[liberationtech] Lavabit, Silent Circle both shut down
frank at journalistsecurity.net
Fri Aug 9 09:34:11 PDT 2013
This suggests that we need a firm based perhaps in Iceland to offer
encryption services to have any chance of being secure. The story also
notes that US agencies are allowed to keep any encrypted messages they
intercept indefinitely.
Lavabit, Silent Circle Shut Down: Crypto In Spotlight
Mathew J. Schwartz
Two encrypted email services shut the doors; gag order clouds details of
apparent U.S. government interest related to Snowden case.
Mathew J. Schwartz | August 09, 2013 10:51 AM
Encrypted email service provider Lavabit
is shutting down, but a gag order prevents the company from detailing
exactly what triggered that business decision.
Ladar Levison, the owner and operator of Texas-based Lavabit, said in a
statement that his hand was forced after six weeks of legal wrangling
and two attempts by him to squash the gag order, both of which were
rejected by a judge. As a result, he's not at liberty to publicly reveal
exactly what's going on.
"I have been forced to make a difficult decision: to become complicit in
crimes against the American people or walk away from nearly 10 years of
hard work by shutting down Lavabit," he said. "After significant soul
searching, I have decided to suspend operations. I wish that I could
legally share with you the events that led to my decision. I cannot."
Lavabit had promised that it would be an "e-mail service that never
sacrifices privacy for profits" and "only release private information if
legally compelled by the courts in accordance with the U.S.
Constitution." The service backed up those claims by storing only
encrypted versions of emails on its servers, which could only then be
decrypted using a user's passphrase, which the service didn't store.
Lavabit's closure led startup company Silent Circle to announce Thursday
that it would shutter Silent Mail, which is its encrypted email service.
"We see the writing [on] the wall, and we have decided that it is best
for us to shut down Silent Mail now. We have not received subpoenas,
warrants, security letters, or anything else by any government, and this
is why we are acting now," said Silent Circle CTO Jon Callas in a blog
Privacy rights advocates slammed the secret legal maneuvers by the
government that led to the closures. "We need more transparency so the
public can know and understand what led to a ten-year-old business
closing its doors and a new start-up abandoning a business opportunity,"
said Kurt Opsahl, a senior staff attorney at the Electronic Frontier
Foundation (EFF), in a blog post.
In response to the two services being shuttered, the team behind the
free, open source GPG Suite offered their software as an alternative.
"We're sorry to hear that lavabit and silent mail shutdown [sic]. OS X
users wanting to protect your mails, have a look at
https://gpgtools.org," they tweeted.
But in his blog post, Silent Circle's Callas suggested that
technologically speaking, any type of crypto email may offer less
security than it seems. "Email that uses standard Internet protocols
cannot have the same security guarantees that real-time communications
has. There are far too many leaks of information and metadata
intrinsically in the email protocols themselves," he said. "Email as we
know it with SMTP, POP3, and IMAP cannot be secure."
Furthermore, leaked National Security Agency (NSA) operating guidelines
suggest that simply using encryption tools draws extra scrutiny from the
agency's analysts. Encrypted communications, when intercepted, are also
exempt from protections afforded to Americans' regular communications.
While ordinary communications can legally only be retained by the NSA
for six months, unless they contain evidence of a crime, encrypted
communications may be retained indefinitely.
Lavabit's Levison sounded a further ominous note for anyone storing any
type of sensitive data with a third party. "This experience has taught
me one very important lesson: without congressional action or a strong
judicial precedent, I would _strongly_ recommend against anyone trusting
their private data to a company with physical ties to the United
States," he said.
What led to the U.S. government -- or intelligence services -- taking
an apparent interest in Lavabit? The most likely answer is that NSA
whistleblower Edward Snowden used the service. That was revealed last
month when Tanya Lokshina, a senior Russia researcher for Human Rights
Watch in Moscow, published a copy of an emailed invitation asking her to
attend a meeting at the local Sheremetyevo airport to discuss Snowden's
bid for asylum, sent from "edsnowden at lavabit.com." Snowden also used
Hushmail and PGP encryption.
The closure of two well-regarded crypto email services is the latest
chapter in the ongoing saga kicked off by Snowden's leaking of documents
-- not all of which have been published -- that detail secret NSA
programs, including the agency's wide-ranging digital dragnet that
captures and stores the everyday communications of millions of
Americans. That state of massive surveillance is aided by a secretive
Foreign Intelligence Surveillance Court that in recent years has
apparently compelled technology providers -- including Facebook, Google
and Microsoft -- to provide the NSA with easy access to their users'
Frank Smyth
Executive Director
Global Journalist Security
frank at journalistsecurity.net
Tel. + 1 202 244 0717
Cell + 1 202 352 1736
Twitter: @JournoSecurity
Website: www.journalistsecurity.net