Feeds

Snowden's secure email provider Lavabit shuts down under gag order

Won't be 'complicit in crimes against the American people'

Choosing a cloud hosting partner with confidence

Lavabit, the security-conscious email provider that was the preferred email service of NSA leaker Edward Snowden, has closed its doors, citing US government interference.

"I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit," founder Ladar Levison said in a statement posted to the company's homepage on Thursday. "After significant soul searching, I have decided to suspend operations."

Prior to its closure, Lavabit was a dedicated email service that offered subscribers "the freedom of running your own email server – without the hassle or expense."

In addition to a variety of flexible configuration options, the service boasted that all email stored on its servers was encrypted using asymmetric elliptical curve cryptography, in such a way that it was impossible to discern the contents of any email without knowing the user's password.

As a whitepaper posted to the company's website (now removed, but available from the Internet Archive) observed:

Our goal was to make invading a user's privacy difficult, by protecting messages at their most vulnerable point. That doesn't mean a dedicated attacker, like the United States government, couldn't intercept the message in transit or once it reaches your computer.

Our hope is the difficulty associated with those strategies means they will only be used by governments on terrorists and scammers, not on honest citizens.

It now seems, however, that Levison's hope was just wishful thinking. Without going into details, his statement on Thursday made plain that pressure from the US government was behind his decision to shutter Lavabit.

"I feel you deserve to know what's going on – the first amendment is supposed to guarantee me the freedom to speak out in situations like this," Levison wrote. "Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests."

Under current US law, requests for information by US intelligence agencies often carry a gag order that forbids the party receiving the request from disclosing what information was requested, or even that a request was made at all.

The gag orders can be challenged by appealing to the shadowy Foreign Intelligence Surveillance Court (FISC), which operates in complete secrecy, but such appeals are seldom granted.

Not even Google or Microsoft – each of which, it must be said, has far deeper pockets than Lavabit – has managed to challenge the surveillance orders. Both companies were named by Snowden as having turned over user data to government spies under the secretive PRISM program, but the FISC won't allow them to reveal to the public what they may or may not have actually disclosed.

Little wonder, then, that Levison's "appropriate requests" have similarly been denied.

The Lavabit founder says he next plans to challenge the government's ruling in the US Fourth Circuit Court of Appeals. A favorable ruling, he says, would allow him to "resurrect Lavabit as an American company" – though he doesn't appear to hold out much hope.

"This experience," Levison wrote, "has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States." ®

Beginner's guide to SSL certificates

More from The Register

next story
Azure TITSUP caused by INFINITE LOOP
Fat fingered geo-block kept Aussies in the dark
NASA launches new climate model at SC14
75 days of supercomputing later ...
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
You think the CLOUD's insecure? It's BETTER than UK.GOV's DATA CENTRES
We don't even know where some of them ARE – Maude
DEATH by COMMENTS: WordPress XSS vuln is BIGGEST for YEARS
Trio of XSS turns attackers into admins
Cloud unicorns are extinct so DiData cloud mess was YOUR fault
Applications need to be built to handle TITSUP incidents
BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
Don't worry about that cable, it's part of the config
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?