Security firm CertiVox forced to pull its PrivateSky secure email product after GCHQ forced its hand over users' data.

CertiVox had to pull support for PrivateSky in January 2013
Security firm CertiVox has said that it was forced to pull its PrivateSky product after a request from GCHQ. (Reuters)

PrivateSky, which had been introduced in beta as a web-based version and for Outlook, was shut down at the beginning of the year. It had "tens of thousands of heavily active users".

Brian Spector, CEO of CertiVox, told IT Security Guru: "Towards the end of 2012, we heard from the National Technical Assistance Centre (NTAC), a division of GCHQ and a liaison with the Home Office, [that] they wanted the keys to decrypt the customer data. We did it before Lavabit and Silent Circle and it was before Snowden happened.

"So they had persons of interest they wanted to track and came with a Ripa warrant signed by the home secretary. You have to comply with a Ripa warrant or you go to jail.

"It is the same in the USA with FISMA, and it is essentially a national security warrant. So in late 2012 we had the choice to make - either architect the world's most secure encryption system on the planet, so secure that CertiVox cannot see your data, or spend £500,000 building a backdoor into the system to mainline data to GCHQ so they can mainline it over to the NSA.

"It would be anti-ethical to the values and message we are selling our customers in the first place."

Catastrophic invasion of privacy

Spector claimed that if CertiVox had complied with the warrant, it would be a "catastrophic invasion of privacy" of users.

"Whether or not you agree or disagree with the UK and US government, this is how it is and you have to comply with it," he added.

"We still have PrivateSky and run it internally for our own use but we don't allow anyone to access it."

He said that on the technology side, the company has implemented a split of the root key in the M-Pin technology, so that it holds one half and the user holds the other.

"So as far as I know we are the first to do that so if the NSA or GCHQ says 'hand it over' we can comply as they cannot do anything with it until they have the other half, where the customer has control of it."

Lavabit and Silent Circle

Earlier this year, both Lavabit and Silent Circle closed their secure email services. Lavabit said it was not able to offer the same security for email as it did for phone, video and text services.

Lavabit owner and operator Ladar Levison confirmed that its email service was being suspended after ties with NSA whistleblower Edward Snowden left him to choose between becoming "complicit in crimes against the American people or walk[ing] away from nearly 10 years of hard work by shutting down Lavabit".

Spector said: "The stock answer is that it is complicated. It was a smattering of businesses and consumers who used it and you don't have any recourse on it or let the subject know that you have been approached to monitor their communications, as that is also against the law.

"It was all too heavy, and all too cloak and dagger for what we wanted to do, and the worst thing was we could have built a backdoor in but we are selling out our customers and the security of the service.

"We are business people but we believe in privacy, internet freedom and responsible government."

Dan Raywood is editor of IT Security Guru
