Another Secure Email Service Shuts Down To Avoid Having To Do So Later
from the us-government-destroying-american-businesses dept
When Lavabit announced its sudden decision to shut down yesterday, many of its customers were actually fairly perturbed that they were given no notice, and no way to retrieve their mail before it went away. While I can certainly understand that emotional response to losing your email account like that, it seems rather obvious that there was no real choice here. If Lavabit had alerted customers that they had a day or a week or whatever before the service shut down, it seems quite likely from the hints given that the government would have stepped in with an order to preserve the information it was clearly seeking access to.
Given that, it’s noteworthy that another secure email provider, Silent Circle, chose to announce its own plans to close down its secure email service hours later. Silent Circle isn’t facing the same hidden court orders/government demands, but it recognized that it would likely come some day soon — and thus it was better to shut down ahead of time, before the government forced it to make the same decision. I’m somewhat surprised that Silent Circle didn’t at least give its customers a day or whatever to close out their email, but rather the company flat out destroyed its servers, noting:
“Gone. Can’t get it back. Nobody can.”
The company is still offering other secure tools that feature end-to-end encryption such that there’s nothing they can hand over to the government.
In discussing this, I saw some people point out that another service, CryptoCloud, has actually had it as a part of its privacy policy for over five years that it would shut down rather than let the government get direct access to accounts:
If a court orders us to allow them to secretly place surveillance “sniffers” on a specific account, we will fight this order to the highest judicial authority possible. If we lose, we will shut down the business and call it a day. End of story.
Still, this kind of thing is showing how these ridiculous surveillance policies from the US government are doing massive harm to US businesses, basically making them either lie to their customers and violate their privacy, or to shut down completely. It’s going to drive many, many users to overseas services. Is that really worth it?
Filed Under: email, secure email, shutting down, surveillance
Companies: lavabit, silent circle
Comments on “Another Secure Email Service Shuts Down To Avoid Having To Do So Later”
It's imploding
I wonder if the financial hit is strong enough they’ll reconsider. Then again once you lose the trust it’s incredibly hard to regain it. Right now only the truly alienated and the legacy media parrots still side with the US Government.
What are you going to do Obama? Insist that there’s nothing to worry about?
Re: It's imploding
It will have really imploded when the likes of Google move all their operations and personel out of the USA, and only offer SSL connections.
Re: Re: It's imploding
“It will have really imploded when the likes of Google move all their operations and personel out of the USA…”
Unlikely.
Google is too big to just pack up and leave. Plus, they don’t want to burn bridges (the US is such a huge market, after all). As it stands, Google’s best move (form their point of view) is to stay put, shut up and do as they are told. They have no incentive to act otherwise.
I mean, why would they sacrifice some market share and lucrative connections in the US just for some geek cred?
“…and only offer SSL connections.”
Haven’t you been paying attention? All it takes is a few scary man in suits to show up at a Google office and say “Hand over your SSL keys”, and Google will just hand them over, because – frankly – they have no other choice, and no incentive to push back. From then on, your “secure connection” is compromised.
Re: Re: Re: It's imploding
They can halt development in the US and start building data centers elsewhere. Slowly. And move the headquarters abroad. It would send a powerful message. And if the 30% figure is true (this seems to be the number of Americans that use Google) sacrificing 30% to save the other 70% seems to be a good business decision.
Re: Re: Re: It's imploding
I can see the NSA bullying some start-up in a basement office somewhere that way, but Google can afford some very expensive lawyers, some very large backhanders and probably a private military contractor or two for good measure. If they wanted to make a fight of it, they could.
They probably won’t go beyond a few token gestures as a sop to public opinion, of course, but they do have the option.
Re: Re: Re: It's imploding
Re: Re: Re:2 It's imploding
@ “Which is why Google has been using perfect forward secrecy ciphersuites. As long as both the server (Google’s servers do) and the client (Google’s Chrome browser do) support ECDH ciphersuites, a passive attacker cannot decrypt the connection, even if the attacker has the server’s SSL keys.”
Oh, you’ve fallen for the oldest flaw in security: assuming that you can trust ANYONE. When applied to an amoral mega-corporation, already known to give NSA “direct access” to its servers, it’s worse than naive to trust Google. — You have NO effective way of auditing actual code run or ruling out backdoors! So don’t bother trying to point me to this algorithm or that, because you don’t know what’s actually in use.
Here’s something known that should make any reasonable non-shill question Google:
http://refreshingnews99.blogspot.in/2013/07/nsa-is-quietly-writing-code-for-googles.html
Re: Re: Re:3 It's imploding
So you can review the source code that you were whining about not being able to read a sentence earlier and get back to us.
Re: Re: Re:3 It's imploding
Blue, get off your “Google-is-spying-on-everyone” horse and realize that you can OPT OUT OF GOOGLE’S DATA COLLECTION BY NOT USING THEIR SERVICES!! It’s that simple.
Re: Re: Re:3 It's imploding
No, he hasn’t, at least not in the way you’re talking about. There is no need to trust Google (or anyone) for perfect forward secrecy. That’s the point of perfect forward secrecy. It is easy to confirm the protocol is being used by looking at the data being sent and received from Google.
Where the “trust Google” part comes in is with what happens to the data once it’s left the pipe and entered Google’s servers, and you’re absolutely right. At that point, there is no way of knowing what happens to that data.
But his approach to reducing the risk of MITM attacks is correct and helpful.
Re: Re: Re:4 It's imploding
Not to mention a lot of the code Google uses is right there in the wild to be inspected. So indeed the biggest flaw would be when your data is in their servers.
Re: It's imploding
The impact is already being felt.
Non-US companies are quickly abandoning US-based cloud services and email providers. Businesses are dropping US-based software solutions and are rolling out their own solutions developed in-house instead.
Personal anecdote time: my company is even dropping Windows in favour of an open-source alternative for everything, end-users included (much to the delight of the geeks, myself included). And from what I’ve been hearing around the water cooler, we aren’t the only ones in the business shifting very quickly away form Microsoft.
The credibility of all software companies in the US has been irreparably damaged. Time will tell how extensive the economic damage will be.
Re: Re: It's imploding
Actually, fuck the economy. USians make up only 5% of the world population. You may not be able to sell many Hummers (or $100+ crappy OSes) outside the US, but how many microtransactions with 95% of the planet would it take to allow you to live comfortably?
Re: Re: Re: It's imploding
It’s easy to say that, but there are 300 million people in the US, and huge blows to the economy put many of them out of work.
The US already has high unemployment, and no other countries are stepping up to employ US workers.
The US might be only 5% of the world’s population, but it’s the largest contributer to the GDP. A collapse of the US economy will bring down economies the world over.
The rest of the world is still feeling the effects of a small economic collapse five years ago. You want that again? Or worse even?
Re: Re: Re:2 It's imploding
http://www.silverdoctors.com/while-the-west-ponders-fed-qe-plans-the-chinese-accumulate-gold/
Actually, the rest of the world is quickly figuring out how to mitigate the effects of another such collapse.
This appears to be hostile takeover of the internet by the government.
Think about what they’re doing: going around to e-mail service providers, demanding that they hand over all user data, acting more the order of a mafia cartel. These people truly do not represent the American people.
Re: Re:
“This appears to be hostile takeover of the internet by the government.”
Next, they will make people use the internet with expensive virtual reality gear, and implement those 3D visuals of Willian Gibson Cyberpunk novels, just so that people trying to copy files get also charged with trespassing, since that in order to do that you had to enter the virtual building – and if you do copyright infringiment, it automaticaly becomes theft.
Sorry, i just couldn’t help myself.
Of course it is worth it
“Communicating overseas” means the NSA can then capture it all and keep it forever since it will be “encrypted international traffic”. So what if it kills off a bunch of small US businesses??? If they aren’t big enough to contribute to election campaigns and lobbyist funding sources, they don’t matter anyway.
Re: By Design
This right here. The sooner all the US-based email and internet services shut down, the sooner all traffic goes overseas and is thus subject to the dragnet without even having to file a subpoena.
Re: Of course it is worth it
It’s not just small companies. The US GDP is roughly about 20% of the global economy wikipedia. If enough other countries start leaving Google, Amazon, RackSpace, etc due to privacy concerns, this could very much effect the US economy. The writing is on the wall. I have personally seen companies leaving cloud services to bring those back to a private cloud or hybrid cloud. This isn’t just speculation and it seems to only increasing in pace. link
This is exactly what the government wants: no more secure systems they can’t spy on. Scare these services into closing down.
Re: Re:
Yes, but the government should be careful what they wish for. The only things shutting down are commercial services. Security-minded people will (and the most security-minded already have) simply use security systems that don’t require a third party service to do. The government will then be in a worse position, as they’ll no longer have single points of attack.
Well, just use Gmail!
Google respects and guards your privacy, right? And for free! Such a deal.
Services like MyKolab hosted in places like Switzerland with strong privacy laws will do well from this whole thing. Does anyone actually trust a US based email or cloud service at the moment? I know I don’t.
Kudos to these services for shutting down rather than compromising their values by bending over and accepting a shafting from the US government. Pity Google, Microsoft, Apple et al could not club together and tell the government where to stick it.
Bitmessage
Check out Bitmessage. Encrypted, peer-to-peer, open-source messaging system. It would be very difficult, if not impossible to shut down.
https://bitmessage.org/wiki/Main_Page
Not quite
The company is still offering other secure tools that feature end-to-end encryption such that there’s nothing they can hand over to the government.
Yes, they’re offering tools. No, those tools are not open source, therefore they haven’t been independently audited for functionality and security. Therefore, they shouldn’t be trusted any more than any other piece of closed-source code or third-party service. The promises and assurances of Silent Circle are meaningless self-promoting hype until/unless they publish ALL the source code.
Re: Not quite
True, but the company has demonstrated their commitment by shutting down a product that they deemed at risk.
It’s a lot better than most.
gmail 70%+ of users are outside the US
remember, less than 30% of gmail users are in the US — if a bunch switched to non-US alternatives, it would indeed impact Google’s ability to sell ads, and ultimately, profits.
Numbers from the forthcoming article by Orin Kerr (Volokh Conspiracy) in University of Pennsylvania Law Review pp.36-38
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2302891
Why don’t they just avoid USA, UK, Canada and Australia?
someone is going to get smart and put SSL encryption on something like owncloud.com, and host their own email service.
Lavabit was a US company to
Lavabit was a US company to, located in Texas. So once again, government’s blatantly illegal policies off spying on all Americans kills more American businesses, and who knows how many other businesses it’s cost a ton of money, or caused to not even bother opening shop in the US.
i wonder how far this megalomaniac treatment by the USG is going to stretch? is it going to think and act on the belief that it really is in charge of the world? how long before there is any push back and where will it come from first? if services are already closing down because they believe they will be targeted not for doing anything wrong but because of the accusation of doing something wrong, how is this action by the USG going to impact on all other anonymity services? we know where this started! yet again, it was the USA entertainment industries and Hollywood. not only with this but it was those same industries that started the ‘guilty by accusation’ and ‘guilty unless able to afford to pay to be proven innocent’! they got the ‘innocent unless proven guilty’ law changed on it’s head to what it is now! can anyone else see a pattern here? domination seems to be the aim and look where it started! with a damn industry working with ‘make believe’!
To me, the horror show is that not only is your privacy compromised by the NSA drag net, but that for any reason they deem sufficient, the FBI, CIA, IRS and probably several other agencies will get to share in the haul. In other words — anything you say or send on line might well be perused by literally hundreds of feds of all different stripes.
If you believe that all of those eyeballs are honorable, honest, folks with a need to know, you’re very naive. There’ll be all kinds of breeches. Cabals sharing “interesting” sexting images with each other, folks playing the stock market on the strength of insider information gleaned on the net, etc. Open season.
My paranoid concern about NSA surveillance is that they seem to be trending towards putting in taps and precrypt backdoors when they ‘cooperate’ with service providers. (A LA MS Outlook.com).
This gives them ‘easy mode’ access to the data… They don’t even need to spend CPU cycles cracking.
The problem is that backdoors can be exploited by bad people, be they outside criminals or corrupt employees of the people.
Pen and paper, hand delivery and lock and key are the best available techs for privacy.
Re: Re:
There is no single “best” type of tech for privacy. It’s very situation-dependent. In some cases, you’re right, the old-school is the best school. In other cases, it’s the least secure choice. It all depends.
Case in point: one time pads. These are very old-school, and require nothing more than pen and paper and a way to generate random numbers (during WW2, they used bingo balls to do this). Properly done, encrypting with one-time pads is 100% unbreakable encryption.
Despite this, they are far from the most common kind of encryption, because in most cases, they are one of the most vulnerable for a single reason: you have to transmit the “key” (the OTP itself) to the other end of the communication channel in a secure fashion. And most of the time if you can accomplish that, you could just send the massage itself the same way and don’t need to use the OTP at all.
On the other hand, if you’re fielding an army, you can just give everyone their pads in advance before sending them out into the battlefield. Their use makes a lot of sense in that context (ignoring the possibility that the enemy might be able to obtain the pads by searching bodies.)
Re: Re: Re:
As always good input John. For technical soundness and strength I agree with your assessment…. best tools for the job at hand.
One ‘soft’ factor favoring old fashioned, analog encryption and retention is that these days is that every one has gotten lazy! Govt has the digital firehose and go straight to that every time. I’m not not even sure most of them know how to read cursive….
Anyway they make way fewer housecalls than they used to until the SWAT team comes. Best place to keep something safe is where very few will bother to look.
Re: Re:
Highlighting just how important it is to maintain a strong postal service. The US Mail has historically been very secure from government snooping.
Oh wait. I forgot. They’re trying to kill the USPS too. Then we’ll all have to send “mail” through FedEx and UPS, who uphold no expectation of privacy for their customers…
Re: Re: Re:
Not so much, really. For a long, long time, the post office has had a secret program where mail of interest is diverted and steamed open by spies, the contents recorded, then resealed and delivered as normal. All without a warrant.
Coming Soon
Starting Your Business Outside America…For Dummies
Includes tips such as:
…and many others.
….
Sigh. What started as a joke would probably make a pretty successful book.
Re: Coming Soon
I agree with you.
Right now, Kim Dotcom is smelling like roses near the kind of things that are coming to surface. I’m half expecting that something of the leaked documents from Snowden relates to the Mega Case. And i’m very irritated about the WCIT conference last year in Dubai. Because right now, our worst fears about what would have come to pass are already confirmed.
Quite frankly, the U.S. Government has gone batshit crazy.
I’m rather upset by all of this. Zero trust, zero integrity, zero value.
Escalation is inevitable.
Sounds Good to Me
The $200 billion cost of piracy to the USA will quickly stop if these Internet companies take their business elsewhere and stop lobbying to block anti-piracy measures.
http://luciusonsecurity.blogspot.co.uk/2012/01/cybercrime-state-of-online-piracy.html
Re: Sounds Good to Me
But then you fail to realise just how much incidental economy tech companies’ revenues give. Remember, Google alone is larger than the Big Four media companies (Sony, NBCUniversal, Time Warner and Disney) combined. Apples is bigger even than that. If no-one abroad uses their services, that’s a massive multi-billion-dollar hit to the US economy, in a time that the US cannot afford to take an economic hit.
Is that really worth it?
Only if you want to have secure services.
Here in the USA that will not be allowed.
Turn Key Tyranny, it’s already happened here in the USA.
It's obvious...
Pressure these, and other, sites to shut down in the US. The only offerings will be available overseas and voila!
Contacting foreign personnel and services overseas on an encrypted network connection = Terrorist.
It’s like the government isn’t even trying anymore.
Cutting the cord
The only way the NSA or the government will get the message is is someone in a position of true power (not the fake stuff) told them “Either you stop this, or we’ll stop you.”
The Supreme Court or the President has that power. Not Congress, and not any business. Even then it’s a touch and go situation because the NSA’s best friends will push back hard.
It will take mandated shut downs of the programs to do it. Nothing else. Budget cutting won’t, because the ‘black bag’ operation budget for the military is always accessible.
Throw in the TSA while they’re at it, plus the DEA, the FBI, and a few other alphabet agencies that have been plundering the public’s private information.
Until that happens, watch the sinking of small businesses and destruction of people’s lives.
Brought to you by those who believe that your privacy isn’t worth preserving.
Oh, one note though: the government can do this invasion of privacy stuff without facing penalties. Don’t you try it or else you’ll be in prison pronto. Justice is only for some.
Re: Cutting the cord
There’s no hope the President is going to do anything about it. He’s already denied it’s happening.
SCOTUS can’t do anything until a case is brought to it… After working its way up through all the lower courts for ten years.
The NSA is just following the lead of every other governmental money-spender and information-hijacker – “we meant well!”
Welfare, socially manipulative and heavy-handed programs have been using that excuse for decades. It immunizes them from the lazy grubs currently working in mainstream news. “We meant well!” is their best defense and they’re using it because it works.
If the NSA just says “we mean well,” the press will shrug and look for another rabbit to chase.
Perhaps this should be from the “the-terrorists-have-won” department.
WHAT?
I didn’t even know lavabit shutdown….it was the only e-mail I used. Dammit Americans, get your hand out of our collective world ass already
what about non-US based servers
It is interesting to see how this Lavabit meltdown relates to non-US based email encryption services such as http://salusafe.com and if it we could expect similar abrupt shutdowns of offshore servers?
There are many sites providing services such as these. Other than those mentioned another viable option might be http://www.unspyable.com/offshore_email.htm
the odd life of timothy green^exit been made^.
the odd life of timothy green^exit been made^.
Some Freelance/Firm Idea's Guru Will Think a Loop-Hole
I’m sure it won’t take long for some developer to think of a way to encrypt emails without actually being vulnerable to the U.S Laws, can they ask for Registration Info Based in China or Russia for eg? Where there is a will there is a way. Just because the U.S Govt. can’t read the eMails they shut down these sites = MAKES ME SICK as it shows just shows just what they are reading on GMAIL, YAHOO MAIL, ISP EMAILS ETC using PRISM and other Keyword Sniffers and talking about a “Bomb ass concert where the band’s song ‘Terror In The U,S,A’ really rallied the fans” – for an example of some common kid’s email, IM, FaceBook IM to his mates…. S-C-A-R-Y
SORRY FOR THE RAMBLE and thanks 4 ur guys patience.
I Design for United Worldwide Collaboration to do my part against the ‘splitting’ agenda…Well & to meet like minded individuals from all over, make life long friends and project partners, and of course increase our PORTFOLIO’S 😉 @Code_Collective – Jay (2nd Project Manager)
toko obat kuat herbal
Salam, nice for post article, i like it..
mainan seks wanita
i like article in your post