Type of site | Webmail |
---|---|
Owner | Lavabit LLC |
Created by | Ladar Levison |
URL | lavabit |
Commercial | Yes |
Registration | Required |
Launched | 2004 |
Current status | Online |
Content license | Open-source (mail server) |
Lavabit is an open-source encrypted webmail service, founded in 2004. The service suspended its operations on August 8, 2013, after the U.S. Federal Government ordered it to turn over its Secure Sockets Layer (SSL) private keys, in order to allow the government to spy on Edward Snowden's email. [1] [2] [3] [4]
Lavabit's owner and operator, Ladar Levison, announced on January 20, 2017, that Lavabit would start operating again, using the new Dark Internet Mail Environment (DIME), which is an end-to-end email encryption platform designed to be more surveillance-resistant. However, as of June 2017, while the DIME transition was being completed, service was only being offered to past customers and those who took advantage of the early signup offer. [5] [6] [7] [8] As of October 2017, new customers were again being offered the opportunity to purchase service. [9]
Lavabit was founded by Texas-based programmers who formed Nerdshack LLC (renamed Lavabit LLC the next year), citing privacy concerns about Gmail, Google's free, widely used email service, and their use of the content of users' email to generate advertisements and marketing data. [10] Lavabit offered significant privacy protection for their users' email, including asymmetric encryption. The strength of the cryptographic methods used was of a level that is presumed impossible even for intelligence agencies to crack. In August 2013, Lavabit had about 410,000 users and offered free and paid accounts with levels of storage ranging from 128 megabytes to 8 gigabytes. [11] [12] In January 2011, [13] Lavabit had launched a shared web hosting service. [14]
Before the Snowden incident, Lavabit had complied with previous search warrants. For example, in June 2013 a search warrant was executed against a Lavabit account for suspected possession of child pornography. [15]
Lavabit received media attention in July 2013 when it was revealed that Edward Snowden was using the Lavabit email address Ed_Snowden@lavabit.com to invite human rights lawyers and activists to a press conference during his confinement at Sheremetyevo International Airport in Moscow. [16] The day after Snowden revealed his identity, the United States federal government served a court order, dated June 10, 2013, and issued under 18 USC 2703(d), a 1994 amendment of the Stored Communications Act, asking for metadata on a customer who was unnamed. Kevin Poulsen of Wired wrote that "the timing and circumstances suggest" that Snowden was this customer. [17] In July 2013 the federal government obtained a search warrant demanding that Lavabit give away the private SSL keys to its service, affecting all Lavabit users. [18] A 2016 redaction error confirmed that Edward Snowden was the target. [2]
On August 8, 2013, Lavabit suspended its operations, and the email service log-in page was replaced by a message from the owner and operator Ladar Levison. [1] The New Yorker suggested that the suspension might be related to the US National Security Agency (NSA)'s "domestic-surveillance practices". [19] Wired speculated that Levison was fighting a warrant or national security letter seeking customer information under extraordinary circumstances, as Lavabit had complied with at least one routine search warrant in the past. [16] [20] Levison stated in an interview that he responded to "at least two dozen subpoenas" over the lifetime of the service. [21] He hinted that the objectionable request was for "information about all the users" of Lavabit. [22]
Levison explained he was under a gag order and that he was legally unable to explain to the public why he ended the service. [21] Instead, he asked for donations to "fight for the Constitution" in the United States Court of Appeals for the Fourth Circuit. Levison also stated he has even been barred from sharing some information with his lawyer. [21] Meanwhile, the Electronic Frontier Foundation called on the Federal Bureau of Investigation (FBI) to provide greater transparency to the public, in part to help observers "understand what led to a ten-year-old business closing its doors and a new start-up abandoning a business opportunity". [23]
Levison said that he could be arrested for closing the site instead of releasing the information, and it was reported that the federal prosecutor's office had sent Levison's lawyer an email to that effect. [22] [24]
Lavabit is believed to be the first technology firm that has chosen to suspend or shut down its operation rather than comply with an order from the United States government to reveal information or grant access to information. [3] Silent Circle, an encrypted email, mobile video and voice service provider, followed the example of Lavabit by discontinuing its encrypted email services. [25] Citing the impossibility of being able to maintain the confidentiality of its customers' emails should it be served with government orders, Silent Circle permanently erased the encryption keys that allowed access to emails stored or transmitted by its service. [26]
In September 2013 Levison appealed the order that resulted in the closing of his website. [27]
Levison and his lawyer made two requests to Judge Claude M. Hilton to unseal the records, both of which were denied. They also launched an appeals case regarding legality of the original warrant. The appeals court then requested the records be unsealed, and Judge Hilton granted the request. On October 2, 2013, the Federal District Court in Alexandria, Virginia unsealed records in this case, but only censored the name and detail of the target of the search order. Wired suggested the target was likely Snowden. [4] The court records show that the FBI sought Lavabit's Transport Layer Security (TLS/SSL) private key. Levison objected, saying that the key would allow the government to access communications by all 400,000 customers of Lavabit. He also offered to add code to his servers that would provide the information required just for the target of the order. The court rejected this offer because it would require the government to trust Levison and stated that just because the government could access all customers' communication did not mean they would be legally permitted to do so. Lavabit was ordered to provide the SSL key in machine readable format by noon, August 5 or face a fine of $5000 per day. [28] Levison closed down Lavabit 3 days later.
On October 14, 2013, Levison announced he would allow Lavabit users to change their passwords until October 18, 2013, after which they could download an archive of their emails and personal data. [29] [30]
The court documents stated that on July 13 Levison sent an open letter to the assistant US attorney, offering to give email metadata (without email content, usernames or passwords) to the FBI if it paid him $2,000 "to cover the cost of the development time and equipment necessary to implement my solution" and $1,500 to give data "intermittently during the collection period". [31]
Afterwards, Levison wrote that after being contacted by the FBI, he was subpoenaed to appear in federal court, and was forced to appear without legal representation because it was served on such short notice; in addition, as a third party, he had no right to representation, and was not allowed to ask anyone who was not an attorney to help find him one. He also wrote that in addition to being denied a hearing about the warrant to obtain Lavabit's user information, he was held in contempt of court. The appellate court denied his appeal due to no objection, however, he wrote that because there had been no hearing, no objection could have been raised. His contempt of court charge was also upheld on the ground that it was not disputed; similarly, he was unable to dispute the charge because there had been no hearing to do it in. He also wrote that "the government argued that, since the 'inspection' of the data was to be carried out by a machine, it was exempt from the normal search-and-seizure protections of the Fourth Amendment." [32]
One year after the suspension of Lavabit, its founder Ladar Levison announced a specification for the Dark Internet Mail Environment (DIME) at DEF CON 22. It is under development by the Dark Mail Alliance. [33]
In April 2014, after a contempt of court conviction for providing the key as a printout was upheld by an appeals court, he described the initiative to Ars Technica as "a technological solution which would take the decision away from the will of man." [34]
The contempt of court was caused by Levison providing the keys printed in a tiny (4 point) font, which was deemed "largely illegible" by an FBI motion, which went on to complain that "To make use of these keys, the FBI would have to manually input all 2560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data." [35]
In November 2015, Levison said that work on DIME was still progressing, although slower than he would like. [36] As of July 2016, posts to the Dark Mail Alliance forum suggest that all collaborators have left the project and Ladar has been working on DIME alone. [37] [ original research? ]
On January 20, 2017, Lavabit owner Ladar Levison relaunched the service. Per the wording of the announcement, this date was apparently timed to coincide with the inauguration of Donald Trump (though he was not mentioned by name). The service has been revamped to use the Dark Internet Mail Environment protocols and software that Ladar had been working on for the past few years. This DIME platform, and the associated Magma open source email server, are designed to use end-to-end email encryption in such a way that when operating with the highest security settings, subpoenas cannot force service providers to give governments access to customer email (or be forced to shut down in order to avoid this). When using the maximum security settings, even an attacker breaking into DIME servers would have no feasible way to access customer emails, leaving client-side attacks as likely the only potential points of vulnerability.
Cryptome is an online library and 501(c)(3) private foundation created in 1996 by John Young and Deborah Natsios closed in 2023 and reopened soon afterward. The site collected information about freedom of expression, privacy, cryptography, dual-use technologies, national security, intelligence, and government secrecy.
Hushmail is an encrypted proprietary web-based email service offering PGP-encrypted e-mail and vanity domain service. Hushmail uses OpenPGP standards. If public encryption keys are available to both recipient and sender, Hushmail can convey authenticated, encrypted messages in both directions. For recipients for whom no public key is available, Hushmail will allow a message to be encrypted by a password and stored for pickup by the recipient, or the message can be sent in cleartext. In July 2016, the company launched an iOS app that offers end-to-end encryption and full integration with the webmail settings. The company is located in Vancouver, British Columbia, Canada.
Email privacy is a broad topic dealing with issues of unauthorized access to, and inspection of, electronic mail, or unauthorized tracking when a user reads an email. This unauthorized access can happen while an email is in transit, as well as when it is stored on email servers or on a user's computer, or when the user reads the message. In countries with a constitutional guarantee of the secrecy of correspondence, whether email can be equated with letters—therefore having legal protection from all forms of eavesdropping—is disputed because of the very nature of email.
The following tables compare general and technical information for a number of notable webmail providers who offer a web interface in English.
Opportunistic TLS refers to extensions in plain text communication protocols, which offer a way to upgrade a plain text connection to an encrypted connection instead of using a separate port for encrypted communication. Several protocols use a command named "STARTTLS" for this purpose. It is a form of opportunistic encryption and is primarily intended as a countermeasure to passive monitoring.
The Stored Communications Act is a law that addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party Internet service providers (ISPs). It was enacted as Title II of the Electronic Communications Privacy Act of 1986 (ECPA).
Fastmail is an email hosting company based in Melbourne, Australia. In addition to its Fastmail-branded services, the company also operates Topicbox, a mailing list service, and Pobox, an email service it acquired in 2015.
Tor Mail was a Tor hidden service that went offline in August 2013 after an FBI raid on Freedom Hosting. The service allowed users to send and receive email anonymously to email addresses inside and outside the Tor network.
PRISM is a code name for a program under which the United States National Security Agency (NSA) collects internet communications from various U.S. internet companies. The program is also known by the SIGAD US-984XN. PRISM collects stored internet communications based on demands made to internet companies such as Google LLC and Apple under Section 702 of the FISA Amendments Act of 2008 to turn over any data that match court-approved search terms. Among other things, the NSA can use these PRISM requests to target communications that were encrypted when they traveled across the internet backbone, to focus on stored data that telecommunication filtering systems discarded earlier, and to get data that is easier to handle.
The practice of mass surveillance in the United States dates back to wartime monitoring and censorship of international communications from, to, or which passed through the United States. After the First and Second World Wars, mass surveillance continued throughout the Cold War period, via programs such as the Black Chamber and Project SHAMROCK. The formation and growth of federal law-enforcement and intelligence agencies such as the FBI, CIA, and NSA institutionalized surveillance used to also silence political dissent, as evidenced by COINTELPRO projects which targeted various organizations and individuals. During the Civil Rights Movement era, many individuals put under surveillance orders were first labelled as integrationists, then deemed subversive, and sometimes suspected to be supportive of the communist model of the United States' rival at the time, the Soviet Union. Other targeted individuals and groups included Native American activists, African American and Chicano liberation movement activists, and anti-war protesters.
Kolab Now is a web-based email and groupware service, based completely on free and open-source software. It is owned and operated by Kolab Systems AG and was formerly known as MyKolab.
The global surveillance disclosure released to media by Edward Snowden has caused tension in the bilateral relations of the United States with several of its allies and economic partners as well as in its relationship with the European Union. In August 2013, U.S. President Barack Obama announced the creation of "a review group on intelligence and communications technologies" that would brief and later report to him. In December, the task force issued 46 recommendations that, if adopted, would subject the National Security Agency (NSA) to additional scrutiny by the courts, Congress, and the president, and would strip the NSA of the authority to infiltrate American computer systems using "backdoors" in hardware or software. Geoffrey R. Stone, a White House panel member, said there was no evidence that the bulk collection of phone data had stopped any terror attacks.
The Dark Mail Alliance is an organization dedicated to creating an email protocol and architecture with end-to-end encryption.
The Data Intercept Technology Unit is a unit of the Federal Bureau of Investigation (FBI) of the United States, which is responsible for intercepting telephone calls and e-mail messages of terrorists and foreign intelligence targets inside the US. It is not known when DITU was established, but the unit already existed in 1997.
Guerrilla Mail is a free disposable email address service launched in 2006. Visitors are automatically assigned a random email address upon visiting the site.
Attempts, unofficially dubbed the "Crypto Wars", have been made by the United States (US) and allied governments to limit the public's and foreign nations' access to cryptography strong enough to thwart decryption by national intelligence agencies, especially the National Security Agency (NSA).
Riseup is a volunteer-run social movement organization providing secure email, email lists, a VPN service, online chat, and other online services to support activists engaged in various social justice causes and opposition to capitalism. This organization was launched by activists in Seattle with borrowed equipment and a few users in 1999 or 2000, and quickly grew to millions of accounts.
Marcia Clare Hofmann is an American attorney and US-UK Fulbright Scholar. Hofmann is known for her work as an advocate of electronic privacy and free expression, including defending individuals charged with high-profile computer crimes, such as Marcus Hutchins and Weev.
Mailfence is secure encrypted email service that offers OpenPGP based end-to-end encryption and digital signatures. It was launched in November 2013 by Belgium-based company ContactOffice Group that has been operating an online collaboration suite since 1999.
In 2013, Edward Snowden, a former NSA contractor, leaked NSA documents that revealed the agency was collecting data from the electronic communications of United States citizens and foreign telecommunications agencies. Other disclosures included information about PRISM, the agency's data collection program, a surveillance metadata collection, and XKeyscore, which supplies federated search capabilities for all NSA databases. Since that time, there have been perceptible increases in the general public's knowledge about the U.S. government's cybersecurity initiatives and awareness of how those initiatives have impacted the privacy of individuals, businesses, and foreign governments.
But a source familiar with the matter told NBC News that James Trump, a senior litigation counsel in the U.S. attorney's office in Alexandria, Va., sent an email to Levison's lawyer last Thursday — the day Lavabit was shuttered — stating that Levison may have 'violated the court order,' a statement that was interpreted as a possible threat to charge Levison with contempt of court.