewing the general progress in implementing the GDPR. It too notes the slow pace of enforcement, but also underlines a worrying trend for the law to be misused to silence journalists and NGOs. It warns that an official review of the GDPR, currently underway, is being used by opponents of the law in an attempt to water down its stringent privacy protections.

Finally, marking the second anniversary of the GDPR, the Security Research group at the University of Cambridge has picked out three interesting studies that look at particular aspects of the GDPR. “Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence” looks at how users are manipulated into giving their consent to being tracked online, and how Web sites make it hard for people to protect their privacy. “Do Cookie Banners Respect my Choice? Measuring Legal Compliance of Banners from IAB Europe’s Transparency and Consent Framework” is an updated version of research discussed on Privacy News Online in December last year. The academics tested the cookie banners used on 560 Web sites, and found at least one GDPR violation on 54% of them. The final paper explores “The Commodification of Consent“, and how the legal concept of “consent” has become an asset that can be traded:

Users interact with a consent dialogue offered by one coalition member. The default setting allows any other coalition member, including both publishers and third-party vendors, to use this consent as a legal basis for processing personal data. This paper considers how this legal innovation could change the distribution of revenues among firms.

As the above indicates, the GDPR has become a rich and complex area, touching many different aspects of privacy, not just in the EU, but globally. Pressure is building on the Irish DPC in particular to demonstrate that the GDPR has real teeth, and that infringements will be pursued and punished with serious fines. That means that we are likely to see some very interesting new developments in the field of enforcement in the not-too-distant future.

Featured image by waldryano.

The post Top EU data protection agency under pressure to act against Internet giants as GDPR turns 2 years old appeared first on Privacy News Online by Private Internet Access VPN.

Your WhatsApp groups may not be as secure as you think they are.

The "Invite to Group via Link" feature allows groups to be indexed by Google and they are generally available across the internet. With some wildcard search terms you can easily find some… interesting… groups. pic.twitter.com/hbDlyN6g3q

— Jordan Wildon (@JordanWildon) February 21, 2020

That means that many private groups on WhatsApp actually had their doors wide open. When someone enters the group, all phone numbers of group members and previous messages are all laid bare to the newcomer and no permission from existing members is needed.

Why are there search-able WhatsApp private groups?

WhatsApp says they aren’t going to do anything about it because the functionality of private groups works as intended,still. What’s happening here is that private WhatsApp groups have invite links – that’s often how new users are added. However, if that private WhatsApp group’s private invite link gets posted somewhere that Google crawls (which is everywhere online). Essentially, if a member of your group leaks the invite link by posting it on the public internet somewhere, A search engine will find it, and new users will eventually be able to enter your private group.

A WhatsApp spokesperson emphasized to The Independent that this was normal functionality:

“Like all content that is shared in searchable, public channels, invite links that are posted publicly on the internet can be found by other WhatsApp users. Links that users wish to share privately with people they know and trust should not be posted on a publicly accessible website.”

Facebook has actually known about this issue since November, 2019 – when they received a bug report about it from HackrzVijay.

https://twitter.com/hackrzvijay/status/1230853118490857478

Within a day of media coverage about the lack of privacy surrounding private WhatsApp groups, WhatsApp finally decided to use Google’s -noindex tag for invite links to keep them from being indexed, While Google has stopped indexing these links, other search engines still are indexing them.

What can you do to protect your WhatsApp private group?

Members of private groups should check their members list to see if anyone has snuck in via this method. It’s also wise for group members of any group that’s supposed to be private to have a frank conversation about this possible attack vector. Better yet, consider using a better software that isn’t closed source and owned by a megalithic, privacy-disregarding, advertising company. In case your invite link is already out there, WhatsApp does let you reset the invite link which invalidates the old link. Really paranoid people could even regularly destroy and recreate the private group. However, at that point, they should really just get back to the main point: Don’t use WhatsApp in the first place.

The post Many WhatsApp private groups are indexed in Google and open to the public appeared first on Privacy News Online by Private Internet Access VPN.

In some situations, is isn’t the use of the WhatsApp application that is blocked; however, the ability to download WhatsApp is blocked. In such scenarios, it is still possible to download WhatsApp. One shouldn’t default to using unofficial WhatsApp knockoff apps, as there are security risks associated with that. Instead, you should use a VPN like Private Internet Access to download and use the official app without being blocked.

How to use Private Internet Access to unblock WhatsApp?

Private Internet Access encrypts your internet traffic and routes it through our servers so that your internet service provider (or the government over their shoulder) has no idea what apps you are using and your privacy is protected. If you’re unable to use WhatsApp, simply turn on Private Internet Access and you’ll have unrestricted access to the open internet, as it was meant to be.

1. Download Private Internet Access from the Google Play Store, the Apple iTune App Store, or the APK file (for advanced users) if you haven’t already.
2. Connect to Private Internet Access with your username and password.
3. Select a server in a country that is not blocking WhatsApp (I recommend the United States).
4. Enjoy unrestricted access to WhatsApp.

How to unblock WhatsApp download from the iTunes App Store?

If your country has convinced Apple to remove WhatsApp from the locally available app store, you can still access the full App Store by changing your country settings in your phone preferences. Do so by following the below instructions

1. Navigate to the Settings icon on your Home screen.
2. Select iTunes & App Store with your finger.
3. Select Apple ID with your finger.
4. Authenticate with whatever security measure you have set (Password or Touch ID).
5. Select Country/Region with your finger.
6. Select Change Country or Region with your finger.
7. Choose a new country or region (I suggest the United States).
8. Tap on Next.
9. Restart your phone to access a less restrictive App Store

How to unblock WhatsApp download from the Google Play Store?

If your country has convinced Google to remove WhatsApp from the locally available app store, you can still access the full Google Play App Store by changing your country settings in your phone preferences. Do so by following the below directions.

1. Open the Google Play Store app on your Android phone or tablet.
2. Select Menu Account Country and profiles. You should see two countries – your currently selected Google Play country and the country that Google thinks you’re currently in.
3. Select the country you want to change to.

How to unblock WhatsApp in Brazil

WhatsApp has been blocked in Brazil several times as a result of court battles between Facebook and the Brazilian government. WhatsApp refused to, and said they were unable to by design, decrypt messages as requested by the Brazilian court. WhatsApp users in Brazil should keep Private Internet Access installed in case the government blocks WhatsApp again.

How to unblock WhatsApp in Turkey

Turkey has blocked WhatsApp several times since 2016. WhatsApp, along with other apps such as YouTube or Twitter have been blocked by Turkey’s government and internet service providers for long periods of time to offset political turmoil. WhatsApp users in Turkey should use Private Internet Access to access an open and unrestricted internet.

How to unblock WhatsApp in Kazakhstan

Kazakhstan most recently cracked down on some social media platforms also during a period of political turmoil. Specifically, Kazakhstan blocked streaming services and other social media services. In fact, they even went so far as to tamper with internet services as a whole. The government has attempted on multiple occasions to get all Kazakh netizens to install a man-in-the-middle (MITM) certificate so that the government could intercept communications from social media apps. Whatsapp users in Kazakhstan should use Private Internet Access to access an open and unrestricted internet.

The post How to unblock WhatsApp appeared first on Privacy News Online by Private Internet Access VPN.

Does this force a backdoor to WhatsApp?

The wording has caused some to worry that the language can be used to force WhatsApp to add a backdoor – or share an existing backdoor with the UK. The Times in London first reported this story with titles that left room for interpretation that messages would somehow be decrypted before being sent across the border, and that the sharing would happen without US court oversight.

WhatsApp’s Will Cathcart responded to the story in a Hacker News comment. He clarified WhatsApp’s official stance on this treaty forcing WhatsApp to build a backdoor for UK use:

“We were surprised to read this story and are not aware of discussions that would force us to change our product. We believe people have a fundamental right to have private conversations. End-to-end encryption protects that right for over a billion people every day.

We will always oppose government attempts to build backdoors because they would weaken the security of everyone who uses WhatsApp including governments themselves. In times like these we must stand up both for the security and the privacy of our users everywhere. We will continue do so.”

Is there an existing backdoor to WhatsApp?

The UK has claimed since earlier this year that they have a way to break WhatsApp’s encryption – though most range from suspicious to incredulous regarding that claim. This claim was reported by The Independent, which asked about the specifics of their decryption technique, and was only able to share this answer with the world:

“Details of the method used cannot be disclosed for security reasons, but sources said they now have the technical expertise to repeat the process in future.”

The Cloud ACT will likely lead to sharing of WhatsApp metadata

Even in the status quo scenario where WhatsApp’s encryption isn’t broken by the UK, the metadata that will be shared will still satisfy some of the wants and needs of law enforcement. When Facebook first bought WhatsApp, the thought of WhatsApp’s data on such a large number of users would fall into the unscrupulous hands of Facebook was alarming enough by itself. While this has long since inevitably happened, the further inevitable next step, that any account data – including metadata and potentially-crackable-now-or-in-the-future would then be shared with government(s) is now upon us.

Just metadata alone is enough to break someone’s privacy. For a more in depth look at why the metadata about end to end encrypted messages is still valuable to law enforcement agencies, check out Rick Falkvinge’s 2014 article on the Private Internet Access blog that highlights the value of metadata – for Facebook, not just law enforcement. The fact that law enforcement around the world continually targets this metadata clues in internet users that they need to up their OpSec game.

The post New treaty will allow UK to request data, not backdoor, from US social media companies like WhatsApp appeared first on Privacy News Online by Private Internet Access VPN.

One reason the legislation was rushed through in its present dangerous form is that the main opposition party in Australia thought it would be able to improve things afterwards. Indeed, 12 days after the encryption law was passed, Australia’s Parliamentary Joint Committee on Intelligence and Security announced it would begin a review of the law. Even though leading technology companies and civil liberties organizations are all strongly against the law, it’s not clear the review will lead to any radical changes. Australia’s Digital Rights Watch group wants the entire law repealed:

Encryption is not a barrier to a safe society – quite the opposite – it is a form of protection against criminal acts, including state-sponsored hacking. Encryption plays a role in protecting our digital infrastructure, such as the banking system, the electricity grid and mass transit systems. This is the future of warfare and encryption is one of our few defences against criminal and aggressive acts. It is an important line of defence against bad actors, and we weaken it at our peril.

While Australia continues to argue about the use of “traditional” encryption backdoors, two senior officers from the UK’s signals intelligence agency, GCHQ, have published an interesting proposal that takes a different approach. It contains some welcome statements, such as: “Targeted exceptional access capabilities should not give governments unfettered access to user data.” They say they don’t propose that governments should have access to some kind of “global key” that can unlock any user’s data. They point out that “Government controlled global key escrow systems would be a catastrophically dumb solution in these cases.” They go on to propose what they see as an alternative to weakening strong encryption: silently adding law enforcement agents to otherwise encrypted conversations:

The service provider usually controls the identity system and so really decides who’s who and which devices are involved – they’re usually involved in introducing the parties to a chat or call. You end up with everything still being end-to-end encrypted, but there’s an extra ‘end’ on this particular communication.

They say this is no more intrusive than the technique used in traditional voice intercept solutions – clipping on extra wires to circuits – that it doesn’t give any government power they shouldn’t have, and does not require backdoors that weaken security. That all sounds promising, but experts have criticized the idea for various reasons. For example, Susan Landau, a professor in the Department of Computer Science, Tufts University, says:

alligator clips, as they’re called on this side of the Atlantic, intercept communications, but they do so for communications for which the service provider has not made a commitment of providing end-to-end encryption. The difference between alligator clips and the proposed virtual crocodile clips [of GCHQ’s suggestion] is that in the latter, the service provider is being asked to change its communication system to provide exactly what the end-to-end encryption system was designed to prevent: access by a silent listener to the communication.

The Electronic Frontier Foundation is also unconvinced. A post on its site points out that for a system involving these kind of “ghost” participants to work would require client software to lie:

In WhatsApp’s UX [user experience], users can verify the security of a conversation by comparing “security codes” within the app. So for the ghost to work, there would have to be a way of forcing both users’ clients to lie to them by showing a falsified security code, as well as suppress any notification that the conversation’s keys had changed. Put differently, if GCHQ’s proposal went into effect, consumers could never again trust the claims that our software makes about what it’s doing to protect us.

Fiddling with the code in this way would increase the risk that new vulnerabilities would be introduced, and that other actors could use the same ghost function to eavesdrop on supposedly secure conversations. That’s obviously bad for users and society in general. But the EFF is right to emphasize the fundamental problem with the GCHQ proposal: that it would undermine trust in an application and the company that made it – hardly a desirable result. As well-known security expert Bruce Schneier puts it: “Communications companies could no longer be honest about what their systems were doing, and we would have no reason to trust them if they tried.”

Matthew Green, a professor at Johns Hopkins University, says providers of messaging software are aware that this is a potential weakness, and are already working to prevent users being misled by client software. The GCHQ proposal therefore amounts to a government agency ordering a software company not to harden their systems against that kind of attack. Green warns that this could be just the start of governments vetting software: “In the worst-case outcome, we’ll be appointing agencies like GCHQ as the ultimate architect of Apple and Facebook’s communication systems.”

The author of the EFF post mentioned above has co-written another, more technical critique of the GCHQ proposal. The analysis sees four likely routes for detecting when the ghost is present: binary reverse engineering, cryptographic side channels, network-traffic analysis, and crash log analysis. The post also points out a different kind of flaw in the idea:

There’s another pretty glaring problem with the ghost proposal that we’re not going to examine here – it only works with text or asynchronous protocols. It’s not immediately clear to us how it could be adapted to real-time audio or video communications.

As the various critiques above make clear, however superficially attractive the GCHQ proposal might seem, it is problematic from multiple viewpoints. It certainly doesn’t resolve the long-standing tension between a desire for the authorities to have access to communications protected with strong encryption, and the requirement for the public, businesses and government to be able to use the Internet as safely as possible.

Featured image by Max Pixel.

The post The latest twist on adding backdoors to encryption is spooky – and dangerous appeared first on Privacy News Online by Private Internet Access VPN.