August 9, 2013
Revelations of the U.S. National Security Agency’s PRISM program continue to have worldwide ripple effects. Nearly two months after U.S. federal prosecutors charged NSA whistleblower Edward Snowden with espionage and theft of government property for blowing the lid off of the clandestine surveillance program, the company that secured Snowden’s electronic communications with journalists and international officials has shut down its encrypted e-mail services.
Texas-based Lavabit LLC announced August 8 that it was suspending operations due to unspecified legal pressures. The move prompted another company, Silent Circle, to likewise drop its own encrypted e-mail service on August 9 before becoming the target of similar legal scrutiny. Meanwhile, concerns over the NSA’s snooping have prompted the opposite reaction in Germany, where two of that country’s biggest Internet service providers—Deutsche Telekom AG and United Internet AG—say they will now encrypt customers’ emails by default.
In a note posted to Lavabit’s homepage, owner and operator Ladar Levison suggested that a long, secretive turn of events led to his decision to scuttle the service. “As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests,” the site says. He also notes that a “favorable decision” by the Fourth Circuit Court of Appeals would allow him to “resurrect Lavabit as an American company.”
Levison launched Lavabit in 2004 under the name Nerdshack. By 2009 the site boasted 140,000 registered users with more than 260,000 email addresses. Most of those accounts belonged to individual users, although the company did provide corporate e-mail services to about 70 companies.
Lavabit developed its secure e-mail platform around asymmetric encryption. This means that incoming e-mail messages were encrypted before being saved on the company’s servers and could be decrypted only by someone with a password for that e-mail account.
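The storage model described above can be shown in a few functions. This is an added example, not Lavabit's code: the article does not name the algorithms, so RSA-2048 with OAEP, scrypt, AES-256-GCM and all function names here are assumptions.

```javascript
// Added illustration; algorithms and names are assumptions, not Lavabit's actual code.
const crypto = require('node:crypto');

// Account creation: generate a key pair and keep the private key only in
// password-wrapped form (scrypt-derived key, AES-256-GCM).
function createAccount(password) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const kek = crypto.scryptSync(password, salt, 32);
  const c = crypto.createCipheriv('aes-256-gcm', kek, iv);
  const wrapped = Buffer.concat([c.update(privateKey, 'utf8'), c.final()]);
  return { publicKey, salt, iv, wrapped, tag: c.getAuthTag() };
}

// Delivery: encrypt an incoming message before it is saved. Only the public
// key is needed, so mail can arrive while the user is logged out.
function storeIncoming(account, plaintext) {
  const key = crypto.randomBytes(32); // per-message AES key
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  const wrappedKey = crypto.publicEncrypt(account.publicKey, key); // OAEP by default
  return { wrappedKey, iv, body, tag: c.getAuthTag() };
}

// Reading: the password unwraps the private key, which unwraps the message key.
// A wrong password fails GCM authentication and throws.
function readMessage(account, stored, password) {
  const kek = crypto.scryptSync(password, account.salt, 32);
  const d = crypto.createDecipheriv('aes-256-gcm', kek, account.iv);
  d.setAuthTag(account.tag);
  const privateKey = Buffer.concat([d.update(account.wrapped), d.final()]).toString('utf8');
  const key = crypto.privateDecrypt(privateKey, stored.wrappedKey);
  const m = crypto.createDecipheriv('aes-256-gcm', key, stored.iv);
  m.setAuthTag(stored.tag);
  return Buffer.concat([m.update(stored.body), m.final()]).toString('utf8');
}
```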
Most e-mail programs support encryption via the Secure Sockets Layer (SSL) protocol, developed in the mid-1990s as a cryptographic tool to encode communications over TCP/IP networks. SSL uses a cryptographic system with two keys—a public key to encrypt the data and a private key, known only to a message’s recipient, to decipher it. SSL encrypts messages sent from the user’s machine to their ISP. As messages move through the core of the Internet, however, they are usually unencrypted. “Unless somebody is doing something intentionally to put encryption on the messages, the messages are decrypted at each hop along the way and are visible there,” cryptographer Paul Kocher, president and chief scientist of Cryptography Research, recently told Scientific American.
Silent Circle posted a note to its homepage Friday implying the company has shut down its secure Silent Mail service—which encrypts messages sent between Silent Circle customers—before being forced to comply with any government subpoenas, warrants, security letters or other legal demands for customer information. Phil Zimmermann, creator of the Pretty Good Privacy (PGP) program to encrypt and decrypt e-mail messages, co-founded the Washington, D.C., company, which claims to have its network located in Canada.
Silent Circle points out in the same note that its “end-to-end” cryptography meant that it had “nil” exposure to customer data. Yet the company’s FAQ states that, if the company is managing a client’s encryption keys (the other option would be for customers to manage their own keys), then Silent Circle can hand over client messages to law enforcement when legally compelled to do so. Silent Circle will continue to offer secure voice and text services because it has control over the infrastructure supporting them and can guarantee that messages were not intercepted or tampered with en route, the BBC reported Friday.
Zimmermann’s company apparently anticipated run-ins with the law. A Web page recounting Silent Circle’s history states: “We believe in honest transparency, and protecting individual and business privacy. We will post the requests we get from Government, Law Enforcement and worldwide legal entities for users data.” It goes on to declare: “We know that we’ll have a target painted on us from day one.”
The NSA crafted PRISM as a means for collecting data on people suspected of plotting terrorist attacks, spying or other forms of malfeasance. The government claims that information gathered via PRISM has disrupted dozens of potential terrorist attacks. Yet the program’s legacy is having other, likely unintended consequences on electronic communication. Lavabit’s Levison notes that, unless changes are made to current U.S. surveillance policies, “I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.”