Lavabit To Release Code As Open Source, As It Creates Dark Mail Alliance To Create Even More Secure Email
from the it's-needed dept
This whole morning, while all these stories of the NSA hacking directly into Google and Yahoo's network have been popping up, I've been at the Inbox Love conference, all about the future of email. The "keynote" that just concluded, was Ladar Levison from Lavabit (with an assist from Mike Janke from Silent Circle), talking about the just announced Dark Mail Alliance, between Lavabit and Silent Circle -- the other "security" focused communications company who shut down its email offering after Lavabit was forced to shut down. Levison joked that they went with "Dark Mail" because "Black Mail" might have negative connotations. Perhaps just as interesting, Levison is going to be releasing the Lavabit source code (and doing a Kickstarter project to support this), with the hope that many others can set up their own secure email using Lavabit's code, combined with the new Dark Mail Alliance secure technology which will be available next year.As noted, the Alliance is working on trying to create truly secure and surveillance-proof email. Of course, nothing is ever 100% surveillance proof -- and both members of the alliance have previously claimed that it was almost impossible to do surveillance-proof email. However, they're claiming they've had a "breakthrough" that will help.
The newly developed technology has been designed to look just like ordinary email, with an interface that includes all the usual folders—inbox, sent mail, and drafts. But where it differs is that it will automatically deploy peer-to-peer encryption, so that users of the Dark Mail technology will be able to communicate securely. The encryption, based on a Silent Circle instant messaging protocol called SCIMP, will apply to both content and metadata of the message and attachments. And the secret keys generated to encrypt the communications will be ephemeral, meaning they are deleted after each exchange of messages.Importantly, they're not asking everyone to just trust them to be secure -- even though both companies have the right pedigree to deserve some level of trust. Instead, they're going to release the source code for public scrutiny and audits, and they're hoping that other email providers will join the alliance.
For the NSA and similar surveillance agencies across the world, it will sound like a nightmare. The technology will thwart attempts to sift emails directly from Internet cables as part of so-called “upstream” collection programs and limit the ability to collect messages directly from Internet companies through court orders. Covertly monitoring encrypted Dark Mail emails would likely have to be done by deploying Trojan spyware on a targeted user. If every email provider in the world adopted this technology for all their users, it would render dragnet interception of email messages and email metadata virtually impossible.
At the conference, Levison recounted much of what's happened over the last few months (with quite a bit of humor), joking about how he tried to be "nice" in giving the feds Lavabit's private keys printed out, by noting that he included line numbers to help (leaving unsaid that this would make OCR'ing the keys even more difficult). He also admitted that giving them the paper version was really just a way to buy time to shut down Lavabit.
Janke came up on stage to talk about the importance of changing the 40-year-old architecture of email, because it's just not designed for secure communications. The hope is that as many other email providers as possible will join the Alliance and that this new setup becomes the de facto standard for end-to-end secure email, which is where Levison's open sourcing of his code gets more interesting. In theory, if it all works out, it could be a lot easier for lots of companies to set up their own "dark mail" email providers.
Either way, I would imagine that this development can't make the NSA all that happy.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: dark mail, dark mail alliance, email, ladar levison, mark janke, nsa, nsa surveillance, open source, security, surveillance
Companies: dark mail alliance, lavabit, silent circle
Reader Comments
Subscribe: RSS
View by: Time | Thread
As a bonus...
[ link to this | view in chronology ]
Re: As a bonus...
So yes, spam volume ought to go down and spammer profits will fall or the cost for the senders will go up.
Eventually they might figure a way to work around holes in this but once we encrypt all email then tweaks to the protocols will be easier next time.
[ link to this | view in chronology ]
Re: Re: As a bonus...
[ link to this | view in chronology ]
Join the dark side of the force?
Darth Vader would approve!
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Could people port SCIMP to Javascript?
So everyone could use it anywhere that there is a browser?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
Theoretically, I know, those should be the same, but reality is so far removed that the distinction is important.
[ link to this | view in chronology ]
Re:
Just look at all the damage the NSA has done to US interests.
MUCH more accurate!
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
Re:
High crimes = NSA + GCHQ + PUBLIC OFFICALS OF THE UK
& US ! ! !
Misdemeanors = Snowden, Manning, Assange, lAVABIT
REMEMBER: POLITICIANS, BUREAUCRATS AND DIAPERS SHOULD BE
CHANGED OFTEN AND FOR THE SAME REASON.
[ link to this | view in chronology ]
Ban encryption
[ link to this | view in chronology ]
Re: Ban encryption
[ link to this | view in chronology ]
Re: Ban encryption
[ link to this | view in chronology ]
Re: Ban encryption
They tried (Google for "Clipper chip"). We fought. We won.
Too much depends on encryption now, and it is too widespread. The negative reaction to any attempt to ban encryption would be very strong.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Couldn't make Google very happy, either!
So long as "The Market" (if not NSA directly) rewards Google for spying, do you expect it to do LESS of it?
09:19:21[k-362-3]
[ link to this | view in chronology ]
well we wouldn't want that.
- I have always thought of this as a technical problem. It won't be solved by new laws or new oversight or Politicians. Its simply a set of technical problems we will address, part of the reason its been so ignored is because of laziness. I think this will give us our edge back and we will be creating secure mail/messaging/P2P websites w/no traditional DNS lots of good stuff in the pipe.
[ link to this | view in chronology ]
Re:
_______________________________
I agree with you, although we need both. There must be a legal prohibition on certain activities as well (to provide accountability), but having tech-minded folks applying their skills to engineered solutions is essential as well.
[ link to this | view in chronology ]
As it ever is
Although the NSA won't be happy, they would be naive to assume there would be no reaction. It does put the NSA's reaction in a different context, although it was embarrassing and the terrorist's a red herring, the exposure of wide spread email monitoring will impact the ease at which they spy as programs such as dark mail are developed.
[ link to this | view in chronology ]
so why are email companies not doing it then? i can see very soon that those that dont will be losing customers, and so they should!
[ link to this | view in chronology ]
Hooray
Take my money, please.
[ link to this | view in chronology ]
Very Clever Deception
[ link to this | view in chronology ]
Re: Very Clever Deception
[ link to this | view in chronology ]
Re: Re: Very Clever Deception
[ link to this | view in chronology ]
Re: Re: Very Clever Deception
[ link to this | view in chronology ]
Black Ops Mail
Black Ops Mail, now that is a name that not only sounds cool but does a great job describing what they want to build.
They could register the Spanish domain bom.es which would really freak out the NSA as an added bonus!
[ link to this | view in chronology ]
Re: Black Ops Mail
[ link to this | view in chronology ]
Cut by their own sword...
Haha, no shit. It is definitely worth pointing out though that all of this is of the NSA's own making. If they wouldn't have been so cavalier about sucking up data, something like Dark Mail would never have been necessary and they could have continued - status quo.
[ link to this | view in chronology ]
Talking about which, why not adopt a similar protocol for chat?
[ link to this | view in chronology ]
Re: Talking about which, why not adopt a similar protocol for chat?
[ link to this | view in chronology ]
Key management
[ link to this | view in chronology ]
Wish 'em well
[ link to this | view in chronology ]