Lavabit, Silent Circle: "The Public-Private Surveillance Partnership"

Email service used by Snowden shuts itself down, warns against using US-based companies

What is particularly creepy about the Lavabit self-shutdown is that the company is gagged by law even from discussing the legal challenges it has mounted and the court proceeding it has engaged. In other words, the American owner of the company believes his Constitutional rights and those of his customers are being violated by the US Government, but he is not allowed to talk about it. Just as is true for people who receive National Security Letters under the Patriot Act, Lavabit has been told that they would face serious criminal sanctions if they publicly discuss what is being done to their company. Thus we get hostage-message-sounding missives like this:

I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what's going on - the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

Does that sound like a message coming from a citizen of a healthy and free country? Secret courts issuing secret rulings invariably in favor of the US government that those most affected are barred by law from discussing? Is there anyone incapable at this point of seeing what the United States has become? Here's the very sound advice issued by Lavabit's founder:

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

As security expert Bruce Schneier wrote in a great Bloomberg column last week, this is one of the key aspects of the NSA disclosures: the vast public-private surveillance partnership. That's what makes Lavabit's stance so heroic: as our reporting has demonstrated, most US-based tech and telecom companies (though not all) meekly submit to the US government's dictates and cooperate extensively and enthusiastically with the NSA to ensure access to your communications. [...]

This morning, Silent Circle, a US-based secure online communication service, followed suit by shutting its own encrypted email service. Although it said it had not yet been served with any court order, the company, in a statement by its founder, internet security guru Phil Zimmermann, said: "We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail now."


12 Responses:

  1. James says:

    I was recently told that end-to-end client-side PFS encryption with elliptic curve GPG is better than certificate escrow for CALEA. Where do I donate to ask my cloud providers to offer peer-to-peer apps with fully client side encryption, decryption, and alternate band key exchange?

    I want a peer-to-peer suite of office applications which works like client-server versions, but with STUN/TURN and advanced merge capabilities.

    • antabakayt says:

      For a start, try a non-US cloud provider. Even Chinese seem to be a better bet these days.

      • James says:

        My cloud provider for China is in Singapore. If I was setting up a press organization instead of trying to integrate pronunciation assessment systems, I would be looking at Iceland, Switzerland, or a distributed Freenet-style conglomeration of clouds in a bunch of countries that don't like each other.

  2. MattyJ says:

    I didn't realize how bad it was until Phil Zimmermann gave up. Shit.

    • James says:

      Except Silent Email isn't anything like end-to-end PGP or GPG. It's just webmail with SSL that sends unencrypted SMTP from Silent Circle HQ when the receiving end doesn't support encryption.

  3. Klaus says:

    Came to your website yesterday, googling the Lavabit shutdown. Found my feelings expressed.

    I got 5 cents (or, possibly, 1) to add in the security field: Many websites offer https (e.g. Google, Wikipedia). No link uses it. I found the Firefox extension "HTTPS finder", which switches you to https wherever possible. I like it. I know how little it helps. But: why isn't it the default option in every browser since the beginning of time? Common interests of governments and businesses again, I think.

    I worked with LISP in the '80s and programmed things in the '90s.

    Returned to your website today, this time to the home page. Got a heart throb. Is his server so mangled, that it can only express itself by a memory dump? Really.

    Perhaps you could even offer https.

    Kind regards.

    • Jens Kilian says:

      Perhaps you could even offer https.

      Why? So that in addition to the jerks from the city government he's always ranting about, he also gets visits from the MIB demanding to hand over his private keys?

    • gryazi says:

      I too demand magic security pixie dust. It is an outrage that anyone working for the government or a business might be able to view this comment.

      • Klaus says:

        Irony, was it? - Two people are arguing on Jamie's behalf now. In fact, I would be even more interested in the original opinion.

        Regards Klaus

        • James says:

          Anyone reading this blog who can't figure out how to use a proxy-based anonymization solution is probably not going to be arrested for reading it. Are you suggesting otherwise?

  4. not-jms says:

    Privacy on the Internet? In the words of Ambassador Kosh: the avalanche has already started; it is too late for the pebbles to vote.

  5. B R says:

    And with all this coming on the heels of TorMail's ISP (Freedom Hosting) being compromised and shut down and its owner arrested over very convenient charges of possessing and distributing child porn.