Spooked off the Net: Owner of Lavabit email blames US surveillance for closure
“Our government can order us to do things that are morally and ethically wrong, order us to spy on other Americans and then order us — using the threat of imprisonment — to keep it all secret.”
Ladar Levison has more to say about Uncle Sam nowadays than what you can fit in your inbox. The 32-year-old owner and operator behind the email service Lavabit has spent practically a decade putting together a product so highly encrypted and secure that its customers included privacy-minded clientele like human rights workers and NSA leaker Edward Snowden. At least it did up until last week.
Levison never quite made a name for himself over Lavabit, or anything else in the realm of tech for that matter. All of that changed on Thursday, however, when he announced abruptly on Lavabit.com that he had shut down the site without notice, sending around 410,000 customers scrambling to create new accounts elsewhere.
“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit,” he wrote on the website.
And just like that, Levison turned the lights off and walked away
from the homegrown business that has been his brainchild since he
drafted up an idea for a super-encrypted email provider in the
wake of the post-9/11 PATRIOT Act. Nine years ago, Levison
launched Lavabit to help keep the government from encroaching on
the communications of concerned Americans. Almost a decade down
the road, though, Uncle Sam has stepped down on Levison’s throat
so hard that now he can’t speak at all.
“Let’s be clear,” Levison told RT’s Andrew Blake in a phone interview this week. “I would love to tell you everything that’s happened to me over the last six weeks. I’m just legally prevented from doing so.”
Levison may have likely violated that rule already, and said he’s gotten into hot water with his lawyer over last week’s public statement. The very predicament he has found himself in is so peculiar, though, that watching his words with that regard is likely the least of his worries.
Although he can’t comment on it — not to confirm, deny or admit anything — Levison is likely involved in what could be the biggest privacy case of a generation. Nowhere has he officially said that he’s entwined in any sort of litigation, but on his Lavabit statement last week he wrote, “We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals.” That sentence, he said, was likely more than he was supposed to admit.
“Contrary to popular belief, I am not trying to go to
jail,” he told RT. “I’m trying to make a difference, but
I’m not trying to do it from behind bars.”
* * * * * * * * * * * * * * * * * *
Levison can’t admit he’s received a gag-order preventing him from discussing why he voluntarily shut down his site, because doing so what admit such a gag-order — and the legal justification behind it — even exists.
What is known, however, is that Levison and anyone with a secure email account is in the midst of what has been called the New Crypto Wars. The Federal Bureau of Investigation and other agencies have insisted that encrypted communications are increasingly keeping them from solving crimes and catching terrorists, and the recent disclosures attributed by Edward Snowden made it clear that Uncle Sam isn’t unopposed to learning more about Americans. In fact, one recently leaked NSA document attributed to Snowden revealed that the federal government has given itself the power to legally intercept and indefinitely hold onto emails solely because they are encrypted. In recent weeks privacy advocates have increasingly made calls for email users to start using encryption to evade surveillance, meanwhile a just unearthed legal brief filed by Google gives the indication that anything ever sent to or from a Gmail account isn’t private.
Those same Snowden disclosures helped spark a domestic, then worldwide debate about online privacy, and Levison said his site saw a huge surge in traffic after a leaked email tied the former NSA contractor to a Lavabit account. After a mysterious six weeks he can only allude to, however, Levison pulled the plug last Thursday and is now insisting everyone reconsider where they go for email.
Levison won’t admit that the government can decrypt even highly secure emails. He doesn’t rule out the possibility that the National Security Agency has developed the technology necessary to do such, though, and has made repeated pleas for American email users to take their accounts of the US.
“I think the amount of information that they’re collecting on people that they have no right to collect information on is the most alarming thing,” he told RT. “I mean, the Fourth Amendment is supposed to guarantee that our government will only conduct surveillance on people in which it has a probable suspicion or evidence that they are committing some crime, and that that evidence has been reviewed by a judge and signed off by a judge before that surveillance begins. And if there’s anything alarming, it’s that now that’s all being done after the fact. Everything’s being recorded, and then a judge can after the fact say it’s okay to go look at the information.”
“What people want is to know that the government isn't snooping on their email,” Levison told RT.
* * * * * * * * * * * * * * * * * *
Within eight hours of Lavabit’s shut-down, competing encryption
providers Silent Circle announced it was closing its email service effective
almost immediately. In Silent Circle’s case, its administrators
say it didn’t receive a subpoena or a National Security Letter
and its often-attached gag-orders. “We saw the writing in the
wall,” they announced Thursday night on their own website.
We made the business decision to end our Silent Mail Service - See our Blog post by CTO Jon Callas for more details http://t.co/8Ed8rRA6rX
— Silent Circle (@Silent_Circle) August 9, 2013
“We made a deliberate decision. It was a difficult one, but with the threats that are out there towards email, the process itself is just inherently not as secure as our standards require,” Silent Circle COO Vic Hyder told RT earlier this week.
Lavabit “are the ones who got the knock on the door,”
Hyder said, but Silent Circle decided to cease operations
“before that knock came to us.”
“We decided to do it before that knock came to us. Before we
received a letter and were forced to either be complicit in what
we say is an invasion of privacy or shut-down. So we did it
preemptively.”
National Security Letters like what Levison is rumored to have
received compel third-party companies such as banks, telephone
companies and Internet Service Providers to give the government
the private data of its customers while mandating that they never
one speak of the matter to the very parties involved. The PATRIOT
Act expanded the ability for the FBI to hand these letters out,
and just in recent time has only a few high-level recipients have
even revealed vague statistics about NSLs. Last year the FBI
issued 15,229 NSLs, and Google admitted they received anywhere
from zero to 999 of them.
“You’ll notice that we’re reporting numerical ranges rather than exact numbers,” Google legal director Richard Salgado wrote in a blog post when the info came out in April. “This is to address concerns raised by the FBI, Justice Department and other agencies that releasing exact numbers might reveal information about investigations.”
Earlier this year the US District Court of Northern California said the FBI must stop issuing NSLs, but that’s not the only way personal emails can wind up on a server in Washington and not a warehouse owned by Google or, say, Lavabit. The Foreign Intelligence Surveillance Court can also sign off on letters compelling third-parties to hand over information, and like NSLs there is little oversight in how those decisions are made. Snowden’s disclosures have helped rekindle a conversation about that judiciary panel that has previously been more of a fringe debate held only by civil libertarians. Even as information about these policies go mainstream, though, Levison said they’re still largely secretive.
“No protections in our current body of law to keep the government from compelling us to provide the information necessary to decrypt,” Levison told CNET shortly before speaking to RT. When asked by Andrew Blake if he’d like to elaborate, he suggested any further comment could be crossing the line of what he legally can and can’t say.
“I don't think Obama’s administration has admitted the whole and complete truth about its surveilling methods to the American public or Congress,” Levison told RT, “and i think any sort of oversight by a kangaroo court is exactly that: a rubber stamp.”
* * * * * * * * * * * * * * * * * *
In the wake of Lavabit’s shut-down and the shuttering of Silent
Circle, other encryption services have already suggested they’d
call it quits too if the government gives them no other ethical
option. The Riseup.net email service issued a statement saying,
“We would rather pull the plug than submit to repressive
surveillance by our government, or any government,” and
encrypted chat client Cryptocat said, “If we receive a
surveillance or backdoor order that we are unable to legally
fight, we will shut down Cryptocat rather than implement it.”
If we receive a surveillance or backdoor order that we are unable to legally fight, we will shut down Cryptocat rather than implement it.
— Cryptocat (@cryptocatapp) August 9, 2013
Now as options begin to dry up and the New Crypto Wars intensify, Levison said there aren’t many routes to take. In fact, with regards to protecting against email interference, he said the best solution would be that everyone “use an email provider that isn't in the US and knows what they’re doing.”
“I no longer feel like I’m in an ethically compromising position, but yet at the same time, you know, my biggest fear in shutting down the service would be that no good would come of it,” he said. “I’ve effectively walked away from my livelihood here. I’ve given up my business; I walked away from ten years of hard labor and nothing to show for it. It’s unfortunate, but like I said many times, I felt like that was the lesser of two evils.”
For now, Levison is gearing up for what could be a long legal fight, but technically can’t say what it exactly involves or even if it exists. Meanwhile, others are already looking to find a way to fill the void of encrypted email providers when companies are being pressured to comply with the US government’s requests or keep from expanding.
Smári McCarthy is part of the team behind Mailpile, an in-progress web-mail client that says it providers “user-friendly encryption and privacy features” while still keeping other perks like an API-based search interface and the ability to tag emails under a specific taxonomy, similar to what Google offers with Gmail. Unlike other services, though, Mailpile doesn’t run on any centralized server and instead operates off of whatever device its user operates it from.
“Hosting any data with any US-registered company means subjecting that data to the whims of the US government,” McCarthy told RT. “More generally, hosting data in any country means subjecting it to the legal framework of that country. The US is clearly the greatest offender in terms of surveillance at the moment, but by no means the only offender. Hosting data outside the US is a good idea. Picking small democratic countries with modern legal environments, functional courts and low corruption levels helps. If they have a good human rights record, all the better. All of that is good, but it's not going to be enough, as most email passes through large countries that don't respect fundamental rights at one point or another.”
McCarthy said Mailpile isn't aiming to be just “another Hotmail or Gmail,” and says the Lavabit experience shows that “secure hosting,” even one with ultra-encryption, is never quite secure. With other options few and far between, though, for many people that’s seemingly the way to go.
Silent Circle is now working on a new project too, and Hyder told RT it’s because no email is truly safe in the way it’s processed right now. Right now, he said, the metadata — or basic header information included in emails — is never encrypted. And although that data is limited in scope, in nonetheless can give any peering eye a rather precise perspective into who they’re trying to surveill.
“The peripheral information that’s coming across in the subject line and the IP addresses, the date, the geolocation — those kinds of things. But if you put all of that together, it really tells a story. So that is the piece that encrypted mail doesn’t cover. It encrypts the message but not that peripheral data. So we wanted to extricate ourselves from that conversation. Allow ourselves to honestly tell our members of Silent Circle that we don't hold our data. We’re not able to give anything because we don't have it.”
“The perception of encryption has completely changed in the last 15 years,” added Hyder. In the early 90s, he said, “the perception was that if you have encryption and you weren’t a nation state, that you were hiding something; that you were some sort of criminal. These days, with all the information that you have on your phone, on your devices, on your computer, if you’re not protecting yourself you’re being maybe a little bit ignorant about the threats. And if you are, you’re seeing maybe a more responsible user.”
To the government, though, that user relying on encryption is now considered fair game for surveillance, and companies like Lavabit, Silent Circle and Mailpile want to provide a way for anyone wanting to stay private to do just that. According to Levison, though, it’s about much more than just one court case, and he is urging people around the globe to ensure they don’t lose the latest round of battles in the newest incarnation of the Crypto Wars.
“I’m going to keep fighting and doing everything that i can to try and get some positive to come from this. And by positive, i mean perhaps a judicial victory; perhaps a legislative victory. But the ultimate goal is to win the war, and ensure that once again Americans have a right to privacy when it comes to their online communications,” he said.
Within hours of announcing Lavabit’s shut-down, a defense fund set-up by Levison raised over $40,000. By the next day, he told RT, that number had climbed to $100,000. He has since hopped on a plane to Washington, DC to meet with his attorney in an effort to begin fighting in a battle that could very well pave the way for the future of communication.