Secure Email Providers Close In Response to US Surveillance

Edward Snowden’s recent revelations about US government surveillance have prompted a lot of speculation about the wider impact on the US communications industry. In short, some theorized that customers might avoid doing business with communication providers that will hand data to the US government. Now it appears that Lavabit, an American provider of secure email services, has chosen to close down rather than allow snooping on its customers. Another American comms provider, Silent Circle, has followed suit by terminating its secure email service, in the belief that its security could be compromised by the government.

Ladar Levison, owner of Lavabit, explained, as far as he could, why he has closed Lavabit.

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot.

He went on to suggest that the problem did not lie with the business or its technology. Instead, the weakness results from being subject to American law.

We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.

And Levison was brutally frank in his advice to customers who want to protect their privacy.

…without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Levison’s full statement can be read at Lavabit’s home page.

Soon after, Silent Circle decided to shut down their email service. The service, called Silent Mail, is based on the widely used PGP encryption protocol. However, Silent Circle will continue to provide their other secure end-to-end communication services. Silent Circle’s CTO and co-founder, Jon Callas, is an expert on PGP encryption, and this is how he explained the decision on Silent Circle’s corporate blog:

Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has. There are far too many leaks of information and metadata intrinsically in the email protocols themselves. Email as we know it with SMTP, POP3, and IMAP cannot be secure.

He went on to explain that the company’s decision is proactive, choosing to shut down the service before the US government exercises its legal powers in order to gain access to customer communications:

…another secure email provider, Lavabit, shut down their system lest they “be complicit in crimes against the American people.” We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.

However, Callas emphasized that Silent Circle’s other communication services do not share the same surveillance vulnerabilities as email:

Silent Phone and Silent Text, along with their cousin Silent Eyes are end-to-end secure. We don’t have the encrypted data and we don’t collect metadata about your conversations.

Whilst these may not be the largest communications firms in the USA, this is a demonstration that government spying will have an adverse impact on some businesses. There are customers who will not let their privacy be compromised.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Director of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.