The highly encrypted email service reportedly used by NSA leaker Edward Snowden has gone offline – and its administrator claims the company is legally barred from explaining why.
On Thursday, the homepage of Lavabit.com was changed to a letter from the company’s owner announcing that the site’s operations have ceased following a six-week-long ordeal that has prompted the company to take legal action in the Fourth Circuit Court of Appeals.
Now, amid an escalating federal government effort to crack down on encrypted communications, one of the last free and secure services has thrown in the towel under mysterious circumstances.
“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations,” owner and operator Ladar Levison of Dallas, Texas wrote in the statement. “I wish that I could legally share with you the events that led to my decision. I cannot.”
“I feel you deserve to know what’s going on – the First Amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise,” wrote Levison. “As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.”
Levison’s statement comes two months after Snowden – a former analyst at intelligence contractor Booz Allen Hamilton – revealed himself to be the source of leaked NSA documents disclosing vast surveillance programs operated by the United States government. A month later, the Global Post published an article in which a Lavabit.com email address thought to be registered to Snowden was revealed.
The Global Post wrote on July 12 that the Sheremetyevo Airport press conference hosted by Snowden later that day was announced to human rights groups under the email address “firstname.lastname@example.org” and signed by “Edward Joseph Snowden.” Washington Post foreign affairs blogger Max Fisher and Guardian journalist Glenn Greenwald have both since reported that Lavabit is indeed Snowden’s email provider.
During a Q&A session hosted by The Guardian last month, Snowden wrote, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.”
Although Lavabit’s website is now almost entirely inaccessible, a cached version hosted by Google provides background on why and how the service provided highly secure encryption to its users.
“In an era where Microsoft and Yahoo’s e-mail services sell access past their spam filters, Google profiles users’ inboxes for targeted advertising, and AT&T allows the government to tap phone calls without a court warrant; we decided to take a stand,” one page reads. “Lavabit has developed a system so secure that it prevents everyone, including us, from reading the e-mail of the people that use it.”
By combining three different encryption schemes with elliptic curve cryptography, Lavabit offered a service purposely designed to protect against government surveillance.
“The result is that once a message is stored on our servers in this fashion, it can’t be recovered without knowing a user’s password. This provides a priceless level of security, particularly for customers that use e-mail to exchange sensitive information,” the company wrote.
“The key element of the PATRIOT Act is that it allows the FBI to issue National Security Letters (NSLs). NSLs are used to force an Internet Service Provider, like Lavabit, to surrender all private information related to a particular user. The problem is that NSLs come without the oversight of a court and can be issued in secret. Issuing an NSL in secret effectively denies the accused an opportunity to defend himself in court. Fortunately, the courts ruled NSLs unconstitutional in 2005; but not before illustrating the need for a technological guarantee of privacy,” the cached page reads.
“Lavabit believes that a civil society depends on the open, free and private flow of ideas. The type of monitoring promoted by the PATRIOT Act restricts that flow of ideas because it intimidates those afraid of retaliation. To counteract this chilling effect, Lavabit developed its secure e-mail platform. We feel e-mail has evolved into a critical channel for the communication of ideas in a healthy democracy. It’s precisely because of e-mail’s importance that we strive so hard to protect private e-mails from eavesdropping.”
Lavabit noted that brute-force attacks could theoretically allow a third party to see password-protected emails but said that such attacks shouldn’t be practical anytime soon.
“In practice, the key lengths Lavabit has chosen equal enough possible inputs that a brute-force attack shouldn’t be feasible for a long time to come.”
According to Snowden’s Q&A with The Guardian last month, “endpoint security is so terrifically weak that NSA can frequently find ways around it.”
Now, as Levison and his team prepare for a fight in appeals court, he suggests that very few are safe from having even secure emails stolen by the US government.
“This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States,” Snowden said in the statement.
On a since-removed page from Lavabit.com, the company wrote, “Like insurance, we hope our secure e-mail platform is something you’ll never need. However, should the issue ever arise, like insurance, you’ll be glad you have it.”
Earlier this year, Federal Bureau of Investigation general counsel Andrew Weissmann said the US Justice Department wants to be able to decrypt all messages sent over the internet in real time by the end of 2014.
“The problem with not having [that ability in America] is that we’re making the ability to intercept communications with a court order increasingly obsolete,” Weissmann said. “Those communications are being used for criminal conversations, by definition…and so this huge legal apparatus that many of you know about to prevent crimes, to prevent terrorist attacks is becoming increasingly hampered and increasingly marginalized the more we have technology that is not covered” under current law.
According to a cached page of the company’s history, Lavabit was launched in 2004 and most recently handled service for upwards of 60,000 individuals at a rate of around 200,000 emails a day.
“How many Lavabit users have just been impacted by the hand of attempted government oppression in secret?” security researcher Jacob Appelbaum tweeted on Thursday. “The path chosen by Lavabit is an honorable choice. It is also horrible that they must now ruin their company to try to keep their integrity.”