CertiVox has admitted that it chose to take its secure email encryption service PrivateSky offline after a warrant was issued by a division of GCHQ.
CEO Brian Spector told IT Security Guru that, despite the service having “tens of thousands of heavily active users”, the company was served with a RIPA warrant from the National Technical Assistance Centre (NTAC), a division of GCHQ and a liaison with the Home Office, which was seeking the keys to decrypt the customer data.
He said that this was at the end of 2012, ahead of the same action by Lavabit and Silent Circle, and before Snowden happened. “So they had persons of interest they wanted to track and came with a RIPA warrant signed by the home secretary. You have to comply with a RIPA warrant or you go to jail,” he said.
“It is the same in the USA with FISMA, and it is essentially a national security warrant. So in late 2012 we had the choice to make – either architect the world’s most secure encryption system on the planet, so secure that CertiVox cannot see your data, or spend £500,000 building a backdoor into the system to mainline data to GCHQ so they can mainline it over to the NSA.”
Spector said that complying with the warrant would have been a “catastrophic invasion of privacy” of its users, so instead it chose to withdraw the product from public use and run it internally. “Whether or not you agree or disagree with the UK and US government, this is how it is and you have to comply with it,” he said.
However, some of the technology has been implemented in its M-Pin authentication options. Rather than CertiVox holding the data, it is split in two so that CertiVox has one half and the user has the other, and law enforcement would need both to access the data.
“So as far as I know we are the first to do that so if the NSA or GCHQ says ‘hand it over’ we can comply as they cannot do anything with it until they have the other half, where the customer has control of it,” he said.
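The split described above can be illustrated with a two-share XOR scheme. This is an added example, not CertiVox's or M-Pin's code, and the XOR construction, function names and sample values are assumptions chosen for illustration. It shows why the provider's half alone is useless: it is consistent with every possible secret of the same length.

```python
import secrets


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Split a secret into a provider share and a user share (2-of-2)."""
    # The provider share is a uniformly random pad as long as the secret.
    provider_share = secrets.token_bytes(len(secret))
    # The user share is the secret masked with that pad.
    user_share = bytes(s ^ p for s, p in zip(secret, provider_share))
    return provider_share, user_share


def combine(provider_share: bytes, user_share: bytes) -> bytes:
    """Rebuild the secret; only works when both shares are present."""
    if len(provider_share) != len(user_share):
        raise ValueError("shares must be the same length")
    return bytes(p ^ u for p, u in zip(provider_share, user_share))


def share_explaining(provider_share: bytes, candidate: bytes) -> bytes:
    """Return the user share that would make provider_share decode to candidate.

    One exists for every candidate of the right length, so whoever holds
    only the provider share cannot tell which secret was actually split.
    """
    return combine(provider_share, candidate)


def demo() -> dict:
    secret = b"constructed-demo-key-0001"  # constructed sample value
    provider_share, user_share = split_secret(secret)

    # Both halves together recover the secret.
    recovered = combine(provider_share, user_share)

    # The provider half alone fits an arbitrary decoy equally well.
    decoy = b"X" * len(secret)
    fake_user_share = share_explaining(provider_share, decoy)

    return {
        "recovered_ok": recovered == secret,
        "decoy_consistent": combine(provider_share, fake_user_share) == decoy,
        "share_length": len(provider_share),
    }


if __name__ == "__main__":
    print(demo())
```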