Another US 'Secure' Service Shuts Down: CryptoSeal VPN Goes Dark To Protect Against US Surveillance
from the chilling-effects dept
The full details here aren't clear, but it looks like another "secure" service based in the US has felt the need to shut down over fears about US surveillance efforts compromising actual security. VPN provider CryptoSeal has announced that it's shuttered the service (via Hacker News):CryptoSeal Privacy Consumer VPN service terminated with immediate effectFrom this it doesn't sound like the company had been approached by the feds yet, but is doing this in a proactive manner, highlighting the chilling effects of the US government's overreach into online security services.
With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability.
Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product.
Specifically, the Lavabit case, with filings released by Kevin Poulsen of Wired.com (https://www.documentcloud.org/documents/801182-redacted-pleadings-exhibits-1-23.html) reveals a Government theory that if a pen register order is made on a provider, and the provider's systems do not readily facilitate full monitoring of pen register information and delivery to the Government in realtime, the Government can compel production of cryptographic keys via a warrant to support a government-provided pen trap device. Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner. The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion, and likely unconstitutional, but until this matter is settled, we are unable to proceed with our service.
We encourage anyone interested in this issue to support Ladar Levison and Lavabit in their ongoing legal battle. Donations can be made at https://rally.org/lavabit We believe Lavabit is an excellent test case for this issue.
We are actively investigating alternative technical ways to provide a consumer privacy VPN service in the future, in compliance with the law (even the Government's current interpretation of pen register orders and compelled key disclosure) without compromising user privacy, but do not have an estimated release date at this time.
To our affected users: we are sincerely sorry for any inconvenience. For any users with positive account balances at the time of this action, we will provide 1 year subscriptions to a non-US VPN service of mutual selection, as well as a refund of your service balance, and free service for 1 year if/when we relaunch a consumer privacy VPN service. Thank you for your support, and we hope this will ease the inconvenience of our service terminating.
For anyone operating a VPN, mail, or other communications provider in the US, we believe it would be prudent to evaluate whether a pen register order could be used to compel you to divulge SSL keys protecting message contents, and if so, to take appropriate action.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cryptography, nsa surveillance, privacy, private keys, surveillance, vpn
Companies: cryptoseal, lavabit
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
[ link to this | view in thread ]
My guess is that business portion is more profitable and person service is more likely to get them served. If that's the case, by handing over the key, it would compromised their business service...
so they had to shut down personal service because of this risk.
Good job America, the land of the pseudo-free!
[ link to this | view in thread ]
[ link to this | view in thread ]
For all their clamoring about "job creation", it's clear that they care far more about preserving their own power than improving the economy. (As if that hadn't already been proven by over two weeks of petty bickering during a government shutdown and nearly defaulting on the national debt because neither side was mature enough to put the entire nation's wellbeing above their own political maneuverings until the last possible moment.)
[ link to this | view in thread ]
Re:
We will also need to strike down the Patriot Act and the CFAA and any ACTA/CISPA like bills in the future.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
FTFY
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
. . . and home of the sort-of brave. our forefathers and foremothers would be so proud of us.
[ link to this | view in thread ]
Re: Re: Re:
Yes, but Obama really took the baton and ran with it, reaching hitherto unexplored heights of Orwellianism.
[ link to this | view in thread ]
Re: Re:
It's the politicians.
[ link to this | view in thread ]
Re: Re: Re: Re:
And thanks to Obama, we have another: Secrecy is transparency.
[ link to this | view in thread ]
I know this becuase I had to move, the only Internet I had for a while was through my 4G cell provider, and I had to use a VPN to bypass the part of the system that detects and blocks any "tethering". However, none of the VPN providers I was using have U.S. servers. Some VPN services are solving the problem by pulling all servers from U.S. datacenters.
Because of this, I could not watch Netflix, or access U.S.-only web sites for quite a while, since the VPN services I was using pulled all their U.S. servers, to avoid U.S. laws.
I could not watch Netflix, access my bank accounts. I could not even cancel service from my old ISP, because they block access to certain parts of their network to non-US IP addresses to protect their customers. They are very privacy minded.
I cannot even find a VPN provider now that does have any servers in U.S. datacenters. I guess the4 Lavabit case means that VPN providers will soon no longer have servers in U.S. datacenters, so they can avoid U.S. wiretapping orders.
One would think that Cryptoseal would just simply pull their servers out of U.S datacenters, like a few other VPN providers had, that that solved the problem for them. The other VPN providers out there that pulled their US servers made themselves no longer subject to U.S. laws.
To me, it seems that what Cryptoseal did was a little overkill. They could have just simply pulled all their servers from U.S. datacenters, and that would have been enough. If other VPN providers can do that and avoid U.S. laws, why not Cryptoseal?
[ link to this | view in thread ]
Re: Re: Re:
It's the politicians."
qft
[ link to this | view in thread ]
StrongVPN
If you're in a militarized country, speaking out can get you shot, so VPN's like CryptoSeal are essential.
One of the other big leaks of that data is msftncsi.com, the Microsoft network awareness URL.
Your PC queries this & its DNS, on each network startup to report if you have a network connection. I notice it reports outside of the VPN and inside the VPN to see if a connection exists without the VPN and via VPN, which lets an observer of that URL unmask the VPN's alternate IP.
131.107.255.255 dns.msftncsi.com
127.0.0.1 www.msftncsi.com
One of the software packages could report if a new device appears or disappears off the net, and I suspect it's watching the network awareness URLs.
[ link to this | view in thread ]
Offshore it
Of course, that's basically what will happen over the next five to ten years - and hopefully countries will fall over themselves to show how conscious they are of the need for individual privacy protection.
[ link to this | view in thread ]
Re: Offshore it
So if you like to watch Netflix, Hulu, or any other U.S.-only site, by way of a proxy or VPN, that soon may not be an option.
[ link to this | view in thread ]
US Government invasion of privacy
[ link to this | view in thread ]
Re: Offshore it
SO if you are going to offshore your VPN service, be sure to move it to a country that will tell the US government to get lost, and no cooperate with the US government in any way.
[ link to this | view in thread ]
Re:
It's used in regulated industries which already are subject to much more monitoring than court-ordered pen traps, so the monitoring from pen traps is irrelevant to them.
We're working on some better solutions to both sets of customers, but it'll be 2014 before they're ready. Privacy-conscious consumers should use non-US services for now.
[ link to this | view in thread ]
Re:
I am not a lawyer, of course.
[ link to this | view in thread ]
Re:
http://www.hidemyass.com/vpn/servers/#us
Did it? Has this been tested yet? Could be that they only think their problem is solved when it isn't.
[ link to this | view in thread ]
Re:
That's not enough. As long as their company has U.S. based entities, they have to obey U.S. court orders.
So while non-U.S. based VPN providers can evade by moving their assets out, native U.S. based VPN providers are cannot. They have to shutdown their copmany and re-register in other countries that is considered "safe".
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Offshore it
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re:
What is this "barry" bill?
[ link to this | view in thread ]
Re: StrongVPN
Mine doesn't.
[ link to this | view in thread ]
Re: Re:
http://blog.hidemyass.com/2011/09/23/lulzsec-fiasco/
Law enforcement cooperation between countries may mean you are not necessarily protected although you might be more protected than being subject to U.S. law enforcement (or CIA etc.) activities directly.
[ link to this | view in thread ]
Individual SSL keys per customer?
Yes, the price of SSL keys could be a factor, but perhaps a different CA would be appropriate for this.
[ link to this | view in thread ]
vpn
[ link to this | view in thread ]
Top VPN service that rises in USA
[ link to this | view in thread ]
USA fastest VPN is helpful to secure your identity
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Amerika is not free
Nowadays everything changes and the same law has been adopted in Russia https://www.bestvpnrating.com/news/dire-consequences-passed-law according to which the services containing the private data should reveal it if the government asks it. Moreover, some vpn services located in Russia also shut down. Who will be the next?
[ link to this | view in thread ]
More will follow...
[ link to this | view in thread ]
Amerika is not free
http://ontimefeed.com/bitmain-antminer-d3-review
Nowadays everything changes and the same law has been adopted in Russia according to which the services containing the private data should reveal it
http://ontimefeed.com if the government asks it. Moreover, some vpn services located in Russia also shut down. Who will be the next?
[ link to this | view in thread ]
VPN a must
[ link to this | view in thread ]
[ link to this | view in thread ]
Best VPNs for USA
In our time, it`s not even worthwhile to use a public wi-fi without a virtual private network. So, please, be careful and secure while surfing the web. I can advise you the list of VPNs that can be used in USA - https://topvpnchoice.com/best-vpns-for-usa/, attentively read reviews and only then make a decision which VPN perfectly meets your requirements.
[ link to this | view in thread ]
Best VPN for Australia
Get the Australia VPN service to unblock geo-blocked knowledge from Australia. With military-grade security, users in Australia or any place around the world will surf the net restriction-free! Make a choice from 70+ servers and obtain IPs to relish native content from various countries.
https://fastestvpn.com/australia-vpn
[ link to this | view in thread ]