Another Secure Email Service Shuts Down To Avoid Having To Do So Later

from the us-government-destroying-american-businesses dept

When Lavabit announced its sudden decision to shut down yesterday, many of its customers were actually fairly perturbed that they were given no notice, and no way to retrieve their mail before it went away. While I can certainly understand that emotional response to losing your email account like that, it seems rather obvious that there was no real choice here. If Lavabit had alerted customers that they had a day or a week or whatever before the service shut down, it seems quite likely from the hints given that the government would have stepped in with an order to preserve the information it was clearly seeking access to.

Given that, it’s noteworthy that another secure email provider, Silent Circle, chose to announce its own plans to close down its secure email service hours later. Silent Circle isn’t facing the same hidden court orders/government demands, but it recognized that such demands would likely come some day soon, and thus it was better to shut down ahead of time, before the government forced it to make the same decision. I’m somewhat surprised that Silent Circle didn’t at least give its customers a day or whatever to close out their email, but rather the company flat out destroyed its servers, noting:

“Gone. Can’t get it back. Nobody can.”

The company is still offering other secure tools that feature end-to-end encryption such that there’s nothing they can hand over to the government.

In discussing this, I saw some people point out that another service, CryptoCloud, has actually had it as a part of its privacy policy for over five years that it would shut down rather than let the government get direct access to accounts:

If a court orders us to allow them to secretly place surveillance “sniffers” on a specific account, we will fight this order to the highest judicial authority possible. If we lose, we will shut down the business and call it a day. End of story.

Still, this kind of thing is showing how these ridiculous surveillance policies from the US government are doing massive harm to US businesses, basically making them either lie to their customers and violate their privacy, or shut down completely. It’s going to drive many, many users to overseas services. Is that really worth it?

Anonymous Coward says:

Re: Re: It's imploding

“It will have really imploded when the likes of Google move all their operations and personnel out of the USA…”


Google is too big to just pack up and leave. Plus, they don’t want to burn bridges (the US is such a huge market, after all). As it stands, Google’s best move (from their point of view) is to stay put, shut up and do as they are told. They have no incentive to act otherwise.

I mean, why would they sacrifice some market share and lucrative connections in the US just for some geek cred?

“…and only offer SSL connections.”

Haven’t you been paying attention? All it takes is a few scary men in suits to show up at a Google office and say “Hand over your SSL keys”, and Google will just hand them over, because – frankly – they have no other choice, and no incentive to push back. From then on, your “secure connection” is compromised.

Jake says:

Re: Re: Re: It's imploding

I can see the NSA bullying some start-up in a basement office somewhere that way, but Google can afford some very expensive lawyers, some very large backhanders and probably a private military contractor or two for good measure. If they wanted to make a fight of it, they could.

They probably won’t go beyond a few token gestures as a sop to public opinion, of course, but they do have the option.

Anonymous Coward says:

Re: Re: Re: It's imploding

All it takes is a few scary men in suits to show up at a Google office and say “Hand over your SSL keys”, and Google will just hand them over, because – frankly – they have no other choice, and no incentive to push back. From then on, your “secure connection” is compromised.

Which is why Google has been using perfect forward secrecy ciphersuites. As long as both the server (Google’s servers do) and the client (Google’s Chrome browser does) support ECDH ciphersuites, a passive attacker cannot decrypt the connection, even if the attacker has the server’s SSL keys.

An active MITM attacker with the server’s SSL keys can still decrypt the connection. However, active attacks are more costly, risk detection (with huge repercussions if detected), and from what we know, NSA’s XKeyscore is completely passive.

out_of_the_blue says:

Re: Re: Re:2 It's imploding

@ “Which is why Google has been using perfect forward secrecy ciphersuites. As long as both the server (Google’s servers do) and the client (Google’s Chrome browser does) support ECDH ciphersuites, a passive attacker cannot decrypt the connection, even if the attacker has the server’s SSL keys.”

Oh, you’ve fallen for the oldest flaw in security: assuming that you can trust ANYONE. When applied to an amoral mega-corporation, already known to give NSA “direct access” to its servers, it’s worse than naive to trust Google. — You have NO effective way of auditing actual code run or ruling out backdoors! So don’t bother trying to point me to this algorithm or that, because you don’t know what’s actually in use.

Here’s something known that should make any reasonable non-shill question Google:

John Fenderson (profile) says:

Re: Re: Re:3 It's imploding

Oh, you’ve fallen for the oldest flaw in security: assuming that you can trust ANYONE

No, he hasn’t, at least not in the way you’re talking about. There is no need to trust Google (or anyone) for perfect forward secrecy. That’s the point of perfect forward secrecy. It is easy to confirm the protocol is being used by looking at the data being sent and received from Google.

Where the “trust Google” part comes in is with what happens to the data once it’s left the pipe and entered Google’s servers, and you’re absolutely right. At that point, there is no way of knowing what happens to that data.

But his approach to reducing the risk of MITM attacks is correct and helpful.
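The check described in the comment above, as an added example that is not part of the original comment thread: it reads the cipher suite a server chose from a captured TLS 1.0-1.2 ServerHello record and reports whether the key exchange is ephemeral (ECDHE/DHE), which is what gives forward secrecy. The suite table is a small hand-picked subset of the IANA registry, and the sample record is constructed by the helper rather than captured.

```python
# Added example: classify a captured ServerHello by its key exchange.
SUITES = {  # subset of IANA TLS cipher suite IDs, chosen for illustration
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC00E: "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",   # static ECDH, not ephemeral
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

def parse_server_hello(record: bytes) -> int:
    """Return the cipher suite ID selected in a TLS 1.0-1.2 ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    if record[0] != 0x16:                       # content type: handshake
        raise ValueError("not a handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 4:
        raise ValueError("truncated record body")
    if body[0] != 0x02:                         # handshake type: ServerHello
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    # Fixed part: version(2) + random(32) + session_id_length(1)
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ServerHello")
    off = 35 + hello[34]                        # skip the session id
    if len(hello) < off + 3:                    # suite(2) + compression(1)
        raise ValueError("truncated ServerHello")
    return int.from_bytes(hello[off:off + 2], "big")

def forward_secret(suite_id: int):
    """True/False for known suites; None when the suite is not in the table."""
    name = SUITES.get(suite_id)
    if name is None:
        return None                             # unknown suite: do not guess
    return "_ECDHE_" in name or "_DHE_" in name

def build_server_hello(suite_id: int, session_id: bytes = b"") -> bytes:
    """Build a constructed sample record (zeroed random, no extensions)."""
    hello = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    hello += suite_id.to_bytes(2, "big") + b"\x00"
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs

if __name__ == "__main__":
    for sid in (0xC02F, 0x0005, 0xC00E):
        chosen = parse_server_hello(build_server_hello(sid, b"\xaa" * 32))
        print(SUITES[chosen], "forward secret:", forward_secret(chosen))
```

This only tells you what was negotiated on the wire; as the comment says, it shows nothing about what happens to the data once it reaches the server.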

Anonymous Coward says:

Re: It's imploding

The impact is already being felt.

Non-US companies are quickly abandoning US-based cloud services and email providers. Businesses are dropping US-based software solutions and are rolling out their own solutions developed in-house instead.

Personal anecdote time: my company is even dropping Windows in favour of an open-source alternative for everything, end-users included (much to the delight of the geeks, myself included). And from what I’ve been hearing around the water cooler, we aren’t the only ones in the business shifting very quickly away from Microsoft.

The credibility of all software companies in the US has been irreparably damaged. Time will tell how extensive the economic damage will be.

akp says:

Re: Re: Re: It's imploding

It’s easy to say that, but there are 300 million people in the US, and huge blows to the economy put many of them out of work.

The US already has high unemployment, and no other countries are stepping up to employ US workers.

The US might be only 5% of the world’s population, but it’s the largest contributor to the GDP. A collapse of the US economy will bring down economies the world over.

The rest of the world is still feeling the effects of a small economic collapse five years ago. You want that again? Or worse even?

Brazilian Guy says:

Re: Re:

“This appears to be hostile takeover of the internet by the government.”

Next, they will make people use the internet with expensive virtual reality gear, and implement those 3D visuals of William Gibson Cyberpunk novels, just so that people trying to copy files get also charged with trespassing, since that in order to do that you had to enter the virtual building – and if you do copyright infringement, it automatically becomes theft.

Sorry, I just couldn’t help myself.

TheResidentSkeptic says:

Of course it is worth it

“Communicating overseas” means the NSA can then capture it all and keep it forever since it will be “encrypted international traffic”. So what if it kills off a bunch of small US businesses??? If they aren’t big enough to contribute to election campaigns and lobbyist funding sources, they don’t matter anyway.

Anonymous Coward says:

Re: Of course it is worth it

It’s not just small companies. The US GDP is roughly about 20% of the global economy (Wikipedia). If enough other countries start leaving Google, Amazon, RackSpace, etc due to privacy concerns, this could very much affect the US economy. The writing is on the wall. I have personally seen companies leaving cloud services to bring those back to a private cloud or hybrid cloud. This isn’t just speculation and it seems to only be increasing in pace. (link)

John Fenderson (profile) says:

Re: Re:

Yes, but the government should be careful what they wish for. The only things shutting down are commercial services. Security-minded people will (and the most security-minded already have) simply use security systems that don’t require a third party service to do. The government will then be in a worse position, as they’ll no longer have single points of attack.

Zakida Paul (profile) says:

Services like MyKolab hosted in places like Switzerland with strong privacy laws will do well from this whole thing. Does anyone actually trust a US based email or cloud service at the moment? I know I don’t.

Kudos to these services for shutting down rather than compromising their values by bending over and accepting a shafting from the US government. Pity Google, Microsoft, Apple et al could not club together and tell the government where to stick it.

Anonymous Coward says:

Not quite

The company is still offering other secure tools that feature end-to-end encryption such that there’s nothing they can hand over to the government.

Yes, they’re offering tools. No, those tools are not open source, therefore they haven’t been independently audited for functionality and security. Therefore, they shouldn’t be trusted any more than any other piece of closed-source code or third-party service. The promises and assurances of Silent Circle are meaningless self-promoting hype until/unless they publish ALL the source code.

Anonymous Coward says:

gmail 70%+ of users are outside the US

remember, less than 30% of gmail users are in the US — if a bunch switched to non-US alternatives, it would indeed impact Google’s ability to sell ads, and ultimately, profits.

Numbers from the forthcoming article by Orin Kerr (Volokh Conspiracy) in University of Pennsylvania Law Review pp.36-38

Anonymous Coward says:

I wonder how far this megalomaniac treatment by the USG is going to stretch? Is it going to think and act on the belief that it really is in charge of the world? How long before there is any push back and where will it come from first? If services are already closing down because they believe they will be targeted not for doing anything wrong but because of the accusation of doing something wrong, how is this action by the USG going to impact on all other anonymity services? We know where this started! Yet again, it was the USA entertainment industries and Hollywood. Not only with this but it was those same industries that started the ‘guilty by accusation’ and ‘guilty unless able to afford to pay to be proven innocent’! They got the ‘innocent unless proven guilty’ law changed on its head to what it is now! Can anyone else see a pattern here? Domination seems to be the aim and look where it started! With a damn industry working with ‘make believe’!

Adam Bell (profile) says:

To me, the horror show is that not only is your privacy compromised by the NSA drag net, but that for any reason they deem sufficient, the FBI, CIA, IRS and probably several other agencies will get to share in the haul. In other words — anything you say or send on line might well be perused by literally hundreds of feds of all different stripes.

If you believe that all of those eyeballs are honorable, honest, folks with a need to know, you’re very naive. There’ll be all kinds of breaches. Cabals sharing “interesting” sexting images with each other, folks playing the stock market on the strength of insider information gleaned on the net, etc. Open season.

Anonymous Coward says:

My paranoid concern about NSA surveillance is that they seem to be trending towards putting in taps and precrypt backdoors when they ‘cooperate’ with service providers. (A LA MS

This gives them ‘easy mode’ access to the data… They don’t even need to spend CPU cycles cracking.

The problem is that backdoors can be exploited by bad people, be they outside criminals or corrupt employees of the people.

Pen and paper, hand delivery and lock and key are the best available techs for privacy.

John Fenderson (profile) says:

Re: Re:

Pen and paper, hand delivery and lock and key are the best available techs for privacy.

There is no single “best” type of tech for privacy. It’s very situation-dependent. In some cases, you’re right, the old-school is the best school. In other cases, it’s the least secure choice. It all depends.

Case in point: one time pads. These are very old-school, and require nothing more than pen and paper and a way to generate random numbers (during WW2, they used bingo balls to do this). Properly done, encrypting with one-time pads is 100% unbreakable encryption.

Despite this, they are far from the most common kind of encryption, because in most cases, they are one of the most vulnerable for a single reason: you have to transmit the “key” (the OTP itself) to the other end of the communication channel in a secure fashion. And most of the time if you can accomplish that, you could just send the message itself the same way and don’t need to use the OTP at all.

On the other hand, if you’re fielding an army, you can just give everyone their pads in advance before sending them out into the battlefield. Their use makes a lot of sense in that context (ignoring the possibility that the enemy might be able to obtain the pads by searching bodies.)
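What "properly done" means for the one-time pads discussed in the comment above, as an added example that is not part of the original comment thread: pad material is random, issued to both ends in advance, consumed byte for byte and never reused. The class and function names are hypothetical, and the second function shows what reuse gives away.

```python
# Added example: a pad that refuses reuse, and what reuse would leak.
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

class OneTimePad:
    """Pad material handed to both ends in advance; each byte is used once."""

    def __init__(self, material: bytes):
        self._material = material
        self._pos = 0

    def remaining(self) -> int:
        return len(self._material) - self._pos

    def _take(self, n: int) -> bytes:
        # The key must be as long as the message; stop rather than wrap around.
        if n > self.remaining():
            raise ValueError("pad exhausted: refusing to reuse key material")
        chunk = self._material[self._pos:self._pos + n]
        self._pos += n
        return chunk

    def encrypt(self, plaintext: bytes) -> bytes:
        return xor(plaintext, self._take(len(plaintext)))

    decrypt = encrypt  # XOR with the same pad bytes undoes itself

def reuse_leak(p1: bytes, p2: bytes, key: bytes) -> bytes:
    """XOR of two ciphertexts made with the same key: the key cancels out."""
    return xor(xor(p1, key), xor(p2, key))   # equals xor(p1, p2)

if __name__ == "__main__":
    material = secrets.token_bytes(32)        # constructed pad, shared offline
    sender, receiver = OneTimePad(material), OneTimePad(material)
    ct = sender.encrypt(b"meet at noon")
    print(receiver.decrypt(ct), sender.remaining())
```

Both ends have to consume the pad in the same order, which is one more piece of the key-handling burden the comment describes.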

Anonymous Coward says:

Re: Re: Re:

As always good input John. For technical soundness and strength I agree with your assessment…. best tools for the job at hand.

One ‘soft’ factor favoring old fashioned, analog encryption and retention is that these days everyone has gotten lazy! Govt has the digital firehose and goes straight to that every time. I’m not even sure most of them know how to read cursive….

Anyway they make way fewer housecalls than they used to until the SWAT team comes. Best place to keep something safe is where very few will bother to look.

akp (profile) says:

Re: Re:

Highlighting just how important it is to maintain a strong postal service. The US Mail has historically been very secure from government snooping.

Oh wait. I forgot. They’re trying to kill the USPS too. Then we’ll all have to send “mail” through FedEx and UPS, who uphold no expectation of privacy for their customers…

Baldaur Regis (profile) says:

Coming Soon

Starting Your Business Outside America…For Dummies

Includes tips such as:

The Megaupload Lesson: Just contracting services with a U.S. company can get you arrested. Other countries offer better protection of your valuable data.

What’s in a name? Choosing a Top-level domain the US government probably won’t seize.

…and many others.


Sigh. What started as a joke would probably make a pretty successful book.

Brazilian Guy says:

Re: Coming Soon

I agree with you.

Right now, Kim Dotcom is smelling like roses near the kind of things that are coming to surface. I’m half expecting that something of the leaked documents from Snowden relates to the Mega Case. And I’m very irritated about the WCIT conference last year in Dubai. Because right now, our worst fears about what would have come to pass are already confirmed.

Anonymous Coward says:

Re: Sounds Good to Me

But then you fail to realise just how much incidental economy tech companies’ revenues give. Remember, Google alone is larger than the Big Four media companies (Sony, NBCUniversal, Time Warner and Disney) combined. Apple is bigger even than that. If no-one abroad uses their services, that’s a massive multi-billion-dollar hit to the US economy, in a time that the US cannot afford to take an economic hit.

FM Hilton (profile) says:

Cutting the cord

The only way the NSA or the government will get the message is if someone in a position of true power (not the fake stuff) told them “Either you stop this, or we’ll stop you.”

The Supreme Court or the President has that power. Not Congress, and not any business. Even then it’s a touch and go situation because the NSA’s best friends will push back hard.

It will take mandated shut downs of the programs to do it. Nothing else. Budget cutting won’t, because the ‘black bag’ operation budget for the military is always accessible.

Throw in the TSA while they’re at it, plus the DEA, the FBI, and a few other alphabet agencies that have been plundering the public’s private information.

Until that happens, watch the sinking of small businesses and destruction of people’s lives.

Brought to you by those who believe that your privacy isn’t worth preserving.

Oh, one note though: the government can do this invasion of privacy stuff without facing penalties. Don’t you try it or else you’ll be in prison pronto. Justice is only for some.

ShellMG (profile) says:

The NSA is just following the lead of every other governmental money-spender and information-hijacker – “we meant well!”

Welfare, socially manipulative and heavy-handed programs have been using that excuse for decades. It immunizes them from the lazy grubs currently working in mainstream news. “We meant well!” is their best defense and they’re using it because it works.

If the NSA just says “we mean well,” the press will shrug and look for another rabbit to chase.

Collaborative United (user link) says:

Some Freelance/Firm Idea's Guru Will Think a Loop-Hole

I’m sure it won’t take long for some developer to think of a way to encrypt emails without actually being vulnerable to the U.S Laws, can they ask for Registration Info Based in China or Russia for eg? Where there is a will there is a way. Just because the U.S Govt. can’t read the eMails they shut down these sites = MAKES ME SICK as it shows just what they are reading on GMAIL, YAHOO MAIL, ISP EMAILS ETC using PRISM and other Keyword Sniffers and talking about a “Bomb ass concert where the band’s song ‘Terror In The U,S,A’ really rallied the fans” – for an example of some common kid’s email, IM, FaceBook IM to his mates…. S-C-A-R-Y

I’ve nothing to hide, but I Encrypt everything… Why? I HAVE A RIGHT TO PRIVACY IN MY OWN HOME, if that home is online or not… simple/ PLUS I’m Not a U.S Citizen and dread what u guys are going through, especially Police States etc in the next few years, and total satellite lookouts in the next few years on U.S within just ‘above’ head distance… OUCH. AND WHY? TO SHOW THEY CAN.

WAR ON TERROR?? HMMM, Bit Old Mate. Ain’t been a Legit Attack for over 10yrs… Staged & FOREIGN POWER STRUGGLES AGAINST THEIR OWN = Like ANY OTHER WAR EVER where we don’t get involved, until Oil & Diamonds started running low that is.

SORRY FOR THE RAMBLE and thanks 4 ur guys patience.

I Design for United Worldwide Collaboration to do my part against the ‘splitting’ agenda…Well & to meet like minded individuals from all over, make life long friends and project partners, and of course increase our PORTFOLIO’S 😉 @Code_CollectiveJay (2nd Project Manager)

