Another US 'Secure' Service Shuts Down: CryptoSeal VPN Goes Dark To Protect Against US Surveillance

from the chilling-effects dept

The full details here aren't clear, but it looks like another "secure" service based in the US has felt the need to shut down over fears about US surveillance efforts compromising actual security. VPN provider CryptoSeal has announced that it's shuttered the service (via Hacker News):

CryptoSeal Privacy Consumer VPN service terminated with immediate effect

With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability.

Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product.

Specifically, the Lavabit case, with filings released by Kevin Poulsen of Wired.com (https://www.documentcloud.org/documents/801182-redacted-pleadings-exhibits-1-23.html) reveals a Government theory that if a pen register order is made on a provider, and the provider's systems do not readily facilitate full monitoring of pen register information and delivery to the Government in realtime, the Government can compel production of cryptographic keys via a warrant to support a government-provided pen trap device. Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner. The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion, and likely unconstitutional, but until this matter is settled, we are unable to proceed with our service.

We encourage anyone interested in this issue to support Ladar Levison and Lavabit in their ongoing legal battle. Donations can be made at https://rally.org/lavabit We believe Lavabit is an excellent test case for this issue.

We are actively investigating alternative technical ways to provide a consumer privacy VPN service in the future, in compliance with the law (even the Government's current interpretation of pen register orders and compelled key disclosure) without compromising user privacy, but do not have an estimated release date at this time.

To our affected users: we are sincerely sorry for any inconvenience. For any users with positive account balances at the time of this action, we will provide 1 year subscriptions to a non-US VPN service of mutual selection, as well as a refund of your service balance, and free service for 1 year if/when we relaunch a consumer privacy VPN service. Thank you for your support, and we hope this will ease the inconvenience of our service terminating.

For anyone operating a VPN, mail, or other communications provider in the US, we believe it would be prudent to evaluate whether a pen register order could be used to compel you to divulge SSL keys protecting message contents, and if so, to take appropriate action.

From this it doesn't sound like the company had been approached by the feds yet, but is doing this in a proactive manner, highlighting the chilling effects of the US government's overreach into online security services.

Filed Under: cryptography, nsa surveillance, privacy, private keys, surveillance, vpn
Companies: cryptoseal, lavabit


Reader Comments

  • Anonymous Coward, 21 Oct 2013 @ 1:18pm

    -1 for humanity

  • Zakida Paul, 21 Oct 2013 @ 1:24pm

    I do not trust any US hosted VPN or email service no matter how secure they claim to be. I suspect many living in Europe feel the same way.

    • Anonymous Coward, 21 Oct 2013 @ 2:50pm

      Re:

      I do not trust any US hosted VPN or email service no matter how secure they claim to be. I suspect many feel the same way.

      FTFY

  • william, 21 Oct 2013 @ 1:29pm

    some people are questioning why they keep the business service open but closed the personal service.

    My guess is that business portion is more profitable and personal service is more likely to get them served. If that's the case, by handing over the key, it would compromise their business service...

    so they had to shut down personal service because of this risk.

    Good job America, the land of the pseudo-free!

    • Anonymous Coward, 21 Oct 2013 @ 3:37pm

      Re:

      you can thank barry and his criminal cohorts

      • John Fenderson, 21 Oct 2013 @ 3:40pm

        Re: Re:

        It started well before Obama, but if by "criminal cohorts" you mean Congress and the Judiciary, then I agree with you.

        • btr1701, 21 Oct 2013 @ 4:37pm

          Re: Re: Re:

          > It started well before Obama

          Yes, but Obama really took the baton and ran with it, reaching hitherto unexplored heights of Orwellianism.

          • Bergman, 21 Oct 2013 @ 6:14pm

            Re: Re: Re: Re:

            War is peace. Freedom is slavery. Ignorance is strength.

            And thanks to Obama, we have another: Secrecy is transparency.

    • Ryan Lackey, 22 Oct 2013 @ 12:28am

      Re:

      It's partially that, but it's also that the business system has full monitoring built in (so owners can monitor employees, automatically, with DLP and such).

      It's used in regulated industries which already are subject to much more monitoring than court-ordered pen traps, so the monitoring from pen traps is irrelevant to them.

      We're working on some better solutions to both sets of customers, but it'll be 2014 before they're ready. Privacy-conscious consumers should use non-US services for now.

  • Anonymous Coward, 21 Oct 2013 @ 1:44pm

    Well done, US gov! Tech companies are fleeing the US. This will get worse after tonight's EU vote on data protection. So, besides pumping ludicrous amounts of money into NSA e.a., you lose more money on businesses fleeing the country. And all of this helped to catch how many terrorists exactly?

  • Anonymous Coward, 21 Oct 2013 @ 2:06pm

    We are on the threshold of a chain reaction. Entire industries will pack up and move overseas, all due to our government's ongoing efforts to emulate third-world dictatorships; their desperate seizure of power under the quixotic (when not blatantly fraudulent) banner of "fighting terrorism".

    For all their clamoring about "job creation", it's clear that they care far more about preserving their own power than improving the economy. (As if that hadn't already been proven by over two weeks of petty bickering during a government shutdown and nearly defaulting on the national debt because neither side was mature enough to put the entire nation's wellbeing above their own political maneuverings until the last possible moment.)

    • Anonymous Coward, 21 Oct 2013 @ 2:43pm

      Re:

      Absolutely, this is all too evident. The whole thing is a disaster. Once the boomers pass on if we do not change fundamentally how campaign finance, lobbying, financial regulation and patent/copyright law works we are totally fucked.

      We will also need to strike down the Patriot Act and the CFAA and any ACTA/CISPA like bills in the future.

      • Anonymous Coward, 21 Oct 2013 @ 3:38pm

        Re: Re:

        you forgot the NDAA and barry

        • Anonymous Coward, 22 Oct 2013 @ 8:10am

          Re: Re: Re:

          to strike down the Patriot Act and the CFAA and any ACTA/CISPA like bills ... you forgot barry

          What is this "barry" bill?

      • Anonymous Coward, 21 Oct 2013 @ 4:52pm

        Re: Re:

        Got news for you. It isn't the boomers cause they are not listening to us any more than you.

        It's the politicians.

        • Atkray, 21 Oct 2013 @ 6:59pm

          Re: Re: Re:

          "Got news for you. It isn't the boomers cause they are not listening to us any more than you.

          It's the politicians.
          "



          qft

  • Wolfy, 21 Oct 2013 @ 2:48pm

    Used to be, the Chamber of Commerce would be leaning on Gov't. in this type of situation.

  • roarshock44, 21 Oct 2013 @ 4:08pm

    william: the land of the pseudo-free

    . . . and home of the sort-of brave.  our forefathers and foremothers would be so proud of us.

  • Anonymous Coward, 21 Oct 2013 @ 6:48pm

    A lot of VPN services are simply pulling their U.S. servers, to avoid US law. As long as they have no servers in U.S. datacenters, they are not subject to U.S. wiretap orders.

    I know this because I had to move, the only Internet I had for a while was through my 4G cell provider, and I had to use a VPN to bypass the part of the system that detects and blocks any "tethering". However, none of the VPN providers I was using have U.S. servers. Some VPN services are solving the problem by pulling all servers from U.S. datacenters.

    Because of this, I could not watch Netflix, or access U.S.-only web sites for quite a while, since the VPN services I was using pulled all their U.S. servers, to avoid U.S. laws.
    I could not watch Netflix, access my bank accounts. I could not even cancel service from my old ISP, because they block access to certain parts of their network to non-US IP addresses to protect their customers. They are very privacy minded.

    I cannot even find a VPN provider now that does have any servers in U.S. datacenters. I guess the Lavabit case means that VPN providers will soon no longer have servers in U.S. datacenters, so they can avoid U.S. wiretapping orders.

    One would think that Cryptoseal would just simply pull their servers out of U.S datacenters, like a few other VPN providers had, and that solved the problem for them. The other VPN providers out there that pulled their US servers made themselves no longer subject to U.S. laws.

    To me, it seems that what Cryptoseal did was a little overkill. They could have just simply pulled all their servers from U.S. datacenters, and that would have been enough. If other VPN providers can do that and avoid U.S. laws, why not Cryptoseal?

    • Ryan Lackey, 22 Oct 2013 @ 12:30am

      Re:

      We're all US citizens, working and living in the US, and just setting up our servers offshore wouldn't have protected us from personal jurisdiction for things like civil or criminal contempt. We could potentially have owned/licensed an offshore operator to run the whole thing, but at that point, there's not much value we could add -- just use an entirely offshore business run by non-US-citizens.

      I am not a lawyer, of course.

    • Anonymous Coward, 22 Oct 2013 @ 12:30am

      Re:

      I cannot even find a VPN provider now that does have any servers in U.S. datacenters. I guess the Lavabit case means that VPN providers will soon no longer have servers in U.S. datacenters, so they can avoid U.S. wiretapping orders.

      http://www.hidemyass.com/vpn/servers/#us

      One would think that Cryptoseal would just simply pull their servers out of U.S datacenters, like a few other VPN providers had, and that solved the problem for them. The other VPN providers out there that pulled their US servers made themselves no longer subject to U.S. laws.


      Did it? Has this been tested yet? Could be that they only think their problem is solved when it isn't.

      • aldestrawk, 22 Oct 2013 @ 11:11am

        Re: Re:

        The experience with LulzSec two years ago shows that a VPN service can be subject to a court order (in the UK) or other legal subpoena or warrant despite not having servers, or any presence, in the U.S.
        http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/

        Law enforcement cooperation between countries may mean you are not necessarily protected although you might be more protected than being subject to U.S. law enforcement (or CIA etc.) activities directly.

    • Anonymous Coward, 22 Oct 2013 @ 12:56am

      Re:

      [To me, it seems that what Cryptoseal did was a little overkill. They could have just simply pulled all their servers from U.S. datacenters, and that would have been enough. If other VPN providers can do that and avoid U.S. laws, why not Cryptoseal?]
      That's not enough. As long as their company has U.S. based entities, they have to obey U.S. court orders.

      So while non-U.S. based VPN providers can evade by moving their assets out, native U.S. based VPN providers cannot. They have to shut down their company and re-register in other countries that are considered "safe".

  • Anonymous Coward, 21 Oct 2013 @ 7:40pm

    StrongVPN

    I ditched StrongVPN post PRISM. One of the leaks, XKEYSCORE, mentioned you could query for users in a country that had just started a VPN link.

    If you're in a militarized country, speaking out can get you shot, so VPN's like CryptoSeal are essential.

    One of the other big leaks of that data is msftncsi.com, the Microsoft network awareness URL.

    Your PC queries this & its DNS, on each network startup to report if you have a network connection. I notice it reports outside of the VPN and inside the VPN to see if a connection exists without the VPN and via VPN, which lets an observer of that URL unmask the VPN's alternate IP.

    131.107.255.255 dns.msftncsi.com
    127.0.0.1 www.msftncsi.com

    One of the software packages could report if a new device appears or disappears off the net, and I suspect it's watching the network awareness URLs.

    • John Fenderson, 22 Oct 2013 @ 10:22am

      Re: StrongVPN


      Your PC queries this & its DNS, on each network startup to report if you have a network connection


      Mine doesn't.

  • Postulator, 21 Oct 2013 @ 8:43pm

    Offshore it

    Close the service down, and move it and the company offshore to a country that values privacy.

    Of course, that's basically what will happen over the next five to ten years - and hopefully countries will fall over themselves to show how conscious they are of the need for individual privacy protection.

    • Anonymous Coward, 21 Oct 2013 @ 11:23pm

      Re: Offshore it

      Like I said in one other comment, many VPN companies are now pulling out servers from US datacenters, and that, alone, is good enough for most VPN companies to avoid U.S. laws.

      So if you like to watch Netflix, Hulu, or any other U.S.-only site, by way of a proxy or VPN, that soon may not be an option.

    • Anonymous Coward, 21 Oct 2013 @ 11:27pm

      Re: Offshore it

      The USA could still try and make US laws apply. A few years ago, one VPN company, based outside the USA, was bullied into pulling its Cuba, Iran, and North Korea servers. They decided that since the owner was a US citizen, he was still subject to OFAC regulations prohibiting him from operating servers in those countries.

      So if you are going to offshore your VPN service, be sure to move it to a country that will tell the US government to get lost, and not cooperate with the US government in any way.

  • Miceal Mac an tSaoir, 21 Oct 2013 @ 11:26pm

    US Government invasion of privacy

    How many people realise though that many of the 'free' email services offered around the world are actually all hosted by the same company in California and the company that owns the hosting company is 45% owned by the US Federal Government? I had two, seemingly separate, email accounts some years back but it turns out they were both hosted by this one company. When I expressed too much interest in the HAARP facility my main account was closed down. I then used my backup account to complain about this and it too was closed down. I believe the Federal involvement in this email hosting company was deliberate in an attempt to offer easy access to and control of worldwide email traffic.

  • Anonymous Coward, 22 Oct 2013 @ 1:26am

    USA and Canada are losing the VPN business.

  • Anonymous Coward, 22 Oct 2013 @ 4:28am

    as it's only the public, basically, that are affected here, no one will give a toss. the whole aim of all this stuff is to stop the public from having any secrets, anywhere. if there were some/one business/es affected, there would be all sorts of backlash going on!

  • Ninja, 22 Oct 2013 @ 4:28am

    Keep 'em coming. When you hit where it hurts the most (the pockets) things will start changing.

  • Mike Raffety, 22 Oct 2013 @ 11:57am

    Individual SSL keys per customer?

    Could a privacy service use a separate subdomain for each customer (or group of customers) with a separate SSL key, allowing them to comply with a pen register order for one customer without revealing all customers' traffic?

    Yes, the price of SSL keys could be a factor, but perhaps a different CA would be appropriate for this.

  • droland, 26 Jul 2016 @ 7:55am

    Before Snowden we would have laughed at the tinfoil crowd. Now we know that for the average user it is nearly impossible to keep their information secret from the US government if the computer is connected to the Internet. System backdoors from Apple and Microsoft, internet and phone companies handing over data sharing the source with the NSA. VPN and Crypto services compromised, even international crypto standards.

  • AlexRoss, 28 Jul 2016 @ 1:22am

    Amerika is not free

    1. Before America was associated with freedom particularly as regards freedom of action and privacy. Now the situation has changed completely. The new laws are ordained for imposing restrictions on human activity. In the case mentioned above CryptoSeal VPN coped with the problem successfully. What could they do? The proposal concerning their users is also great.
    Nowadays everything changes and the same law has been adopted in Russia https://www.bestvpnrating.com/news/dire-consequences-passed-law according to which the services containing the private data should reveal it if the government asks it. Moreover, some vpn services located in Russia also shut down. Who will be the next?

  • Katherin, 29 Dec 2016 @ 7:45am

    More will follow...

    More and more services will have the same fate; only honeypots and agency controlled services will remain. I would be wary about purchasing any of the more mainstream ones https://vpntrends.com as they may probably be state controlled.
