Government Communications Headquarters (GCHQ), the UK’s counterpart to the National Security Agency (NSA), has fired the latest shot in the crypto wars. In a post to Lawfare titled Principles for a More Informed Exceptional Access Debate, two of Britain’s top spooks introduced what they’re framing as a kinder, gentler approach to compromising the encryption that keeps us safe online. This new proposal from GCHQ—which we’ve heard rumours of for nearly a year—eschews one discredited method for breaking encryption (key escrow) and instead adopts a novel approach referred to as the “ghost.”
But let’s be clear: regardless of what they’re calling it, GCHQ’s “ghost” is still a mandated encryption backdoor with all the security and privacy risks that come with it.
Note that this proposal would be unconstitutional were it proposed in the United States, which has strong protections against governments forcing actors to speak or lie on its behalf. Give Up the Ghost: A Backdoor by Another Name by Nate Cardozo
The next question then becomes: just what local network services? What’s the architecture going to look like so we can grow a big industry ecosystem around it, all without screwing the users? I don’t think anybody has all the answers yet, but this is going in the right direction! I will have some more thoughts in a future post.
Sounds great. Currently, poor security is the bane of IoT devices. I would suggest the industry put all effort into efforts to improved security and privacy features of their products. Security is the number one reason I am reluctant to have internet accessible devices in my home.
Does restricting IoT traffic to the local network mean we lose the ability to leverage the analytics or the analytics become too simplistic to be useful? Will the majority of consumers, the mass market of consumers who we need to make any product category viable, want or need to have a mini data centre in the home to manage all of this? I don’t know.
“The reason we focused on Facebook, and not Google or any of the other tracking companies, is because the very fact that apps – like a period tracker or an LED flashlight [app] – share data with Facebook will come as a surprise to many people. And, especially for those who have made a conscious decision not to be on Facebook,” said Frederike Kaltheuner, researcher with Privacy International, during her talk on Saturday.
I would have thought the Android OS privacy feature would mitigate this risk. I guess not.