Another US 'Secure' Service Shuts Down: CryptoSeal VPN Goes Dark To Protect Against US Surveillance

from the chilling-effects dept

The full details aren't clear, but it looks like another "secure" service based in the US has felt the need to shut down over fears that US surveillance efforts would compromise its actual security. VPN provider CryptoSeal has announced that it has shuttered its consumer service (via Hacker News):
CryptoSeal Privacy Consumer VPN service terminated with immediate effect

With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability.

Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product.

Specifically, the Lavabit case, with filings released by Kevin Poulsen of Wired.com (https://www.documentcloud.org/documents/801182-redacted-pleadings-exhibits-1-23.html) reveals a Government theory that if a pen register order is made on a provider, and the provider's systems do not readily facilitate full monitoring of pen register information and delivery to the Government in realtime, the Government can compel production of cryptographic keys via a warrant to support a government-provided pen trap device. Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner. The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion, and likely unconstitutional, but until this matter is settled, we are unable to proceed with our service.

We encourage anyone interested in this issue to support Ladar Levison and Lavabit in their ongoing legal battle. Donations can be made at https://rally.org/lavabit. We believe Lavabit is an excellent test case for this issue.

We are actively investigating alternative technical ways to provide a consumer privacy VPN service in the future, in compliance with the law (even the Government's current interpretation of pen register orders and compelled key disclosure) without compromising user privacy, but do not have an estimated release date at this time.

To our affected users: we are sincerely sorry for any inconvenience. For any users with positive account balances at the time of this action, we will provide 1 year subscriptions to a non-US VPN service of mutual selection, as well as a refund of your service balance, and free service for 1 year if/when we relaunch a consumer privacy VPN service. Thank you for your support, and we hope this will ease the inconvenience of our service terminating.

For anyone operating a VPN, mail, or other communications provider in the US, we believe it would be prudent to evaluate whether a pen register order could be used to compel you to divulge SSL keys protecting message contents, and if so, to take appropriate action.
From this, it doesn't sound like the company has been approached by the feds yet; it is acting proactively, which highlights the chilling effects of the US government's overreach into online security services. The security-relevant point in the notice is that a pen register order, which nominally covers only metadata, turns into a demand for the keys protecting every user's traffic once the provider has been deliberately built not to record that metadata and cannot add the capability on demand.
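How much a compelled key actually exposes depends on the key exchange the service used, which the page does not say. The following is an added example, not CryptoSeal's or Lavabit's code, written for this page in Python with the standard library only. It models two toy servers over the 2048-bit MODP group from RFC 3526: one whose long-term private key doubles as the key-agreement key (TLS with RSA key transport fails the same way, since the recorded RSA-encrypted premaster secret is recoverable with the server key), and one that uses a fresh ephemeral Diffie-Hellman key per session and keeps the long-term key only to authenticate. A recorder that captured the handshake and ciphertext and is later handed the long-term key can read the first server's sessions and not the second's. The class names, the HMAC-SHA256 key derivation and the hash-based stream cipher are stand-ins chosen for the illustration; the sample plaintext is constructed. Caveat: forward secrecy protects traffic that was recorded before disclosure; a party holding the long-term key can still impersonate the server in a live interception, which is closer to the "pen trap device" scenario the notice describes.

```python
"""Added example, not CryptoSeal's code: can a long-term private key that is
disclosed later decrypt a session a wiretap recorded earlier? Stdlib only."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# 2048-bit MODP group, RFC 3526 group 14 (take the constant from the RFC for real use).
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2


def dh_keypair():
    """Private exponent x and public value g^x mod p; 256-bit exponents suffice for this group."""
    priv = secrets.randbits(256) | 1
    return priv, pow(G, priv, P)


def derive_key(shared: int, client_pub: int, server_pub: int) -> bytes:
    """Toy KDF: HMAC-SHA256 keyed with the shared secret over the handshake transcript."""
    transcript = client_pub.to_bytes(256, "big") + server_pub.to_bytes(256, "big")
    return hmac.new(shared.to_bytes(256, "big"), transcript, hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher (not for real use): XOR with SHA-256(key || counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class Recording:
    """Everything a passive tap sees on the wire: both public values and the ciphertext."""
    client_pub: int
    server_pub: int
    ciphertext: bytes


class StaticKeyServer:
    """No forward secrecy: the long-term private key is also the key-agreement key
    (TLS with RSA key transport fails in the same way)."""
    def __init__(self):
        self.long_term_priv, self.long_term_pub = dh_keypair()

    def respond(self, client_pub: int):
        shared = pow(client_pub, self.long_term_priv, P)
        return self.long_term_pub, derive_key(shared, client_pub, self.long_term_pub)


class EphemeralKeyServer:
    """Forward secrecy: a fresh key-agreement key per session. The long-term key
    exists only to authenticate the server (signing is not modelled here)."""
    def __init__(self):
        self.long_term_priv, self.long_term_pub = dh_keypair()

    def respond(self, client_pub: int):
        eph_priv, eph_pub = dh_keypair()
        key = derive_key(pow(client_pub, eph_priv, P), client_pub, eph_pub)
        del eph_priv  # gone once the session key exists; there is nothing left to compel
        return eph_pub, key


def run_session(server, plaintext: bytes) -> Recording:
    """Client and server agree a key and the client sends one message; the tap records it all."""
    client_priv, client_pub = dh_keypair()
    server_pub, server_key = server.respond(client_pub)
    client_key = derive_key(pow(server_pub, client_priv, P), client_pub, server_pub)
    assert client_key == server_key
    return Recording(client_pub, server_pub, xor_stream(client_key, plaintext))


def decrypt_with_disclosed_key(rec: Recording, long_term_priv: int) -> bytes:
    """The recorder, later handed the server's long-term private key, tries to read the recording."""
    shared = pow(rec.client_pub, long_term_priv, P)
    return xor_stream(derive_key(shared, rec.client_pub, rec.server_pub), rec.ciphertext)


def disclosure_reads_recording(server_cls, plaintext: bytes = b"constructed sample: user traffic") -> bool:
    """True when the disclosed long-term key recovers the plaintext of an earlier session."""
    server = server_cls()
    rec = run_session(server, plaintext)
    return decrypt_with_disclosed_key(rec, server.long_term_priv) == plaintext


if __name__ == "__main__":
    print("static key exchange, recording readable after disclosure:   ", disclosure_reads_recording(StaticKeyServer))
    print("ephemeral key exchange, recording readable after disclosure:", disclosure_reads_recording(EphemeralKeyServer))
```

Run it as a script: the static server's recording decrypts once its long-term key is disclosed, the ephemeral server's does not, because the per-session exponent that the recorder would need was deleted before any order could reach for it. The same split is what Mike Raffety's per-customer-key suggestion in the comments is reaching for from a different direction: limiting what one disclosed key can unlock.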


Reader Comments

  • Anonymous Coward, Oct 21st, 2013 @ 1:18pm

    -1 for humanity

  • Zakida Paul (profile), Oct 21st, 2013 @ 1:24pm

    I do not trust any US hosted VPN or email service no matter how secure they claim to be. I suspect many living in Europe feel the same way.

    • Anonymous Coward, Oct 21st, 2013 @ 2:50pm

      Re:

      I do not trust any US hosted VPN or email service no matter how secure they claim to be. I suspect many feel the same way.

      FTFY

  • william (profile), Oct 21st, 2013 @ 1:29pm

    Some people are questioning why they keep the business service open but closed the personal service.

    My guess is that the business portion is more profitable and the personal service is more likely to get them served. If that's the case, handing over the key would compromise their business service...

    so they had to shut down the personal service because of this risk.

    Good job America, the land of the pseudo-free!

    • Anonymous Coward, Oct 21st, 2013 @ 3:37pm

      Re:

      You can thank Barry and his criminal cohorts.

    • Ryan Lackey (profile), Oct 22nd, 2013 @ 12:28am

      Re:

      It's partially that, but it's also that the business system has full monitoring built in (so owners can monitor employees, automatically, with DLP and such).

      It's used in regulated industries which already are subject to much more monitoring than court-ordered pen traps, so the monitoring from pen traps is irrelevant to them.

      We're working on some better solutions to both sets of customers, but it'll be 2014 before they're ready. Privacy-conscious consumers should use non-US services for now.

  • Anonymous Coward, Oct 21st, 2013 @ 1:44pm

    Well done, US gov! Tech companies are fleeing the US. This will get worse after tonight's EU vote on data protection. So, besides pumping ludicrous amounts of money into the NSA et al., you lose more money on businesses fleeing the country. And all of this helped to catch how many terrorists exactly?

  • Anonymous Coward, Oct 21st, 2013 @ 2:06pm

    We are on the threshold of a chain reaction. Entire industries will pack up and move overseas, all due to our government's ongoing efforts to emulate third-world dictatorships; their desperate seizure of power under the quixotic (when not blatantly fraudulent) banner of "fighting terrorism".

    For all their clamoring about "job creation", it's clear that they care far more about preserving their own power than improving the economy. (As if that hadn't already been proven by over two weeks of petty bickering during a government shutdown and nearly defaulting on the national debt because neither side was mature enough to put the entire nation's wellbeing above their own political maneuverings until the last possible moment.)

    • Anonymous Coward, Oct 21st, 2013 @ 2:43pm

      Re:

      Absolutely, this is all too evident. The whole thing is a disaster. Once the boomers pass on, if we do not fundamentally change how campaign finance, lobbying, financial regulation and patent/copyright law work, we are totally fucked.

      We will also need to strike down the Patriot Act and the CFAA, and any ACTA/CISPA-like bills in the future.

  • Wolfy, Oct 21st, 2013 @ 2:48pm

    Used to be, the Chamber of Commerce would be leaning on Gov't. in this type of situation.

  • roarshock44, Oct 21st, 2013 @ 4:08pm

    william: the land of the pseudo-free

    . . . and home of the sort-of brave. Our forefathers and foremothers would be so proud of us.

  • Anonymous Coward, Oct 21st, 2013 @ 6:48pm

    A lot of VPN services are simply pulling their U.S. servers, to avoid US law. As long as they have no servers in U.S. datacenters, they are not subject to U.S. wiretap orders.

    I know this because I had to move; the only Internet I had for a while was through my 4G cell provider, and I had to use a VPN to bypass the part of the system that detects and blocks any "tethering". However, none of the VPN providers I was using have U.S. servers. Some VPN services are solving the problem by pulling all servers from U.S. datacenters.

    Because of this, I could not watch Netflix or access U.S.-only web sites for quite a while, since the VPN services I was using pulled all their U.S. servers, to avoid U.S. laws.
    I could not watch Netflix or access my bank accounts. I could not even cancel service from my old ISP, because they block access to certain parts of their network to non-US IP addresses to protect their customers. They are very privacy minded.

    I cannot even find a VPN provider now that does have any servers in U.S. datacenters. I guess the Lavabit case means that VPN providers will soon no longer have servers in U.S. datacenters, so they can avoid U.S. wiretapping orders.

    One would think that Cryptoseal would just simply pull their servers out of U.S. datacenters, like a few other VPN providers had, and that would have solved the problem for them. The other VPN providers out there that pulled their US servers made themselves no longer subject to U.S. laws.

    To me, it seems that what Cryptoseal did was a little overkill. They could have just simply pulled all their servers from U.S. datacenters, and that would have been enough. If other VPN providers can do that and avoid U.S. laws, why not Cryptoseal?

    • Ryan Lackey (profile), Oct 22nd, 2013 @ 12:30am

      Re:

      We're all US citizens, working and living in the US, and just setting up our servers offshore wouldn't have protected us from personal jurisdiction for things like civil or criminal contempt. We could potentially have owned/licensed an offshore operator to run the whole thing, but at that point, there's not much value we could add -- just use an entirely offshore business run by non-US-citizens.

      I am not a lawyer, of course.

    • Anonymous Coward, Oct 22nd, 2013 @ 12:30am

      Re:

      I cannot even find a VPN provider now that does have any servers in U.S. datacenters. I guess the Lavabit case means that VPN providers will soon no longer have servers in U.S. datacenters, so they can avoid U.S. wiretapping orders.

      http://www.hidemyass.com/vpn/servers/#us

      One would think that Cryptoseal would just simply pull their servers out of U.S. datacenters, like a few other VPN providers had, and that would have solved the problem for them. The other VPN providers out there that pulled their US servers made themselves no longer subject to U.S. laws.

      Did it? Has this been tested yet? Could be that they only think their problem is solved when it isn't.

      • aldestrawk (profile), Oct 22nd, 2013 @ 11:11am

        Re: Re:

        The experience with LulzSec two years ago shows that a VPN service can be subject to a court order (in the UK) or other legal subpoena or warrant despite not having servers, or any presence, in the U.S.
        http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/

        Law enforcement cooperation between countries may mean you are not necessarily protected, although you might be more protected than being subject to U.S. law enforcement (or CIA etc.) activities directly.

    • Anonymous Coward, Oct 22nd, 2013 @ 12:56am

      Re:

      [To me, it seems that what Cryptoseal did was a little overkill. They could have just simply pulled all their servers from U.S. datacenters, and that would have been enough. If other VPN providers can do that and avoid U.S. laws, why not Cryptoseal?]
      That's not enough. As long as their company has U.S. based entities, they have to obey U.S. court orders.

      So while non-U.S. based VPN providers can evade by moving their assets out, native U.S. based VPN providers cannot. They have to shut down their company and re-register in other countries that are considered "safe".

  • Anonymous Coward, Oct 21st, 2013 @ 7:40pm

    StrongVPN

    I ditched StrongVPN post-PRISM. One of the leaks, XKEYSCORE, mentioned you could query for users in a country that had just started a VPN link.

    If you're in a militarized country, speaking out can get you shot, so VPNs like CryptoSeal are essential.

    One of the other big leaks of that data is msftncsi.com, the Microsoft network awareness URL.

    Your PC queries this and its DNS on each network startup to report if you have a network connection. I notice it reports outside of the VPN and inside the VPN to see if a connection exists without the VPN and via the VPN, which lets an observer of that URL unmask the VPN's alternate IP.

    131.107.255.255 dns.msftncsi.com
    127.0.0.1 www.msftncsi.com

    One of the software packages could report if a new device appears or disappears off the net, and I suspect it's watching the network awareness URLs.

  • Postulator (profile), Oct 21st, 2013 @ 8:43pm

    Offshore it

    Close the service down, and move it and the company offshore to a country that values privacy.

    Of course, that's basically what will happen over the next five to ten years - and hopefully countries will fall over themselves to show how conscious they are of the need for individual privacy protection.

    • Anonymous Coward, Oct 21st, 2013 @ 11:23pm

      Re: Offshore it

      Like I said in one other comment, many VPN companies are now pulling servers out of US datacenters, and that alone is good enough for most VPN companies to avoid U.S. laws.

      So if you like to watch Netflix, Hulu, or any other U.S.-only site by way of a proxy or VPN, that soon may not be an option.

    • Anonymous Coward, Oct 21st, 2013 @ 11:27pm

      Re: Offshore it

      The USA could still try and make US laws apply. A few years ago, one VPN company, based outside the USA, was bullied into pulling its Cuba, Iran, and North Korea servers. They decided that since the owner was a US citizen, he was still subject to OFAC regulations prohibiting him from operating servers in those countries.

      So if you are going to offshore your VPN service, be sure to move it to a country that will tell the US government to get lost, and not cooperate with the US government in any way.

  • Miceal Mac an tSaoir, Oct 21st, 2013 @ 11:26pm

    US Government invasion of privacy

    How many people realise though that many of the 'free' email services offered around the world are actually all hosted by the same company in California and the company that owns the hosting company is 45% owned by the US Federal Government? I had two, seemingly separate, email accounts some years back but it turns out they were both hosted by this one company. When I expressed too much interest in the HAARP facility my main account was closed down. I then used my backup account to complain about this and it too was closed down. I believe the Federal involvement in this email hosting company was deliberate in an attempt to offer easy access to and control of worldwide email traffic.

  • Anonymous Coward, Oct 22nd, 2013 @ 1:26am

    USA and Canada are losing the VPN business.

  • Anonymous Coward, Oct 22nd, 2013 @ 4:28am

    As it's only the public, basically, that are affected here, no one will give a toss. The whole aim of all this stuff is to stop the public from having any secrets, anywhere. If there were some business or businesses affected, there would be all sorts of backlash going on!

  • Ninja (profile), Oct 22nd, 2013 @ 4:28am

    Keep 'em coming. When you hit where it hurts the most (the pockets) things will start changing.

  • Mike Raffety (profile), Oct 22nd, 2013 @ 11:57am

    Individual SSL keys per customer?

    Could a privacy service use a separate subdomain for each customer (or group of customers) with a separate SSL key, allowing them to comply with a pen register order for one customer without revealing all customers' traffic?

    Yes, the price of SSL keys could be a factor, but perhaps a different CA would be appropriate for this.

  • jessica p (profile), Nov 2nd, 2013 @ 4:22pm

    vpn

    I personally recommend the https://www.waselpro.com/en/ service. I always have a good experience with its VPN, because sometimes a VPN causes issues on wifi, but this VPN's support team is available 24/7 for customer assistance.

  • AmmarNaeem, Jan 7th, 2014 @ 11:47pm

    Top VPN service that rises in USA

    I have been using VPN for 2 years and now I have a good understanding of the nature of VPN. In my opinion people have two major concerns with VPN, especially in the USA, and these are connectivity and speed. Therefore now I only recommend Hidemyass, ipvanish and Purevpn, because all of them provide excellent services with fast connectivity and speed. Though I still recommend you to go through some other top services for the USA that are getting stronger in the USA. Source: http://www.vpnranks.com/usa-vpn/

