Snowden's privacy-oriented email provider shuts down under U.S.

government pressure | ZDNet

9/16/13 4:09 PM

Snowden's privacy-oriented email provider shuts down under U.S. government pressure
An American company that specialized in private e-mail announced today that it is shutting down, effective immediately. Normally, that wouldnt be a big dealafter all, small tech companies fail all the time. But this companys different. Lavabit, which had been in operation since 2004, was outed last month as Edward Snowdens email provider. And today the companys owner and operator, Ladar Levison, announced that he was walking away from nearly ten years of hard work rather than become complicit in crimes against the American people. Visitors to Lavabits website, including paying customers, now see this message:

What happened? The details are cryptic, but here are a few essential facts.

http://www.zdnet.com/snowdens-privacy-oriented-email-provider-shuts-down-under-u-s-government-pressure-7000019185/

Page 1 of 4

Snowden's privacy-oriented email provider shuts down under U.S. government pressure | ZDNet

9/16/13 4:09 PM

On Friday, July 12, Edward Snowden, who had used his position as a trusted contractor at the NSA to steal thousands of classified documents, held a press conference at Moscows Sheremetyevo Airport to complain about an unlawful campaign against him by the United States government. In a liveblog of the event, the Boston-based GlobalPost.com reported this crucial detail: Sergei Nikitin, the head of Amnesty Internationals Moscow office, and Vladimir Lukin, the Kremlin-appointed human rights ombudsman, are among those who confirmed to Russian news agencies that they would accept the invitation to Moscows Sheremetyevo Airport, reportedly sent Thursday from an email address supposedly belonging to Snowden. The note, which could not be verified, requested the attendance of a slew of well-known rights workers and lawyers for a brief statement and discussion regarding the next steps forward in my situation, according to a copy of the invitation posted Lokshina. It was sent from the email address edsnowden@lavabit.com, according to Lokshinas post, and signed Edward Joseph Snowden. [emphasis added] Before and after Edward Snowden engineered the NSA document heist, he had been in touch via e-mail with several journalists scattered around the world. As part of the communication process, Snowden insisted on encrypting his correspondence using PGP software. He also used Lavabit, which offered Security Through Asymmetric Encryption as a key part of its service. In a white paper explaining its technology, Lavabit said Lavabit has developed a system so secure that it prevents everyone, including us, from reading the e-mail of the people that use it. (The whitepaper is no longer available online, but a copy is still available in the Internet Archive.) According to that whitepaper, heres what happened to messages stored at Lavabit: [I]ncoming e-mail messages are encrypted before theyre saved onto our servers. Once a message has been encrypted, only someone who has the achttp://www.zdnet.com/snowdens-privacy-oriented-email-provider-shuts-down-under-u-s-government-pressure-7000019185/ Page 2 of 4

Snowden's privacy-oriented email provider shuts down under U.S. government pressure | ZDNet

9/16/13 4:09 PM

count password can decrypt the message. Like all safety measures, encryption is only effective if its used. To ensure privacy, Lavabit has developed a complex system that makes the entire encryption and decryption process transparent to the end user. [] We should note that this encryption process is only secure if you select a strong password. If your password is weak, an attacker would only need to brute force the password to crack our encryption. We should also note that this feature only protects messages on the Lavabit servers. Messages can always be intercepted before they reach Lavabit or between Lavabits servers and your personal computer, if SSL is not used. Finally, messages can be retrieved from your local hard drive if encryption software isnt used on your computer to protect the files. These vulnerabilities are intentional. Our goal was to make invading a users privacy difficult, by protecting messages at their most vulnerable point. That doesnt mean a dedicated attacker, like the United States government, couldnt intercept the message in transit or once it reaches your computer. And this section is inadvertently prescient: Our hope is the difficulty associated with those strategies means they will only be used by governments on terrorists and scammers, not on honest citizens. If youre intent on hiding your communications from the government, we recommend you investigate systems that secure messages throughout the entire e-mail system and not just at one particular point along that journey. Levisons note says, I wish that I could legally share with you the events that led to my decision. I cannot. That suggests he and his company were served with a warrant whose terms included a gag order prohibiting any disclosure of the orders contents. That warrant could have been a National Security Letter, but it could just as easily have been a court order requiring the company to cooperate with an interception of Snowdens correspondence as well as those of other Lavabit subscribers who might have been allegedly conspiring with Snowden. The outrage over overly broad surveillance of U.S. citizens by the NSA doesnt seem
http://www.zdnet.com/snowdens-privacy-oriented-email-provider-shuts-down-under-u-s-government-pressure-7000019185/ Page 3 of 4

Snowden's privacy-oriented email provider shuts down under U.S. government pressure | ZDNet

9/16/13 4:09 PM

to apply here. Snowden freely admitted that he had broken the law in an act of civil disobedience. He has been indicted on three counts of espionage, theft, and conversion of government property. The criminal complaint was filed not in the secret Foreign Intelligence Surveillance Court but in the United States District Court in Virginia. In a post on Google+, CNETs Declan McCullagh speculated that Lavabit had been served with a court order to intercept passwords and possibly encryption keys, that they had fought the order for six weeks and lost, and had shut down the service rather than comply. Thats certainly a reasonable scenario, but those who know the details arent talking. In a closing note, Levison offered a warning about anyone doing business with U.S. tech companies: This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States. So far, no other U.S. companies have reported similar orders. Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications.

http://www.zdnet.com/snowdens-privacy-oriented-email-provider-shuts-down-under-u-s-government-pressure-7000019185/

Page 4 of 4