> Prima facie the GCHQ Ghost Protocol only breaks the field model by dint of being invisible to the participants; one solution to this is obvious: the ghost should be made into a real and obvious full participant. Each and every chat – however small, even those which are E2E Notes To Self for one user only – would be seen to include GCHQBot, or LawEnforcementBot, or similar.
This actually a brilliant idea for a malicious compliance approach that some messenger could implement (perhaps with an option to disable it, before they actually receive any warrants to make it actually hand over any data).
I suppose the danger of doing that is that politicians say "See! I knew it would be cheap to implement!", in which case it has to be made clear that the expensive part is hiding the bot and securing the access to that bot (since the company can't just hand over the bot's private key to GCHQ and trust them to only use it when they have a warrant, right?).
This actually a brilliant idea for a malicious compliance approach that some messenger could implement (perhaps with an option to disable it, before they actually receive any warrants to make it actually hand over any data).
I suppose the danger of doing that is that politicians say "See! I knew it would be cheap to implement!", in which case it has to be made clear that the expensive part is hiding the bot and securing the access to that bot (since the company can't just hand over the bot's private key to GCHQ and trust them to only use it when they have a warrant, right?).