Lavabit | |
Commercial: | Yes |
Type: | Webmail |
Registration: | Required |
Content License: | Open-source (mail server) |
Owner: | Lavabit LLC |
Author: | Ladar Levison |
Launch Date: | 2004 |
Current Status: | Online |
Lavabit is an open-source encrypted webmail service, founded in 2004. The service suspended its operations on August 8, 2013, after the U.S. Federal Government ordered it to turn over its Secure Sockets Layer (SSL) private keys, in order to allow the government to spy on Edward Snowden's email.[1] [2] [3]
Lavabit's owner and operator, Ladar Levison, announced on January 20, 2017, that Lavabit would start operating again, using the new Dark Internet Mail Environment (DIME), which is an end-to-end email encryption platform designed to be more surveillance-resistant. However, as of June 2017, while the DIME transition was being completed, service was only being offered to past customers and those who took advantage of the early signup offer.[4] [5] [6] [7] As of October 2017, new customers were again being offered the opportunity to purchase service.[8]
Lavabit was founded by Texas-based programmers who formed Nerdshack LLC (renamed Lavabit LLC the next year), citing privacy concerns about Gmail, Google's free, widely used email service, and their use of the content of users' email to generate advertisements and marketing data.[9] Lavabit offered significant privacy protection for their users' email, including asymmetric encryption. The strength of the cryptographic methods used was of a level that is presumed impossible even for intelligence agencies to crack. In August 2013, Lavabit had about 410,000 users and offered free and paid accounts with levels of storage ranging from 128 megabytes to 8 gigabytes.[10] [11] In January 2011,[12] Lavabit had launched a shared web hosting service.[13]
Before the Snowden incident, Lavabit had complied with previous search warrants. For example, in June 2013 a search warrant was executed against a Lavabit account for suspected possession of child pornography.[14]
Lavabit received media attention in July 2013 when it was revealed that Edward Snowden was using the Lavabit email address Ed_Snowden@lavabit.com to invite human rights lawyers and activists to a press conference during his confinement at Sheremetyevo International Airport in Moscow. The day after Snowden revealed his identity, the United States federal government served a court order, dated June 10, 2013, and issued under 18 USC 2703(d), a 1994 amendment of the Stored Communications Act, asking for metadata on a customer who was unnamed. Kevin Poulsen of Wired wrote that "the timing and circumstances suggest" that Snowden was this customer.[15] In July 2013 the federal government obtained a search warrant demanding that Lavabit give away the private SSL keys to its service, affecting all Lavabit users.[16] A 2016 redaction error confirmed that Edward Snowden was the target.
On August 8, 2013, Lavabit suspended its operations, and the email service log-in page was replaced by a message from the owner and operator Ladar Levison. The New Yorker suggested that the suspension might be related to the US National Security Agency (NSA)'s "domestic-surveillance practices".[17] Wired speculated that Levison was fighting a warrant or national security letter seeking customer information under extraordinary circumstances, as Lavabit had complied with at least one routine search warrant in the past.[18] [19] Levison stated in an interview that he responded to "at least two dozen subpoenas" over the lifetime of the service. He hinted that the objectionable request was for "information about all the users" of Lavabit.
Levison explained he was under a gag order and that he was legally unable to explain to the public why he ended the service.[20] Instead, he asked for donations to "fight for the Constitution" in the United States Court of Appeals for the Fourth Circuit. Levison also stated he has even been barred from sharing some information with his lawyer. Meanwhile, the Electronic Frontier Foundation called on the Federal Bureau of Investigation (FBI) to provide greater transparency to the public, in part to help observers "understand what led to a ten-year-old business closing its doors and a new start-up abandoning a business opportunity".[21]
Levison said that he could be arrested for closing the site instead of releasing the information, and it was reported that the federal prosecutor's office had sent Levison's lawyer an email to that effect.[22] [23]
Lavabit is believed to be the first technology firm that has chosen to suspend or shut down its operation rather than comply with an order from the United States government to reveal information or grant access to information.[24] Silent Circle, an encrypted email, mobile video and voice service provider, followed the example of Lavabit by discontinuing its encrypted email services.[25] Citing the impossibility of being able to maintain the confidentiality of its customers' emails should it be served with government orders, Silent Circle permanently erased the encryption keys that allowed access to emails stored or transmitted by its service.[26]
In September 2013 Levison appealed the order that resulted in the closing of his website.[27]
Levison and his lawyer made two requests to Judge Claude M. Hilton to unseal the records, both of which were denied. They also launched an appeals case regarding legality of the original warrant. The appeals court then requested the records be unsealed, and Judge Hilton granted the request. On October 2, 2013, the Federal District Court in Alexandria, Virginia unsealed records in this case, but only censored the name and detail of the target of the search order. Wired suggested the target was likely Snowden. The court records show that the FBI sought Lavabit's Transport Layer Security (TLS/SSL) private key. Levison objected, saying that the key would allow the government to access communications by all 400,000 customers of Lavabit. He also offered to add code to his servers that would provide the information required just for the target of the order. The court rejected this offer because it would require the government to trust Levison and stated that just because the government could access all customers' communication did not mean they would be legally permitted to do so. Lavabit was ordered to provide the SSL key in machine readable format by noon, August 5 or face a fine of $5000 per day.[28] Levison closed down Lavabit 3 days later.
On October 14, 2013, Levison announced he would allow Lavabit users to change their passwords until October 18, 2013, after which they could download an archive of their emails and personal data.[29] [30]
The court documents stated that on July 13 Levison sent an open letter to the assistant US attorney, offering to give email metadata (without email content, usernames or passwords) to the FBI if it paid him $2,000 "to cover the cost of the development time and equipment necessary to implement my solution" and $1,500 to give data "intermittently during the collection period".[31]
Afterwards, Levison wrote that after being contacted by the FBI, he was subpoenaed to appear in federal court, and was forced to appear without legal representation because it was served on such short notice; in addition, as a third party, he had no right to representation, and was not allowed to ask anyone who was not an attorney to help find him one. He also wrote that in addition to being denied a hearing about the warrant to obtain Lavabit's user information, he was held in contempt of court. The appellate court denied his appeal due to no objection, however, he wrote that because there had been no hearing, no objection could have been raised. His contempt of court charge was also upheld on the ground that it was not disputed; similarly, he was unable to dispute the charge because there had been no hearing to do it in. He also wrote that "the government argued that, since the 'inspection' of the data was to be carried out by a machine, it was exempt from the normal search-and-seizure protections of the Fourth Amendment."[32]
One year after the suspension of Lavabit, its founder Ladar Levison announced a specification for the Dark Internet Mail Environment (DIME) at DEF CON 22. It is under development by the Dark Mail Alliance.[33]
In April 2014, after a contempt of court conviction for providing the key as a printout was upheld by an appeals court, he described the initiative to Ars Technica as "a technological solution which would take the decision away from the will of man."[34]
The contempt of court was caused by Levison providing the keys printed in a tiny (4 point) font, which was deemed "largely illegible" by an FBI motion, which went on to complain that "To make use of these keys, the FBI would have to manually input all 2560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data."[35]
In November 2015, Levison said that work on DIME was still progressing, although slower than he would like.[36] As of July 2016, posts to the Dark Mail Alliance forum suggest that all collaborators have left the project and Ladar has been working on DIME alone.[37]
On January 20, 2017, Lavabit owner Ladar Levison relaunched the service. Per the wording of the announcement, this date was apparently timed to coincide with the inauguration of Donald Trump (though he was not mentioned by name). The service has been revamped to use the Dark Internet Mail Environment protocols and software that Ladar had been working on for the past few years. This DIME platform, and the associated Magma open source email server, are designed to use end-to-end email encryption in such a way that when operating with the highest security settings, subpoenas cannot force service providers to give governments access to customer email (or be forced to shut down in order to avoid this). When using the maximum security settings, even an attacker breaking into DIME servers would have no feasible way to access customer emails, leaving client-side attacks as likely the only potential points of vulnerability.
US attorney: Lavabit "treated court orders like contract negotiations."]
. Joe Silver. Apr 16, 2014. Ars Technica.