Feeds

How Dark Mail Alliance hopes to roll out virtually NSA-proof email next year

El Reg chats to cofounder Jon Callas

The Power of One eBook: Top reasons to choose HP BladeSystem

The Dark Mail Alliance has revealed more details of plans to build a secure, encrypted email system that's surveillance-proof, provided the user's machine isn’t already pwned.

Jon Callas, CTO of Silent Circle and cofounder of the Dark Mail Alliance, told The Register that the idea for the service came when he met up with Ladar Levison, founder of the now-defunct encrypted email service Lavabit, at a conference last month – and they started discussing the current state of government eavesdropping and what to do about it.

"It's got to be better to start from a position of near total security and then work down as needed, rather than starting with no security and then add on code to try and make it more secure," Callas said.

Both have the skills needed to set up such a system. Callas, and fellow Silent Circle partner Phil Zimmermann, were members of PGP, the firm that brought encryption to the masses in the early 1990s, and recently set up secure communications biz Silent Circle.

For nearly a decade Levison ran Lavabit (formerly Nerdshack) to make sure that email users could encrypt their messages and store them safely, before shutting the service down rather than compromise his users' security.

The full details on the Dark Mail Alliance system will be published in a white paper shortly, but in a nutshell the system uses SMTP and Extensible Messaging and Presence Protocol (XMPP) systems. The user generates a private key on their device and has public keys on an open server; sent emails are encrypted and stored in the cloud for pickup as needed.

'It's as secure as it can be, we think'

"Anyone monitoring the email would be able to see the size of the message but that's about it," Callas explained. "Of course, if the owner's device has already been subverted by malware then the private key can be found, but it's as secure as it can be, we think."

The team will open source all of the code and invite the community to poke holes in it and find weaknesses. The first version of the basic code will be out next year, Callas said, but the team also wants to build components that would allow companies and email providers to easily add the technology to their systems.

So far interest in the system has been high, Callas said, with many people in the security industry getting in touch wanting either more details or offering to help. However, no one from the government has been in contact at this time.

Services such as this are bound to bring up the accusation that the Dark Mail Alliance is aiding the four horsemen of the infocalypse: terrorists, organized crime, pedophiles, and drug dealers. Callas refuted this, pointing out that there are already many existing laws for getting access to an individual suspect's emails that would work just fine and that the group is "not fond of bad guys."

He pointed out that in the case of Lavabit, Levison was happy to help with law enforcement requests for assistance. But he shut down the email service because federal investigators looking into Edward Snowden's account wanted full access to everyone's email on the site, not just their target's.

As for the name of the group, it has been reported that the inspiration for Dark Mail Alliance is somewhat Star Wars-based. But Callas pointed out that "dark" also means hidden or secret, as well as complex and rich, as in "a dark voice."

"We had a discussion among ourselves about what to call Dark Mail, and we one of the reasons that we decided we liked it was that it is a complex word," he said.

"Moreover, one of the the major corrosive effects of mass surveillance is that it causes people self-edit, to fear to do things unseemly, to be safe. We didn't want to call it 'Shiny Happy Mail.' Dark Mail for us reflects our dark humor as well as the dark humors that surveillance puts us in," he said.

"I think it's sad that there's been a flutter over 'dark' because it can mean only some things to some people. That is, however, the sort of thing that isn't unexpected. These are dark times, and it's hard to have a dark laugh." ®

Designing a Defense for Mobile Applications

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.