UK Secure Email Provider Shut Down His Service In January To Prevent GCHQ From Obtaining Encryption Keys
from the the-fallout-before-the-fallout dept
Shutting down secure email services because of surveillance agency interference apparently isn’t just a local phenomenon. Lavabit, Snowden’s email provider, shut down earlier this year to prevent being forced by the NSA to sabotage its own encryption. Silent Circle, another secure communications service, shut down its email product only hours later (but not its main messaging product). Silent Circle hadn’t yet been pressured by the government, but obviously felt it was only a matter of time.
International Business Times is reporting a similar incident occurred in the UK earlier this year.
PrivateSky was shut down at the beginning of the year after introducing a web-based version in beta and for Outlook and had “tens of thousands of heavily active users”.
Brian Spector, CEO of CertiVox, told IT Security Guru: “Towards the end of 2012, we heard from the National Technical Assistance Centre (NTAC), a division of GCHQ and a liaison with the Home Office, [that] they wanted the keys to decrypt the customer data. We did it before Lavabit and Silent Circle and it was before Snowden happened.
Even before the leaks made the Five Eyes’ covert surveillance programs public, PrivateSky got an inside peek at the intelligence community’s thirst for data. Unfortunately for Spector and his company, complying with GCHQ’s request would mean destroying the security it promised to its customers.
[W]e had the choice to make – either architect the world’s most secure encryption system on the planet, so secure that CertiVox cannot see your data, or spend £500,000 building a backdoor into the system to mainline data to GCHQ so they can mainline it over to the NSA.
“It would be anti-ethical to the values and message we are selling our customers in the first place.”
I suppose GCHQ is satisfied either way. While having the encryption key would have been nice, it’s just as simple to gather up communications and metadata from less secure services — services some of PrivateSky’s customers would have resorted to instead. National intelligence agencies seem all too willing to deploy scorched earth policies that destroy companies that don’t immediately cave in to their demands. And why not? It does no harm to the government to force secure services out of business. The users of these services have to go somewhere and many of the available options have been compromised already.
Spector hasn’t completely given up on the thought of offering a secure email service. He says PrivateSky is still up and running but is currently only used internally by CertiVox. But he does have a plan for another secure email offering based on the internal PrivateSky service.
He said that from the technology it has implemented a split of the root key in the M-Pin technology so it has one half and the user has the other.
“So as far as I know we are the first to do that so if the NSA or GCHQ says ‘hand it over’ we can comply as they cannot do anything with it until they have the other half, where the customer has control of it.”
This could throw up some obstacles for intelligence agencies, the sort of thing they do everything in their power to avoid. The path of least resistance is also the one most frequently traveled. These agencies hate being told “no” almost as much as they hate being inconvenienced. PrivateSky’s split key will do both. It should be interesting to see GCHQ’s response if Spector takes the service live again.