
CertiVox confirms it withdrew PrivateSky after GCHQ issued warrant - atlantic
http://www.itsecurityguru.org/node/4780
======
spindritf
_we had the choice to make - either architect the world's most secure
encryption system on the planet, so secure that CertiVox cannot see your data,
or spend £500,000 building a backdoor into the system_

So, just like Lavabit as moxie keeps pointing out[1][2], it wasn't actually
secure. Still, I like the principled stand they took.

[1]
[https://news.ycombinator.com/item?id=6672442](https://news.ycombinator.com/item?id=6672442)

[2] [http://www.thoughtcrime.org/blog/lavabit-critique/](http://www.thoughtcrime.org/blog/lavabit-critique/)

~~~
_mhp_
There is no _actually secure_ - that's the problem. The best you can do is
secure against specific threat models. Up until recently, most people didn't
necessarily view government intrusion as a particularly credible threat, so
didn't spend the extra time/effort/money mitigating against it.

One of the best things to come out of all these revelations, in my opinion, is
a revised view of what threats we should consider which were previously
dismissed as paranoid ramblings.

~~~
maffydub
You're right that we may have been naive about trusting our governments.

What I don't understand is why anyone trusted businesses (such as CertiVox and
Lavabit) to keep their emails secure?

If the businesses themselves couldn't decrypt these emails, there's nothing
the government could usefully ask them for.

~~~
rhizome
_What I don't understand is why anyone trusted businesses (such as CertiVox
and Lavabit) to keep their emails secure?_

Because they didn't consider "because terrorism" to be a security threat that
could penetrate privacy and property laws. Lavabit has proven that the Third-
Party Doctrine means that once you give data to a business, you're giving it
to the government.

~~~
maffydub
Sorry, maybe I wasn't clear.

I have an email I want to be secure.

Why am I giving this data to Lavabit in a form that they can decrypt? (Forget
the government for the moment.)

Why aren't these systems engineered to mean that only _I_ have the key to
decrypt them?

~~~
rhizome
I don't know. Why aren't you running your own email server?

~~~
maffydub
Me personally? Because I don't actually need secure email (and so didn't use
Lavabit or CertiVox).

My point is that if I did want secure email, I wouldn't trust a company whose
email system architecture meant that they could read my email.

A personal email server might be a good solution, but then you have to
maintain it. It seems as though it should be possible for a company to build
an email system (and offer it as a service to customers) whereby they
_couldn't_ read user's email.

This seems like a good thing. (And as a nice side-effect, the government can't
then issue them with a warrant to read your email. Although that's not to say
they can't read your email in other ways.)

~~~
rhizome
I'm not aware of any companies providing double-blind encrypted email
services, but they may be out there. Certainly they would eventually be
accused of providing harbor to terrorists and other unsavories. At best, it
sidesteps the problem of the lack of legal privacy protections when using a
service provider of any kind.

[http://www.legaltechnology.com/latest-news/data-security-in-the-snowden-era-1-double-blind-encryption/](http://www.legaltechnology.com/latest-news/data-security-in-the-snowden-era-1-double-blind-encryption/)

------
7952
There are some details of the legislation in question here[1]. It allows the
UK to monitor "in the interests of the economic well-being of the United
Kingdom" which seems a little broad!

It would be interesting to know if this warrant targeted all users or a
specific subset?

I wonder how they decide whether to issue a warrant or just break into the
site in question. A warrant could imply that they are unable to attack the
provider, or that they want to have a chilling effect.

[1][http://wiki.openrightsgroup.org/wiki/Regulation_of_Investiga...](http://wiki.openrightsgroup.org/wiki/Regulation_of_Investigatory_Powers_Act_2000/Part_I)

~~~
dingaling
RIPA was strongly opposed by the IT and communications community during its
'consultation' period, but was passed largely intact. It was so intrusive a
proposal that even people like me who often say 'I'll write and complain'
actually did write a letter.

Predictions of its misuse have been borne out, particularly as the authorized
users of communication data were never enumerated or restricted. So we have
the situation today where local Councils use RIPA to obtain communication data
regarding individual citizens' activities.

~~~
jackgavigan
> ..local Councils use RIPA to obtain communication data...

It's worth noting that legislation introduced during 2012 limited the
circumstances under which councils could use RIPA powers [1] and required
judicial approval for the exercise of those powers [2].

[1]:
[http://www.legislation.gov.uk/uksi/2012/1500/article/2/made](http://www.legislation.gov.uk/uksi/2012/1500/article/2/made)

[2]:
[http://www.legislation.gov.uk/ukpga/2012/9/part/2/chapter/2/...](http://www.legislation.gov.uk/ukpga/2012/9/part/2/chapter/2/enacted)

~~~
csmuk
This only happened after various scandals about privacy invasion by councils.

~~~
jackgavigan
And after a Tory-led government came to power...

~~~
csmuk
What's that got to do with it? (genuinely interested).

~~~
jackgavigan
I think it's ironic that those who are in favour of personal liberties are
often on the left of the political spectrum whereas, in this instance, it was
the Tories who rolled back aspects of surveillance legislation that was
introduced by Labour.

~~~
csmuk
I think that the left/right distinction is silly myself. A typical red vs blue
flag waving exercise rather than solving anything.

Both labour and conservatives seem to mix the tenets of the two freely based
on whim rather than manifesto.

On one hand we have Big Society and smash socialism.

On the other hand we have Big Society and smash socialism.

Same turds, different coloured glitter.

All parties have sold out to their corporate sponsors and are as bent as
anything.

~~~
jackgavigan
Whilst I don't agree 100%, I don't disagree strongly enough to make an
argument of it. :-)

------
lnanek2
Wow, shows a lot of integrity closing the product instead of still keeping it
up in a compromised state to comply with the warrant. We've seen some other
providers here in the US even changed functionality to retain keys used in web
clients of secure email at the behest of government orders.

This does mean that the UK is now on the list, along with the US, of places
where no credible crypto startup is possible, though.

~~~
rayiner
> This does mean that the UK is now on the list, along with the US, of places
> where no credible crypto startup is possible, though.

I can think of very few developed countries that, when the rubber hits the
road, will let you do what you want. Taking measures to aid official police or
court investigations is simply an implied obligation in most countries with
developed legal systems. Very few countries will tolerate service providers
whose raison d'etre is "we won't cooperate with the authorities" except in
limited situations like off-shore banking when the primary purpose is to hide
assets or information from people in _other_ countries.

This isn't specific to crypto or police investigations either. Say you want to
start an accounting firm that guarantees it will never share your records if
subpoenaed in a civil lawsuit. This would never fly in the U.S., not now or
one hundred years ago, and while I'm not super familiar with European law, I
can't imagine it would fly in any western European country either.

~~~
rdl
I think it falls into three groups for communications providers:

1) Laws like CALEA, which (if applicable) require a provider to develop and
expose backdoors to the government in advance of a request

2) Building systems where an operator doesn't have access, but where a court
order can compel changes to the system, including ultimately shutting it down.

3) Being able to build a system where operator doesn't have access to data,
and upon a request, if no data can be turned over, continues operating. Must
turn over any data which you do have.

4) No requirement to cooperate, or something equiv to 4th/5th A protections
for the end user being extended to service providers.

I used to think the US was #3. I don't believe #4 exists anywhere, at least
outside specific kinds of data (medical, legal). The US is at least #2 now,
and might actually be #1 in more and more domains.

------
jackgavigan
The headline attached to this submission is sensationalist and misleading.
GCHQ did not force CertiVox to shut down PrivateSky. CertiVox decided to close
PrivateSky after they were served with a notice issued under section 49 of the
Regulation of Investigatory Powers Act (RIPA) which required that they hand
over the key(s) required to decrypt one (or more) of their customer's data.

The underlying legislation can be found here:
[http://www.legislation.gov.uk/ukpga/2000/23/contents](http://www.legislation.gov.uk/ukpga/2000/23/contents)

The relevant section is 49 but sections 53 (Failure to comply with a notice)
and 54 (Tipping off) are also of particular interest.

~~~
kintamanimatt
I disagree. The headline is reasonable because you can be put in a position in
which you're not _forced_ to do something, but it's extremely unreasonable not
to do that thing. They weren't forced to close down per se, but their other
options were extremely infeasible or reprehensible.

~~~
jackgavigan
> They weren't forced to close down per se...

That's the crux of the issue. They weren't forced to close down, they chose
to.

End of discussion.

EDIT: Actually, why don't we see what the CEO of CertiVox has to say on the
matter?

"The headline strongly infers our friends at GCHQ “forced” us to take
PrivateSky down. That’s hogwash."

Source:
[https://news.ycombinator.com/item?id=6894316](https://news.ycombinator.com/item?id=6894316)

~~~
kintamanimatt
End of discussion? No, sir, it is not!

Your interpretation is extremely naïve. I could hold a gun to your head, for
example. You wouldn't be forced per se to meet my demands, but you probably
would because it would be extremely unreasonable not to. In the same way, the
consequences for not complying are: an extremely expensive and possibly
unaffordable rewrite, going to jail for a few years, or giving up their
customers' data in violation of their principles. The GCHQ order effectively
put a gun to their head.

~~~
jackgavigan
> I could hold a gun to your head, for example. You wouldn't be forced per se
> to meet my demands, but you probably would because it would be extremely
> unreasonable not to.

GCHQ never demanded that CertiVox shut down their service. That is the bottom
line and, no matter what sort of ridiculous "gun against your head" rationale
you come up with or how firmly you plug your ears while shouting "LALALA!" at
the top of your voice; you cannot refute that fact.

EDIT: Actually, why don't we see what the CEO of CertiVox has to say on the
matter?

"The headline strongly infers our friends at GCHQ “forced” us to take
PrivateSky down. That’s hogwash."

Source:
[https://news.ycombinator.com/item?id=6894316](https://news.ycombinator.com/item?id=6894316)

~~~
teamgb
Sir Ian, nice try, but we know it's you!

[https://en.wikipedia.org/wiki/Iain_Lobban](https://en.wikipedia.org/wiki/Iain_Lobban)

------
wavefunction
So now our legal economic activities depend on the say-so of a shadowy,
unelected cabal. I guess we're "destroying the village to save it."

------
jzzskijj
"or spend £500,000 building a backdoor into the system"

A nice round number... They had good motive to protect their customers and
close the service. Why start talking about this kind of ridiculous development
costs, that sound like it got pulled out of the air?

At least I'd be more sympathetic if they stuck to the facts. I could even
support their cause by posting and tweeting that this is terrible. Now I just
feel, cut the BS already, even though they apparently were treated wrongly and
intimidated into shutting down their business.

</rant>

~~~
elemeno
Since a comment claiming to come from the CEO of PrivateSky is dead, it seems
worth re-posting so that more people can read it:

" This is Brian, the CEO. Yea, it was a nice round number out of the air. But
it probably wasn't far off the mark.

For all the other comments, below is a blog post on the matter which is going
to go live shortly:

With the story about our PrivateSky takedown now public, I want to take the
opportunity to clarify a few points in various articles that have appeared
since yesterday covering the story.

The headline strongly infers our friends at GCHQ “forced” us to take
PrivateSky down. That’s hogwash. In fact, the headline contradicts the
article, which becomes clear as you read it.

Secondly, a very important point wasn’t printed. GCHQ couldn’t, by law,
request a blanket back door on the system. There are a very rigid set of
controls that mean only specific individuals can come under surveillance. The
legal request for such surveillance has a due process that must be stridently
followed. At no time did I or anyone at CertiVox talk about CertiVox in
relation to any RIPA warrant, only the generic process by which these warrants
are served.

By saying “our friends at GCHQ”, there is no facetiousness intended. The team
at CertiVox have the utmost respect for the folks we interacted with at GCHQ.
They took the due process I outlined in the previous point very seriously. We
found that the organisation, and every individual involved there, were as
worried about a breach of public trust as we are.

Finally, I believe very strongly the following should be a larger part of the
public discourse of these subjects. What everyone needs to understand is that
every developed democracy in the world, even where privacy rights are
enshrined to the maximum efficacy by statute, has laws on the books that
mandate that Internet Service Providers have facilities to work with law
enforcement for the purposes of legal intercept, to enforce public safety and
security.

Being L.I. capable is a very important set of features and functions that must
be in place for any credible, commercial service on the Internet. In
endeavouring to make PrivateSky as secure as possible, we overlooked this
critical requirement when we built PrivateSky.

When CertiVox positioned PrivateSky as the easiest to use and most secure
encrypted messaging service, we really had two significant points of
differentiation. First, even though we held the root encryption keys to the
system, it was architected in such a way that it would have been all but
impossible for our internal staff to snoop on our customers’ communications,
or for the service to leak any of our customers’ data. Secondly, our
possession of the root keys, and our use of identity based encryption, made
the system incredibly easy to use. For the user, there were no private or
public keys to manage, every workflow was handled for the user in an easy to
grasp pure HTML5 interface, no hardware or software required, just an HTML5
browser.

We boxed ourselves into a feature set and market position such that, when
called upon to comply with legal statutes, we simply had no alternative but to
shut the service down. We built it, but we couldn’t host it.

Why? Because as you can probably surmise, there is an inherent impedance
mismatch between being able to host a commercial communications service that
gives the utmost in privacy to its users, against any breach, whilst at the
same time being able to operate safely within the confines of the law as it is
on the books in most countries on the planet.

Is this wrong? Actually, I don’t think it is. This may be an unpopular
viewpoint, but I cannot argue against having a well regulated legal intercept
function as being necessary to have in place for a society that prizes law and
order and the safety of its citizens. This is speaking as someone who lived in
NYC during 9/11.

In summary, it’s the abuse of the communications interception in the Snowden
revelations that has everyone up in arms, and so it should. But that’s not what
happened with PrivateSky.

What is our next move?

Watch this space.

-----"

------
at-fates-hands
Just confirmation of another vendor who said no to the government intrusions
on their customer data.

I'll say it again since it bears repeating. How many more companies are
complying and giving their keys to the government so they can track people
that we won't hear about??

Makes me sketchy on using any "encrypted" email service right now.

------
pistle
Drop shadows in all the directions!

I like the idea obfuscating the location of the containers of the data as well
as the content.

Shred, encrypt, disperse. You send a token to the recipient and they are able
to use that to build location requests for the containers. Once they have the
parts, they can assemble and decrypt.

So, in which country can this be developed?

------
create28
CertiVox have released a blog on their site explaining more about the PrivateSky
shut down: [http://www.certivox.com/blog/bid/359788/The-real-story-on-the-PrivateSky-takedown](http://www.certivox.com/blog/bid/359788/The-real-story-on-the-PrivateSky-takedown)

------
billpg
My eyes!

~~~
yoran
Same here. I'm sure the content is really interesting but the design is awful!
Plus the logo doesn't fit the topic of computer security at all.

