Forty-seven tech companies, civil society organisations and international experts - including Apple, Microsoft, Google, WhatsApp, Human Rights Watch, ISOC and Privacy International - jointly raised concerns over the ‘Ghost proposal’, an idea put forward by the UK intelligence agency GCHQ to eavesdrop on encrypted communications. In an open letter to GCHQ published on Lawfare, they explained how the proposal would work in practice, and warned that it would ‘undermine the authentication process that enables users to verify that they are communicating with the right people, introduce potential unintentional vulnerabilities, and increase risks that communications systems could be abused or misused.’ The ‘Ghost proposal’ was presented by two GCHQ officials in an article also published on Lawfare, in which they argue that law enforcement should be added as a ‘ghost’ participant in every encrypted messaging conversation, which would allow it to monitor communications without inserting backdoors into encryption protocols. The proposal is currently not part of the GCHQ agenda, however, but rather served as part of a series of essays for discussion, The Verge underlines.
At the beginning of May, WhatsApp discovered that the service had been used to install sophisticated surveillance malware on an unknown number of smartphones. The hackers used a security flaw in WhatsApp’s voice calling function that enabled them to run ‘a remote code execution via specially crafted series of secure real-time transport protocol (SRTCP) packets sent to a target phone number’. Infection by the malicious code would happen even if the call had not been answered. The vulnerability enabled hackers to read messages on the target's device with interception tools, bypassing the end-to-end encryption used in WhatsApp.
The number of infected devices is not yet known, but researchers claim the attack targeted a small number of human rights activists. The surveillance software was attributed by the Financial Times to the Israeli NSO Group, famous for its Pegasus program used by some governments to intercept the communications of human rights activists. However, the NSO Group denied its involvement in the attack. WhatsApp encouraged people to upgrade to the latest version of the app on Android, iOS, and Windows Phone devices.
A Nokia 7 Plus user in Norway notified the Norwegian media about batches of data being sent to a server in China whenever the phone was powered on. Data such as the phone’s IMEI numbers, SIM card numbers, the cell ID of the base station the phone is connected to, and its network address (the MAC address) were sent unencrypted. Norway’s data protection ombudsman has launched an investigation. Although Norway is not an EU member state, the GDPR is still applicable to Norway as a member of the European Economic Area.
The Australian Parliament has adopted the Telecommunications and Other Legislation Amendment (Miscellaneous Amendments) Bill 2019. The Bill replaced the definitions of systemic weaknesses and vulnerabilities, which are now defined only as affecting ‘a whole class of technology’, and don’t include those ‘selectively introduced to one or more target technologies that are connected with a particular person’, thereby possibly creating space for selectively introduced weaknesses to be exploited by law enforcement agencies. In addition, the new section (317ZG) introduces certain limitations to law enforcement measures, by specifying that technical assistance requests and notices, and technical capability notices, cannot have the effect of creating new decryption capabilities, weakening existing authentication or encryption mechanisms, or creating a risk that otherwise secure information could be compromised by unauthorised third parties.
Popular messaging service WhatsApp has stated that the Indian government’s proposal to force tech companies to hand over encrypted messages is “over-broad” and “not possible”. The Indian government has been asking WhatsApp to share the origin of messages in order to track fake news ahead of national elections. However, WhatsApp's communication head reiterated that WhatsApp will not break end-to-end encryption.
According to India Today, Indian authorities are working on amending the parts of the IT Act related to the liabilities of intermediaries, to allow the government to monitor and remove user content and messages, including encrypted ones. These steps are being justified by the need to monitor unlawful content, in particular fake news and inflammatory messages sent via messenger apps such as WhatsApp, which resulted in a series of mob lynchings. WhatsApp and Twitter both announced that they will respond to consultations opened by the Indian government, and criticised the new rules as being against privacy and leading to censorship, the Financial Times reports.
In the proposed amendments to the Information Technology Act 2000, the Indian government recommended modifications to the rules regarding the liability of online intermediaries. The proposal requires that intermediaries, including social media networks, e-commerce platforms and Internet providers, proactively remove unlawful third-party content or face liability for the illegal content. The rules would change the intermediary liability landmark set by the Shreya Singhal case of 2015, which clarified that companies were only expected to remove content when ordered by a court to do so.
Australia passed a controversial law, the Assistance and Access Bill, designed to compel technology companies to grant law enforcement agencies access to encrypted messages. According to the Guardian, the law intends to ‘co-opt technology companies, device manufacturers and service providers into building the functionality needed for police to do their spying’ and ‘give to Australian agencies the ability to install key logging software to enable them to see, keystroke by keystroke, what users type into a message’. The law was adopted despite strong criticism from civil society organisations and leading tech companies, such as Apple, Cisco, Mozilla, Google, and Facebook.
The Global Commission on the Stability of Cyberspace (GCSC) has released its 'Singapore package' with six new proposed norms for state and non-state behaviour. The norms focus on tampering with products, vulnerability disclosure and responsibility, botnets, cyber-hygiene, and the conduct of offensive cyber operations by non-state actors. According to its Commissioners, the GCSC may still work on developing a few additional norms, but will now put more focus on exploring ways to steer other processes with its proposed norms.
Freedom House's report Freedom on the Net 2018: The Rise Of Digital Authoritarianism presents the following key findings:
- Declines outnumber gains for the eighth consecutive year, with almost half of these being election-related.
- China trains the world in digital authoritarianism.
- Internet freedom declined in the United States (mostly due to a decline in net neutrality protections).
- Citing fake news, governments curbed online dissent (17 countries).
- Authorities demand control over personal data (18 countries increased surveillance).
In his introduction to the report, Fake news, data collection, and the challenge to democracy, Adrian Shahbaz said 'Events this year have confirmed that the internet can be used to disrupt democracies as surely as it can destabilize dictatorships' [...] 'With or without malign intent, the internet and social media in particular can push citizens into polarized echo chambers and pull at the social fabric of a country, fueling hostility between different communities.'