One consequence of the recent NSA revelations is that they have piqued my interest in the whole issue of encryption and internet confidentiality and security, topics about which I had at best a very hazy idea. For example, I had never even heard of Lavabit, the encrypted email service provider that apparently has attracted over 400,000 users in its ten years in operation. After word got out that Edward Snowden used it, the number of new monthly subscribers surged to three times its normal value.
Ladar Levison, the head of Lavabit, said that he chose to shut down the company that he founded and nurtured from its infancy and that provided him with his income because he felt it would be wrong to comply with government demands that would force him to “become complicit in crimes against the American people”. In this news report, he explains that he was not entirely opposed to cooperating with the government.
Levison isn’t a privacy absolutist. He has cooperated in the past with government investigations. He says he’s received “two dozen” requests over the last ten years, and in cases where he had information, he would turn over what he had. Sometimes he had nothing; messages deleted from his service are deleted permanently.
“I’m not trying to protect people from law enforcement,” he said. “If information is unencrypted and law enforcement has a court order, I hand it over.”
In this case, it is the government’s method that bothers him. “The methods being used to conduct those investigations should not be secret,” he said.
So clearly the government was going well beyond what he considered reasonable and he hints at what it might be.
He says his customers’ encrypted data is secured with a public key and private key, and that the private key is protected by a password. He doesn’t have the technological capability to decrypt his customers’ data but if someone could intercept the communication between Lavabit’s Dallas-based servers and a user, they could get the user’s password and then use that to decrypt their data.
Levison says that he is taking a break from email, adding “If you knew what I know about email, you might not use it either.” What also bothers him is the gagging. “The fact that I can’t talk about this is as big a problem as what they asked me to do.” His lawyer echoes that sentiment.
Levison’s lawyer, Jesse Binnall, who is based in Northern Virginia — the court district where Levison needed representation — added that it’s “ridiculous” that Levison has to so carefully parse what he says about the government inquiry. “In America, we’re not supposed to have to worry about watching our words like this when we’re talking to the press,” Binnall said.
Meanwhile Phil Zimmermann, creator of the PGP encryption system, who also preemptively shut down his Silent Mail encrypted mail service, had a Q/A with Forbes magazine in which he explains in more detail the security deficiencies of encrypting email and what the government can do.
At the very least they would be able to see the plain text headers of the e-mails, [which] would say who the mail is from, who it’s to, the date it’s sent, time stamp, and subject line. If the message body is encrypted to a key that we hold on our server, they could ask for the key, or ask us to decrypt it, or ask for the key so they could decrypt it. That’s what we were afraid could happen.
We didn’t have a PGP client that could run on a smartphone, and our market is primarily smartphone users. So how [could] we get it? Get a server side implementation of PGP, a Symantec product called PGP Universal, meant for enterprise customers who want to manage keys on the servers. So that’s what we were using. But if someone comes to us and forces us to hand over the keys, [we’re in trouble.]
There is no way to do encrypted e-mail where the content is protected. No way where the metadata is protected. Assuming that the e-mail is based in the country that can apply pressure to the mail provider… Almost any government has the ability to pressure a mail provider in that country to hand over what it has.
It looks like we need the equivalent of a Cayman Islands for email service providers. Just as that country profits from the secrecy and security it grants wealthy people, on the surface it looks like a country that protected its internet service providers could make a killing as a haven for such companies.
But of course the reason that the Cayman Islands can get away with being a tax haven for wealthy people is that the US government is in the pockets of those same wealthy people and has little interest in shutting it down.
In the case of countries that provide internet security, you can be sure that the US government will apply all the pressure it has at its disposal, so only a very determined and independent country will be willing to do that.