Lavabit

Type of site: Webmail
Owner: Lavabit LLC
Created by: Ladar Levison
URL: lavabit.com
Commercial: Yes
Registration: Required
Launched: 2004
Current status: Online
Content license: Open-source (mail server)

Lavabit is an open-source encrypted webmail service, founded in 2004. The service suspended its operations on August 8, 2013 after the U.S. Federal Government ordered it to turn over its Secure Sockets Layer (SSL) private keys, in order to allow the government to spy on Edward Snowden's email. [1] [2] [3] [4]

Lavabit's owner and operator, Ladar Levison, announced on January 20, 2017 that Lavabit would start operating again, using the new Dark Internet Mail Environment (DIME), which is an end-to-end email encryption platform designed to be more surveillance-resistant. However, as of June 2017, while the DIME transition was being completed, service was only being offered to past customers and those who took advantage of the early signup offer. [5] [6] [7] [8] As of October 2017, the ability for new customers to purchase service was again being offered. [9]

History

Lavabit was founded by Texas-based programmers who formed Nerdshack LLC, renamed Lavabit LLC the following year. The founders cited privacy concerns about Gmail, Google's free and widely used email service, and its use of the content of users' email to generate advertisements and marketing data. [10] Lavabit offered significant privacy protection for its users' email, including asymmetric encryption, and the cryptography used was of a strength presumed to be beyond the ability of even intelligence agencies to break. In August 2013, Lavabit had about 410,000 users and offered free and paid accounts with storage ranging from 128 megabytes to 8 gigabytes. [11] [12] In January 2011, Lavabit launched a shared web hosting service. [13] [14]

Before the Snowden incident, Lavabit had complied with previous search warrants. For example, in June 2013 a search warrant was executed against a Lavabit account for suspected possession of child pornography. [15]

Connection to Edward Snowden

Court documents (PDF)

Lavabit received media attention in July 2013 when it was revealed that Edward Snowden was using the Lavabit email address Ed_Snowden@lavabit.com to invite human rights lawyers and activists to a press conference during his confinement at Sheremetyevo International Airport in Moscow. [16] The day after Snowden revealed his identity, the United States federal government served a court order, dated June 10, 2013, and issued under 18 USC 2703(d), a 1994 amendment to the Stored Communications Act, seeking metadata on an unnamed customer. Kevin Poulsen of Wired wrote that "the timing and circumstances suggest" that Snowden was this customer. [17] In July 2013 the federal government obtained a search warrant demanding that Lavabit hand over the private SSL keys to its service, which would have affected all Lavabit users. [18] A 2016 redaction error confirmed that Edward Snowden was the target. [2]

Suspension and gag order

On August 8, 2013, Lavabit suspended its operations, and the email service log-in page was replaced by a message from the owner and operator Ladar Levison. [1] The New Yorker suggested that the suspension might be related to the US National Security Agency (NSA)'s "domestic-surveillance practices". [19] Wired speculated that Levison was fighting a warrant or national security letter seeking customer information under extraordinary circumstances, as Lavabit had complied with at least one routine search warrant in the past. [16] [20] Levison stated in an interview that he has responded to "at least two dozen subpoenas" over the lifetime of the service. [21] He hinted that the objectionable request was for "information about all the users" of Lavabit. [22]

Levison explained that he was under a gag order and was legally unable to explain to the public why he had ended the service. [21] Instead, he asked for donations to "fight for the Constitution" in the United States Court of Appeals for the Fourth Circuit. Levison also stated that he had even been barred from sharing some information with his lawyer. [21] Meanwhile, the Electronic Frontier Foundation called on the Federal Bureau of Investigation (FBI) to provide greater transparency to the public, in part to help observers "understand what led to a ten-year-old business closing its doors and a new start-up abandoning a business opportunity". [23]

Levison said that he could be arrested for closing the site instead of releasing the information, and it was reported that the federal prosecutor's office had sent Levison's lawyer an email to that effect. [22] [24]

Lavabit is believed to be the first technology firm to have chosen to suspend or shut down its operations rather than comply with an order from the United States government to reveal information or grant access to it. [3] Silent Circle, an encrypted email, mobile video and voice service provider, followed Lavabit's example by discontinuing its encrypted email services. [25] Citing the impossibility of maintaining the confidentiality of its customers' emails should it be served with government orders, Silent Circle permanently erased the encryption keys that allowed access to emails stored or transmitted by its service. [26]

Levison in September 2013 at the Liberty Political Action Conference

In September 2013 Levison appealed the order that resulted in the closing of his website. [27]

Levison and his lawyer made two requests to Judge Claude M. Hilton to unseal the records, both of which were denied. They also launched an appeal regarding the legality of the original warrant. The appeals court then requested that the records be unsealed, and Judge Hilton granted the request. On October 2, 2013, the Federal District Court in Alexandria, Virginia unsealed the records in the case, redacting only the name and details of the target of the search order. Wired suggested the target was likely Snowden. [4] The court records show that the FBI sought Lavabit's Transport Layer Security (TLS/SSL) private key. Levison objected, saying that the key would allow the government to access the communications of all 400,000 Lavabit customers. He also offered to add code to his servers that would provide the required information only for the target of the order. The court rejected this offer because it would require the government to trust Levison, and stated that the government's ability to access all customers' communications did not mean it would be legally permitted to do so. Lavabit was ordered to provide the SSL key in machine-readable format by noon on August 5 or face a fine of $5,000 per day. [28] Levison closed down Lavabit three days later.
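Levison's objection that one key would expose all customers rests on how TLS key exchange was commonly configured at the time. The following is an added illustration, not Lavabit's code or anything from the court record, using constructed toy parameters: with RSA key transport a disclosed server private key unlocks every recorded session, while with an ephemeral Diffie-Hellman exchange the same key only authenticates the handshake and recovers nothing from the archive.

```python
"""Added illustration (not Lavabit's code) of the claim that one disclosed
server key could expose every customer's traffic.

In 2013 most TLS deployments used RSA key transport: the client encrypts the
session secret to the server's long-term public key, so anyone who recorded
the traffic and later obtains that one private key recovers every session.
With an ephemeral Diffie-Hellman exchange the long-term key only authenticates
the handshake; the session secret depends on per-connection exponents that are
discarded afterwards. Toy parameters, textbook (unpadded) RSA: illustration only.
"""
import hashlib
import secrets

# Toy server RSA key pair (constructed; far too small for real use).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Toy Diffie-Hellman group (constructed): 127-bit Mersenne prime, generator 3.
DH_P = 2**127 - 1
DH_G = 3


def session_key(secret: int) -> bytes:
    """Stand-in for the TLS key derivation: hash the negotiated secret."""
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def rsa_key_transport_handshake():
    """Client picks the secret and sends it encrypted under the server's key.
    Returns (ciphertext seen on the wire, session key both ends derive)."""
    pre_master = secrets.randbelow(N - 2) + 2
    return pow(pre_master, E, N), session_key(pre_master)


def rsa_recover_from_recording(ciphertext: int, d: int) -> bytes:
    """What a recorder can do for every archived session once d is disclosed."""
    return session_key(pow(ciphertext, d, N))


def ephemeral_dh_handshake():
    """Both sides pick fresh exponents; the long-term key would only sign server_pub.
    Returns (transcript seen on the wire, session key, client's ephemeral exponent).
    The exponent is returned only to show what the key depends on; a real client
    erases it once the handshake completes."""
    a = secrets.randbelow(DH_P - 2) + 2
    b = secrets.randbelow(DH_P - 2) + 2
    transcript = (pow(DH_G, a, DH_P), pow(DH_G, b, DH_P))
    shared = pow(transcript[1], a, DH_P)  # equals pow(transcript[0], b, DH_P)
    return transcript, session_key(shared), a


def dh_recover_from_recording(transcript, exponent: int) -> bytes:
    """Recomputing the DH key needs one of the per-session exponents; the
    server's long-term RSA key is not an input to this computation at all."""
    _client_pub, server_pub = transcript
    return session_key(pow(server_pub, exponent, DH_P))


def disclosure_impact(n_sessions: int = 25) -> dict:
    """Archive n sessions of each kind, then give the recorder D and nothing else.
    Returns how many archived session keys the recorder recovers per handshake type."""
    recovered = {"rsa_key_transport": 0, "ephemeral_dh": 0}
    for _ in range(n_sessions):
        ciphertext, real_key = rsa_key_transport_handshake()
        if rsa_recover_from_recording(ciphertext, D) == real_key:
            recovered["rsa_key_transport"] += 1
        transcript, real_key, _erased = ephemeral_dh_handshake()
        # The recorder's only secret is D, unrelated to the discarded exponents,
        # so feeding it in recovers nothing (chance of a match is about 2**-127).
        if dh_recover_from_recording(transcript, D) == real_key:
            recovered["ephemeral_dh"] += 1
    return recovered
```

Running `disclosure_impact()` shows every RSA key-transport session recovered and no ephemeral session recovered, which is the difference between a key disclosure that exposes a whole customer base and one that does not.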

On October 14, 2013, Levison announced he would allow Lavabit users to change their passwords until October 18, 2013, after which they could download an archive of their emails and personal data. [29] [30]

The court documents stated that on July 13 Levison sent an open letter to the assistant US attorney, offering to give email metadata (without email content, usernames or passwords) to the FBI if it paid him $2,000 "to cover the cost of the development time and equipment necessary to implement my solution" and $1,500 to give data "intermittently during the collection period". [31]

Afterwards, Levison wrote that after being contacted by the FBI, he was subpoenaed to appear in federal court and was forced to appear without legal representation because the subpoena was served on such short notice; in addition, as a third party, he had no right to representation and was not allowed to ask anyone who was not an attorney to help him find one. He also wrote that, in addition to being denied a hearing about the warrant to obtain Lavabit's user information, he was held in contempt of court. The appellate court denied his appeal on the ground that no objection had been raised; he wrote, however, that because there had been no hearing, no objection could have been raised. His contempt of court charge was likewise upheld on the ground that it was not disputed, and he was similarly unable to dispute it because there had been no hearing in which to do so. He also wrote that "the government argued that, since the 'inspection' of the data was to be carried out by a machine, it was exempt from the normal search-and-seizure protections of the Fourth Amendment." [32]

Legacy

One year after the suspension of Lavabit, its founder Ladar Levison announced a specification for the Dark Internet Mail Environment (DIME) at DEF CON 22. It is under development by the Dark Mail Alliance. [33]

In April 2014, after a contempt of court conviction for providing the key as a printout was upheld by an appeals court, he described the initiative to Ars Technica as "a technological solution which would take the decision away from the will of man." [34]

The contempt finding arose from Levison providing the keys printed in a tiny (4-point) font. An FBI motion deemed the printout "largely illegible" and complained that "To make use of these keys, the FBI would have to manually input all 2560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data." [35]

In November 2015, Levison said that work on DIME was still progressing, although more slowly than he would like. [36] As of July 2016, posts to the Dark Mail Alliance forum suggested that all other collaborators had left the project and Levison was working on DIME alone. [37]

Relaunch

On January 20, 2017, Lavabit owner Ladar Levison relaunched the service. Judging by the wording of the announcement, the date was apparently timed to coincide with the inauguration of Donald Trump, though he was not mentioned by name. The service was revamped to use the Dark Internet Mail Environment protocols and software that Levison had been working on for the preceding few years. The DIME platform and the associated Magma open-source email server are designed to use end-to-end email encryption so that, when operating at the highest security settings, subpoenas cannot force service providers to give governments access to customer email, and providers are not forced to shut down to avoid doing so. At the maximum security settings, even an attacker who broke into DIME servers would have no feasible way to access customer emails, leaving client-side attacks as the likely remaining point of vulnerability.

References

  1. "Lavabit". Lavabit. Archived from the original on August 9, 2013. Retrieved April 6, 2016.
  2. "A Government Error Just Revealed Snowden Was the Target in the Lavabit Case". Wired. March 17, 2016.
  3. Ackerman, Spencer (August 9, 2013). "Lavabit email service abruptly shut down citing government interference: Founder of service reportedly used by Edward Snowden said he would not be complicit in 'crimes against the American people'". The Guardian. Retrieved August 9, 2013.
  4. "Edward Snowden's E-Mail Provider Defied FBI Demands to Turn Over Crypto Keys, Documents Show". Wired.
  5. "Lavabit Reloaded". lavabit.com. January 20, 2017. Archived from the original on March 31, 2017. Retrieved April 23, 2017.
  6. "Explain Lavabit". lavabit.com. January 28, 2017. Archived from the original on June 23, 2017. Retrieved April 23, 2017.
  7. "Want Lavabit". lavabit.com. 2017. Archived from the original on April 25, 2017. Retrieved April 23, 2017.
  8. "Lavabit Haves". lavabit.com. January 28, 2017. Archived from the original on April 25, 2017. Retrieved April 23, 2017.
  9. "Lavabit: Select your plan". lavabit.com. Archived from the original on May 2, 2018. Retrieved March 17, 2019.
  10. "Lavabit High Scalability Writeup". Archived from the original on October 3, 2013. Retrieved August 9, 2013.
  11. "Lavabit chief predicts 'long fight' with feds". CNET. August 9, 2013. Retrieved August 13, 2013.
  12. Ingersoll, Geoffrey (July 12, 2013). "How Edward Snowden Sends His Ultra-Sensitive Emails". Business Insider. Archived from the original on August 8, 2013. Retrieved August 8, 2013.
  13. "Lavabit ..::.. Home". Archived from the original on April 23, 2011. Retrieved September 10, 2013.
  14. "Lavabit Hosting". Archived from the original on September 10, 2013. Retrieved September 10, 2013.
  15. "In the Matter of the Search of: Lavabit LLC Email Account for Joey006@lavabit.com". Docket Alarm, Inc. Retrieved August 10, 2013.
  16. Poulsen, Kevin (August 8, 2013). "Edward Snowden's Email Provider Shuts Down After Secret Court Battle". Wired. Archived from the original on August 8, 2013. Retrieved August 8, 2013.
  17. Poulsen, Kevin (September 27, 2013). "Feds Targeted Snowden's Email Provider the Day After NSA Whistleblower Went Public". Wired. Retrieved October 2, 2013.
  18. Poulsen, Kevin (October 2, 2013). "Edward Snowden's E-Mail Provider Defied FBI Demands to Turn Over Crypto Keys, Documents Show". Wired. Retrieved October 2, 2013.
  19. Davidson, Amy. "The N.S.A. and Its Targets: Lavabit Shuts Down". The New Yorker. Retrieved August 8, 2013.
  20. Jardin, Xeni (August 8, 2013). "Lavabit, email service Snowden reportedly used, abruptly shuts down". Boing Boing. Archived from the original on August 8, 2013. Retrieved August 8, 2013.
  21. Mullin, Joe (August 14, 2013). "Lavabit founder, under gag order, speaks out about shutdown decision". Ars Technica. Retrieved August 16, 2013.
  22. Isikoff, Michael (August 15, 2013). "Lavabit.com owner: 'I could be arrested' for resisting surveillance order". NBC News Investigations. Retrieved September 15, 2013. "But a source familiar with the matter told NBC News that James Trump, a senior litigation counsel in the U.S. attorney's office in Alexandria, Va., sent an email to Levison's lawyer last Thursday — the day Lavabit was shuttered — stating that Levison may have 'violated the court order,' a statement that was interpreted as a possible threat to charge Levison with contempt of court."
  23. Samson, Ted (August 9, 2013). "Lavabit shutdown marks another costly blemish for U.S. tech companies". InfoWorld. Retrieved August 16, 2013.
  24. Perlroth, Nicole; Shane, Scott (October 2, 2013). "As F.B.I. Pursued Snowden, an E-Mail Service Stood Firm". The New York Times. Retrieved October 2, 2013.
  25. Ribeiro, John. "After Lavabit, Silent Circle also shuts down its encrypted email service". PC World. Retrieved August 9, 2013.
  26. Sengupta, Somini (August 8, 2013). "2 E-Mail Services Close and Destroy Data Rather Than Reveal Files" (Bits blog). The New York Times. Retrieved August 10, 2013.
  27. Poulsen, Kevin (September 11, 2013). "Lavabit's Owner Appeals Secret Surveillance Order That Led Him to Shutter Site". Wired. Retrieved October 2, 2013.
  28. "Lavabit Details Unsealed: Refused To Hand Over Private SSL Key Despite Court Order & Daily Fines". Techdirt. October 2, 2013.
  29. "Lavabit to Briefly Reinstate Services for Data Recovery". PR Newswire. October 14, 2013. Retrieved October 14, 2013.
  30. "Lavabit ..::.. Liberty". Archived from the original on October 15, 2013. Retrieved October 14, 2013.
  31. Hern, Alex (October 9, 2013). "Lavabit founder offered to log users' metadata if FBI paid him $3,500". The Guardian. Retrieved February 5, 2014.
  32. Levison, Ladar (May 20, 2014). "Secrets, lies and Snowden's email: why I was forced to shut down Lavabit". The Guardian.
  33. "DEF CON 22 - Ladar Levison and Stephen Watt - Dark Mail". YouTube.
  34. Silver, Joe (April 16, 2014). "Lavabit held in contempt of court for printing crypto key in tiny font [Updated]: US attorney: Lavabit 'treated court orders like contract negotiations.'". Ars Technica.
  35. Cox, Joseph (March 17, 2016). "Here Are The Teeny-Tiny Printed Out Crypto Keys of Snowden's Email Service". Vice.
  36. Whittaker, Zack (November 2, 2015). "'Dark mail' debut will open door for Lavabit's return, says Ladar Levison". ZDNet.
  37. "darkmail.info forums". January 22, 2016. Archived from the original on January 20, 2017.