Death Before NSA Dishonor: Encrypted Services Stage Suicide Revolt
Popular sites Lavabit and Silent Circle would rather close down than betray customer privacy in face of government requests they deem 'unconstitutional'
The encrypted email service provider Silent Circle has followed its competitor Lavabit, which on Thursday announced it would shutter its services rather than be compelled by the US government to hand over the private data and emails of its customers, one of whom is believed to be NSA whistleblower Edward Snowden.
"This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States." –Lavabit founder Ladar Levison
Supporters of internet freedom and privacy protections were shocked at the news, but also expressed gratitude for what they see as a service provider choosing the protection of its own customers over the threat of lost profits or requests by the government that they deemed inappropriate and unconstitutional.
As Reuters reports:
[Lavabit's founder said] he has decided to "suspend operations" but was barred from discussing the events over the past six weeks that led to his decision.
That matches the period since Snowden went public as the source of media reports detailing secret electronic spying operations by the U.S. National Security Agency.
"Given the impressive powers of the government to obtain emails and records from service providers, both with and without legal authority, it is encouraging to see service providers take steps to limit their ability to access user data," said the Electronic Frontier Foundation's Kurt Opsahl in a web posting.
On Thursday afternoon, Lavabit founder and director Ladar Levison released this statement explaining why the service would be shut down:
My Fellow Users,
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.
This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
Owner and Operator, Lavabit LLC
"It’s rare to see an email provider choose to go out of business rather than compromise its values," said Opsahl. "It must have been a hard decision for Ladar Levison, but he remained true to his promise to put privacy before profits. It was also hard on the users, some of whom lost access to email not available elsewhere."
As the Guardian's Spencer Ackerman reports, "[Edward] Snowden was allegedly a Lavabit customer. A Lavabit email address believed to come from Snowden invited reporters to a press conference at Moscow's Sheremetyevo Airport in mid-July."
And his Guardian colleague Glenn Greenwald writes:
What is particularly creepy about the Lavabit self-shutdown is that the company is gagged by law even from discussing the legal challenges it has mounted and the court proceeding it has engaged. In other words, the American owner of the company believes his Constitutional rights and those of his customers are being violated by the US Government, but he is not allowed to talk about it.
Levison's decision was quickly followed by competitor Silent Circle, which on Friday sent this note to its customers:
We designed our phone, video, and text services (Silent Phone and Silent Text) to be completely end-to-end secure with all cryptography done on the clients and our exposure to your data to be nil. The reasons are obvious — the less of your information we have, the better it is for you and for us.
Silent Mail has thus always been something of a quandary for us. Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has. There are far too many leaks of information and metadata intrinsically in the email protocols themselves. Email as we know it with SMTP, POP3, and IMAP cannot be secure.
And yet, many people wanted it. Silent Mail has similar security guarantees to other secure email systems, and with full disclosure, we thought it would be valuable.
However, we have reconsidered this position. We’ve been thinking about this for some time, whether it was a good idea at all. Today, another secure email provider, Lavabit, shut down their system lest they “be complicit in crimes against the American people.” We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.
We’ve been debating this for weeks, and had changes planned starting next Monday. We’d considered phasing the service out, continuing service for existing customers, and a variety of other things up until today. It is always better to be safe than sorry, and with your safety we decided that the worst decision is always no decision.
Silent Phone and Silent Text, along with their cousin Silent Eyes are end-to-end secure. We don’t have the encrypted data and we don’t collect metadata about your conversations. They’re continuing as they have been. We are still working on innovative ways to do truly secure communications. Silent Mail was a good idea at the time, and that time is past.
We apologize for any inconvenience, and hope you understand that if we dithered, it could be more inconvenient.
Tech blogger and expert David Meyer expressed a widely held response to the news by suggesting that the US government's surveillance program will have a chilling impact on the digital economy in the US, with customers concerned about privacy realizing that the demands for customer data by US agencies cannot be adequately resisted.
"The closures strongly suggest that secure hosted email services cannot be sited in the U.S. without being compelled to compromise users’ privacy if asked to do so by the authorities there," Meyer writes at Gigaom.
And John Constine at TechCrunch writes:
The move has bolstered critics who are becoming increasingly vocal about how the U.S. government’s surveillance efforts are jeopardizing American technology businesses. They fear international customers may take their cloud business elsewhere in an attempt to avoid the NSA. Jennifer Granick, the Director of Civil Liberties at the Stanford Center for Internet and Society, wrote that “the U.S. government, in its rush to spy on everybody, may end up killing our most productive industry. Lavabit may just be the canary in the coal mine.”
Now it seems that the negative impact won’t just be in the form of lost customers or businesses shut down upon receiving data demands. The destruction could reach as far as companies unwilling to even risk compromising their values. At this point, the nation’s best hope for reform of spying practices might be making a case that it hurts the economy.