2013-08-08 "Encrypted email Lavabit used by Snowden shuts to avoid 'complicity in crimes against Americans'" [http://rt.com/usa/lavabit-email-snowden-statement-247/]:
The highly encrypted email service reportedly used by NSA leaker Edward Snowden has gone offline - and its administrator claims the company is legally barred from explaining why.
On Thursday, the homepage of Lavabit.com was changed to a letter from the company’s owner announcing that the site’s operations have ceased following a six-week long ordeal that has prompted the company to take legal action in the Fourth Circuit Court of Appeals.
Now in the midst of an escalating fight from the federal government aimed at cracking down on encrypted communications, one of the last free and secure services has thrown in the towel under mysterious circumstances.
“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations,” owner and operator Ladar Levison of Dallas, Texas wrote in the statement. “I wish that I could legally share with you the events that led to my decision. I cannot.”
“I feel you deserve to know what’s going on--the First Amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise,” wrote Levison. “As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.”
Levison’s statement comes two months after Snowden - a former analyst at intelligence contractor Booz Allen Hamilton - revealed himself to be the source of leaked NSA documents disclosing vast surveillance programs operated by the United States government. A month later, the Global Post published an article in which a Lavabit.com email address thought to be registered to Snowden was revealed.
The Global Post wrote on July 12 [http://www.globalpost.com/dispatch/news/regions/europe/russia/130712/edward-snowden-meeting-moscow-airport] that the Sheremetyevo Airport press conference hosted by Snowden later that day was announced to human rights groups under the email address "edsnowden@lavabit.com" and signed by “Edward Joseph Snowden.” Washington Post foreign affairs blogger Max Fisher and Guardian journalist Glenn Greenwald have both since reported that Lavabit is indeed Snowden's email provider.
During a Q&A session hosted by The Guardian last month, Snowden wrote, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
Although Lavabit’s website is now almost entirely inaccessible, a cached version hosted by Google provides background on why and how the service provided highly secure encryption to its users.
“In an era where Microsoft and Yahoo’s e-mail services sell access past their spam filters, Google profiles user’s inboxes for targeted advertising, and AT&T allows the government to tap phone calls without a court warrant; we decided to take a stand,” one page reads. “Lavabit has developed a system so secure that it prevents everyone, including us, from reading the e-mail of the people that use it.”
By combining three different encryption schemes with Elliptical Curve Cryptography, Lavabit provided a service purposely designed to provide protection against government surveillance.
“The result is that once a message is stored on our servers in this fashion, it can’t be recovered without knowing a user's password. This provides a priceless level of security, particularly for customers that use e-mail to exchange sensitive information,” the company wrote.
“The key element of the PATRIOT Act is that it allows the FBI to issue National Security Letters (NSLs). NSLs are used to force an Internet Service Provider, like Lavabit, to surrender all private information related to a particular user. The problem is that NSLs come without the oversight of a court and can be issued in secret. Issuing an NSL in secret effectively denies the accused an opportunity to defend himself in court. Fortunately, the courts ruled NSLs unconstitutional in 2005; but not before illustrating the need for a technological guarantee of privacy,” the cached page reads.
“Lavabit believes that a civil society depends on the open, free and private flow of ideas. The type of monitoring promoted by the PATRIOT Act restricts that flow of ideas because it intimidates those afraid of retaliation. To counteract this chilling effect, Lavabit developed its secure e-mail platform. We feel e-mail has evolved into a critical channel for the communication of ideas in a healthy democracy. It’s precisely because of e-mail’s importance that we strive so hard to protect private e-mails from eavesdropping.”
Lavabit noted that brute force attacks could theoretically allow a third-party to see password-protected emails but said that such attacks shouldn't be happening anytime soon.
“In practice, the key lengths Lavabit has chosen equal enough possible inputs that a brute-force attack shouldn’t be feasible for a long time to come.”
According to Snowden’s Q&A with The Guardian last month, “endpoint security is so terrifically weak that NSA can frequently find ways around it.”
Now as Levison and crew prepare for a fight in appeals court, he suggests that very few are safe from having even secure emails stolen by the US government.
“This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States,” Levison said in the statement.
On a since removed page from Lavabit.com, the company wrote, “Like insurance, we hope our secure e-mail platform is something you’ll never need. However, should the issue ever arise, like insurance, you’ll be glad you have it.”
Earlier this year, Federal Bureau of Investigation general counsel Andrew Weismann said the US Justice Department wants to be able to decrypt all messages sent over the internet in real-time by the end of 2014.
“The problem with not having [that ability in America] is that we’re making the ability to intercept communications with a court order increasingly obsolete,” Weissman said. “Those communications are being used for criminal conversations, by definition…and so this huge legal apparatus that many of you know about to prevent crimes, to prevent terrorist attacks is becoming increasingly hampered and increasingly marginalized the more we have technology that is not covered” under current law.
According to a cached page of the company's history, Lavabit was launched in 2004 and most recently handled service for upwards of 60,000 individuals at a rate of around 200,000 emails a day.
“How many Lavabit users have just been impacted by the hand of attempted government oppression in secret?” security researcher Jacob Appelbaum tweeted on Thursday. “The path chosen by Lavabit is an honorable choice. It is also horrible that they must now ruin their company to try to keep their integrity.”
In an email to RT, Appelbaum said, “It seems rather obvious that the US government surveillance agenda is out of control.”
“This isn't a matter of 'a surveillance program' - the issue isn't just passive wiretapping, it include[s] actively breaking into people's computers, as well as storing the data for retroactive policing,” added Appelbaum. “Welcome to the United States of American Total Surveillance. A State over all other States.”
Appelbaum himself is no stranger to the government’s surveillance policies and has had his own personal data thrown under Uncle Sam’s magnifying glass in the past. A known volunteer with the anti-secrecy website WikiLeaks, Appelbaum was the subject of federal subpoenas served to both Google and a small-time Internet Service Provider that compelled them to hand over private emails. Twitter was also served with a subpoena for Mr. Appelbaum’s user info.
Lavabit representatives did not immediately return requests for comment.
2013-08-09 "Email service used by Snowden shuts itself down, warns against using US-based companies; Edward Snowden - 'Google, Facebook, Microsoft, Yahoo, Apple, and the rest of our internet titans must ask themselves why they aren't fighting for our interests the same way'"
by Glenn Greenwald from "theguardian.com" [http://www.theguardian.com/commentisfree/2013/aug/09/lavabit-shutdown-snowden-silicon-valley]:
A Texas-based encrypted email service recently revealed to be used by Edward Snowden - Lavabit - announced yesterday it was shutting itself down in order to avoid complying with what it perceives as unjust secret US court orders to provide government access to its users' content. "After significant soul searching, I have decided to suspend operations," the company's founder, Ladar Levinson, wrote in a statement to users posted on the front page of its website. He said the US directive forced on his company "a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit." He chose the latter.
CNET's Declan McCullagh smartly speculates that Lavabit was served "with [a] federal court order to intercept users' (Snowden?) passwords" to allow ongoing monitoring of emails; specifically: "the order can also be to install FedGov-created malware."
[https://plus.google.com/112961607570158342254/posts/EujgUYbrEwv]:
After challenging the order in district court and losing - all in a secret court proceeding, naturally - Lavabit shut itself down to avoid compliance while it appeals to the Fourth Circuit.
This morning, Silent Circle, a US-based secure online communication service, followed suit by shutting its own encrypted email service [http://gigaom.com/2013/08/09/another-u-s-secure-email-service-shuts-down-to-protect-customers-from-authorities/]. Although it said it had not yet been served with any court order, the company, in a statement by its founder, internet security guru Phil Zimmerman, said: "We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail now."
What is particularly creepy about the Lavabit self-shutdown is that the company is gagged by law even from discussing the legal challenges it has mounted and the court proceeding it has engaged. In other words, the American owner of the company believes his Constitutional rights and those of his customers are being violated by the US Government, but he is not allowed to talk about it. Just as is true for people who receive National Security Letters under the Patriot Act, Lavabit has been told that they would face serious criminal sanctions if they publicly discuss what is being done to their company.
[ ... ]
Snowden, who told me today that he found Lavabit's stand "inspiring", added:
"Ladar Levison and his team suspended the operations of their 10 year old business rather than violate the Constitutional rights of their roughly 400,000 users. The President, Congress, and the Courts have forgotten that the costs of bad policy are always borne by ordinary citizens, and it is our job to remind them that there are limits to what we will pay.
"America cannot succeed as a country where individuals like Mr. Levison have to relocate their businesses abroad to be successful. Employees and leaders at Google, Facebook, Microsoft, Yahoo, Apple, and the rest of our internet titans must ask themselves why they aren't fighting for our interests the same way small businesses are. The defense they have offered to this point is that they were compelled by laws they do not agree with, but one day of downtime for the coalition of their services could achieve what a hundred Lavabits could not.
"When Congress returns to session in September, let us take note of whether the internet industry's statements and lobbyists - which were invisible in the lead-up to the Conyers-Amash vote - emerge on the side of the Free Internet or the NSA and its Intelligence Committees in Congress."
No comments:
Post a Comment