The secure mail dilemma: If it's useable, it's probably insecure

Mail providers must choose: Silent compliance or shutdown

Lavabit boasts en estimated 400,000 users. Many of its users were left frustrated by the speed of unfolding events, with some using its official Facebook page to ask for the re-opening of its servers to recover data while many more (not necessarily customers) express support for the decision.

Lavabit and Silent Circle's actions reveal the stark choice with which service providers are faced: silent compliance to secret government orders or oblivion. In a statement, the Electronic Frontier Foundation (EFF) urged service providers of all sizes the push back against overly broad US government surveillance and interception requests.

The EFF said in a blog post.

Lavabit’s ominous note and the lack of information about this case is especially concerning for users of large communication service providers like Facebook and Google that may well have been subject to similar pressure, and we hope they will continue to fight for the user in the face of government demands, even if not recognized for years.

We need more transparency so the public can know and understand what led to a ten-year-old business closing its doors and a new start-up abandoning a business opportunity. Hopefully Congress will get concerned, especially when there are American jobs at stake.

Meanwhile, sysadmin-in-hiding Snowden told The Guardian's Glenn Greenwald, his chief collaborator in the leak of details of the NSA's controversial and wide-ranging surveillance programmes, that he found Lavabit's stand "inspiring". He told Greenwald:

Ladar Levison and his team suspended the operations of their 10 year old business rather than violate the Constitutional rights of their roughly 400,000 users. The President, Congress, and the Courts have forgotten that the costs of bad policy are always borne by ordinary citizens, and it is our job to remind them that there are limits to what we will pay.

America cannot succeed as a country where individuals like Mr Levison have to relocate their businesses abroad to be successful. Employees and leaders at Google, Facebook, Microsoft, Yahoo, Apple, and the rest of our internet titans must ask themselves why they aren't fighting for our interests the same way small businesses are. The defence they have offered to this point is that they were compelled by laws they do not agree with, but one day of downtime for the coalition of their services could achieve what a hundred Lavabits could not.

When Congress returns to session in September, let us take note of whether the internet industry's statements and lobbyists - which were invisible in the lead-up to the Conyers-Amash vote - emerge on the side of the Free Internet or the NSA and its Intelligence Committees in Congress.

Put it in the cloud... but make your own backups

Antivirus industry expert Paul Ducklin said the suspension of services by Lavabit had broader lessons for uses of cloud services.

"Lots of people seem to think that cloud services remove the need for you to keep your own backups, on the principle that 'you don't buy a dog and bark yourself'," Ducklin said in a post on Sophos's Naked Security blog. "But even if your cloud provider has impeccable credentials in respect of integrity and confidentiality, the availability of your data may be threatened by circumstances outside the control of either of you."

Privacy-conscious users have been left short of choices for secure email alternatives with the suspension of services from Lavabit and Silent Mail.

Hushmail, which offers web-based email service offering PGP-encrypted email and file storage, is based in Canada, but users with long memories will recall that Hush Communications was obliged to turn over clear text copies of email messages associated with several addresses back in 2007. This was the result of a court order under a Mutual Legal Assistance Treaty between Canada and the US, as a part of a drug trafficking investigation.

Hushmail's marketing claims at the time stated that not even its own staff could access encrypted email, but in reality, its server-side encryption option did create a means to recover plain-text versions of scrambled communication. Hushmail updated its terms of service soon after the incident became public knowledge in November 2007 to clarify that encrypted emails sent through the service can still be turned over to law enforcement officials, providing said officials obtain a court order in Canada.

PGP creator Phil Zimmermann, who helped to found the service, defended Hushmail's compliance with court orders at the time, arguing that users who pick web-based products for their ease of use can't expect absolute security.

Long-term collaborator Callas, who first worked with Zimmerman at PGP Corporation, expanded on the reasons for Silent Mail's decision to drop its secure email service, less than four months after its launch in April.

Silent Mail has thus always been something of a quandary for us. Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has. There are far too many leaks of information and metadata intrinsically in the email protocols themselves. Email as we know it with SMTP, POP3, and IMAP cannot be secure.

And yet, many people wanted it. Silent Mail has similar security guarantees to other secure email systems, and with full disclosure, we thought it would be valuable.

Despite these inherent drawbacks, Snowden is rumoured to have used the Hushmail service at least at recently as March 2013, at least according to this investigation of his online footprint.

Several firms produce Firefox extensions that allow users to encrypt Gmail or other webmail, listed in an informative article by Computerworld here. These services might be a good option for some people – however we can't say for sure that they're bulletproof.

So what SHOULD we use?

The best option available to individuals who are concerned about privacy is probably to secure their own email using PGP rather than relying on any web mail service, say the experts.

If you want to go even more secure than that, then secure instant messaging alternatives such as OTR (Off-the-Record Messaging, a secure IM protocol) or Silent Text might be a preferable option.

Infosec and opsec experts on Twitter are coming up with some alternatives but are nowhere near any kind of consensus, while many of them note that losing the usability of email would be a bitter pill to swallow.

Difficult-to-use systems are inherently less secure, not least because it's human nature to look for shortcuts. What's needed might be a secure version of Skype, according to some experts.

Those that still believe in secure email were offered a champion in the larger-than-life shape of Kim Dotcom, who promised to launch a service next year.

"‪#Mega‬'s open encrypted email service outside of ‪#NSA‬ reach will change the way people use email forever. You'll see. Coming 2014," he said in an update on Twitter, before adding, "‪#Mega‬ encrypted services will put an end to mass surveillance. Where politicians fail us & laws won't protect us, innovation will save us."

"‪#Mega‬ plans to move privacy operations away from New Zealand to Iceland if the new ‪#GCSB‬ & ‪#TICS‬ spy laws are becoming reality," he added. ®