Snowden's email provider, Lavabit, shutters citing legal pressure

Lavabit specialized in providing a highly secure, encrypted email service

By , IDG News Service |  Security, Edward Snowden

Edward Snowden masks

People wearing masks with pictures of former NSA contractor Edward Snowden, August 6, 2013.

Image credit: REUTERS/Ueslei Marcelino

An email provider reportedly used by former NSA contractor Edward Snowden shut down on Thursday, citing an ongoing court battle that it could not discuss.

Lavabit, which launched in 2004, specialized in providing a high-security email service that employed advanced encryption. It was designed to thwart the kind of surveillance techniques that Snowden revealed in June were used by the U.S. government.

Snowden used a Lavabit email address to invite people to a press conference at Sheremetyevo Airport in Moscow on July 12, according to a report from the international wire service Global Post.

Lavabit founder Ladar Levison wrote that he couldn't describe the legal machinations under way. "As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests," he wrote in a front-page notice on his website.

Levison wrote that Lavabit has "started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company."

Kurt Opsahl, senior staff attorney with the Electronic Frontier Foundation, said in an interview that there are many statutes that could be used by the government to prevent Lavabit from describing its legal situation.

"What we need here is more transparency to have a real debate around government surveillance powers," Opsahl said. "It would be great to have Lavabit to be able to participate in a national discussion we are having right now on surveillance powers."

Snowden, who remains in Russia after being granted asylum for one year, is wanted by the U.S. for passing documents to media outlets such as the Guardian and Washington Post that described anti-terrorism surveillance projects conducted by the U.S. National Security Agency (NSA).

The documents revealed arrangements with major companies such as Microsoft, Google and Verizon to turn over email and Internet-related data under the Foreign Intelligence Surveillance Act (FISA).

Lavabit's website is largely offline, but Google's cache still has a copy of its description of how its service worked. Lavabit used three encryption schemes to scramble email based around Elliptical Curve Cryptography (ECC).

E-mail is encrypted before it is sent to the company's servers. The result of the encryption process means that a message is, in theory, cryptographically impossible to read without a password, Lavabit wrote.

"We say cryptographically impossible because, in theory, an attacker with unlimited computing resources could use brute force to decipher the original message," according to the description.

It appears from the description that Lavabit only retains a Secure Hash Algorithm (SHA) representation of a person's password. The hash, even if it was obtained by investigators with a court order, would likely not be of use to investigators seeking to decrypt Snowden's email.

Lavabit warned that the encryption's strength also relies heavily on a secure password selected by a user. Attackers could also intercept a message in transit if SSL (Secure Sockets Layer) encryption is not used for the communication between a user and Lavabit's servers. Unencrypted messages could also be potentially pulled from a user's hard drive.

"Our goal was to make invading a user's privacy difficult, by protecting messages at their most vulnerable point," Lavabit wrote. "That doesn't mean a dedicated attacker, like the United States government, couldn't intercept the message in transit or once it reaches your computer."

Levison could not immediately be reached for comment. In closing, he wrote: "This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Don't miss...

The best places to work in IT
The best places to work in IT

20 historic tech sounds you may have forgotten

25 crazy and scary things the TSA has found on travelers

  Sign me up for ITworld's FREE daily newsletter!
Email: 
 

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Ask a Question
randomness