Secure email service Lavabit has decided it would rather go out of business after nearly 10 years than cooperate with US government demands to spy on its customers.
In a statement posted on Lavabit’s home page and Facebook, owner Ladar Levison wrote:
After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
Lavabit gained national attention when it was revealed last month that former NSA contractor Ed Snowden used it to communicate with journalists.
And although Levison was legally forbidden to reveal why he decided to shut down, he left enough clues to make it obvious: Lavabit was most likely the recipient of a National Security Letter, which under the Patriot Act prevents the recipient from notifying anyone, including their mother, that they received one.
(In 2010, the law was modified to allow someone to share that knowledge with their attorney. In 2013 a federal judge declared NSLs unconstitutional, but stayed her ruling to allow the government to appeal.)
Just a few days ago, Lavabit was boasting of “a system so secure that even our administrators can’t read your e-mail.” For just $8 a year, you could get a secure inbox with 64MB of storage and email that employed three different types of encryption to ensure that only the holder of the account’s private key would be able to unlock the messages.
Lavabit’s Security page (archived here) goes on at some length about how this technology was designed to specifically thwart requests made by the government under the Patriot Act. It’s unclear if Levison wrote this before he got served by the spooks or after.
Lavabit believes that a civil society depends on the open, free and private flow of ideas. The type of monitoring promoted by the PATRIOT Act restricts that flow of ideas because it intimidates those afraid of retaliation. To counteract this chilling effect, Lavabit developed its secure e-mail platform. We feel e-mail has evolved into a critical channel for the communication of ideas in a healthy democracy. It’s precisely because of e-mail’s importance that we strive so hard to protect private e-mails from eavesdropping.
He goes on later to write:
The product of this encryption process is a message that is cryptographically impossible to read without the password. We say cryptographically impossible because, in theory, an attacker with unlimited computing resources could use brute force to decipher the original message. However in practice, the key lengths Lavabit has chosen equal enough possible inputs that a brute-force attack shouldn’t be feasible for a long time to come….
Our hope is the difficulty associated with those strategies means they will only be used by governments on terrorists and scammers, not on honest citizens.