UK Secure Email Provider Shut Down His Service In January To Prevent GCHQ From Obtaining Encryption Keys

from the the-fallout-before-the-fallout dept

Shutting down secure email services because of surveillance agency interference apparently isn't just a local phenomenon. Lavabit, Snowden's email provider, shut down earlier this year to prevent being forced by the NSA to sabotage its own encryption. Silent Circle, another secure communications service, shut down its email product only hours later (but not its main messaging product). Silent Circle hadn't yet been pressured by the government, but obviously felt it was only a matter of time.

International Business Times is reporting a similar incident occurred in the UK earlier this year.

PrivateSky was shut down at the beginning of the year after introducing a web-based version in beta and for Outlook and had "tens of thousands of heavily active users".

Brian Spector, CEO of CertiVox, told IT Security Guru: "Towards the end of 2012, we heard from the National Technical Assistance Centre (NTAC), a division of GCHQ and a liaison with the Home Office, [that] they wanted the keys to decrypt the customer data. We did it before Lavabit and Silent Circle and it was before Snowden happened.

Even before the leaks made the Five Eyes' covert surveillance programs public, PrivateSky got an inside peek at the intelligence community's thirst for data. Unfortunately for Spector and his company, complying with GCHQ's request would mean destroying the security it promised to its customers.

[W]e had the choice to make - either architect the world's most secure encryption system on the planet, so secure that CertiVox cannot see your data, or spend £500,000 building a backdoor into the system to mainline data to GCHQ so they can mainline it over to the NSA.

"It would be anti-ethical to the values and message we are selling our customers in the first place."

I suppose GCHQ is satisfied either way. While having the encryption key would have been nice, it's just as simple to gather up communications and metadata from less secure services -- services some of PrivateSky's customers would have resorted to instead. National intelligence agencies seem all too willing to deploy scorched earth policies that destroy companies that don't immediately cave in to their demands. And why not? It does no harm to the government to force secure services out of business. The users of these services have to go somewhere and many of the available options have been compromised already.

Spector hasn't completely given up on the thought of offering a secure email service. He says PrivateSky is still up and running but is currently only used internally by CertiVox. But he does have a plan for another secure email offering based on the internal PrivateSky service.

He said that from the technology it has implemented a split of the root key in the M-Pin technology so it has one half and the user has the other.

"So as far as I know we are the first to do that so if the NSA or GCHQ says 'hand it over' we can comply as they cannot do anything with it until they have the other half, where the customer has control of it."

This could throw up some obstacles for intelligence agencies, the sort of thing they do everything in their power to avoid. The path of least resistance is also the one most frequently traveled. These agencies hate being told "no" almost as much as they hate being inconvenienced. PrivateSky's split key will do both. It should be interesting to see GCHQ's response if Spector takes the service live again.

Filed Under: email, encryption, gchq, secure email, shutting down, surveillance
Companies: certivox, lavabit, silent circle

Lavabit Case Shows Why We Need Tech Literate Judges

from the a-failure-of-knowledge dept

While there's plenty of attention being paid to Lavabit's temporary re-opening for the sake of letting people export their accounts, a much more interesting issue is the recent development in the legal case. Lavabit has filed its latest brief, and there are some interesting discussions about the details of the case. From my reading, Lavabit makes a very strong argument that the government has no right to demand the production of Lavabit's private SSL keys, as it's an overreach way beyond what traditional wiretapping laws allow. Lawyer Orin Kerr's analysis argues that Lavabit's case is weak, mainly arguing that the federal government can subpoena whatever the hell they want, and just because it conflicts with your business model: too bad. Lavabit argues that complying with the government's order is oppressive because it would effectively mean it would be committing fraud on all its customers:

[T]o comply with the government’s subpoena would have either required Lavabit to perpetrate a fraud on its customer base or shut down entirely. That is the key point, and the resulting harm goes far beyond a mere inconvenient search for records. Just as requiring a hotel owner to install glass doors on all its hotel rooms would destroy the hotel’s business, Lavabit cannot exist as an honest company if the government is entitled to take this sort of information in secret. Its relationship with its customers and business partners depends on an assurance that it will not secretly enable the government to monitor all of their communications at all times. If a mere grand jury subpoena can be used to get around that (in secret, no less), then no business—anywhere—can credibly offer its customers a secure email service.

But Kerr points out that this is a "really weak argument":

This strikes me as a really weak argument. Lavabit is essentially claiming that its anti-government business model trumps the subpoena power. That is, it is arguing that the subpoena is “oppressive” precisely because it would work: It would allow the government to conduct the surveillance it is allowed to conduct under the Pen Register statute.

Further, Kerr argues that to accept Lavabit's argument would mean that any company that announces an "ideology or business strategy" that opposes government surveillance could then resist legitimate government subpoenas simply by arguing that they are oppressive and abusive.

I respect Kerr and always look forward to his legal analysis, but I think he's wrong at a variety of levels here, and, tragically the judge in the case seems to have the same confused view of what Lavabit is actually arguing (though, one could argue, that is actually the fault of Lavabit in not making its case clearly). Lawyer Scott Greenfield does a good job explaining why Kerr has mischaracterized Lavabit's defense -- first noting that being pro-privacy is hardly being "anti-government" as Kerr implies. Then pointing out that Lavabit's argument isn't that the government's demand for its private keys was merely oppressive because of its business model, but because it would put Lavabit out of business -- which is not the same thing.

This isn't really a fair characterization of Lavabit's point. Initially, the argument is that revelation of the private key would be the ruination of the business. By exposing every customer to government disclosure, and covert disclosure at that, the government would take a viable business, making money and delivering a service as businesses are allowed to do in America, and destroy it. Poof, company gone. Business gone. Revenue gone. Wham, bam, thank you, Ladar.

But there's an even bigger point in here, which I think Kerr misses entirely, and Greenfield skips over: from a technology standpoint, what the government is demanding of Lavabit is absolutely oppressive and abusive. And, for that, it helps to look at Ed Felten's discussion of the case, in which he notes that the judge and other DOJ supporters in this case (including, it would seem, Kerr) are basically arguing that "If court orders are legitimate, why should we allow engineers to design services that protect users against court-ordered access." But Felten points out that requiring "court ordered access" is tantamount to requiring a massive vulnerability to insider attacks:

To see why, consider two companies, which we’ll call Lavabit and Guavabit. At Lavabit, an employee, on receiving a court order, copies user data and gives it to an outside party—in this case, the government. Meanwhile, over at Guavabit, an employee, on receiving a bribe or extortion threat from a drug cartel, copies user data and gives it to an outside party—in this case, the drug cartel.

From a purely technological standpoint, these two scenarios are exactly the same: an employee copies user data and gives it to an outside party. Only two things are different: the employee’s motivation, and the destination of the data after it leaves the company. Neither of these differences is visible to the company’s technology—it can’t read the employee’s mind to learn the motivation, and it can’t tell where the data will go once it has been extracted from the company’s system. Technical measures that prevent one access scenario will unavoidably prevent the other one.

Insider attacks are a big problem. You might have read about a recent insider attack against the NSA by Edward Snowden. Similar but less spectacular attacks happen all the time, and Lavabit, or any well-run service that holds user data, has good reason to try to control them.

Now, go back to the judge's order or Kerr's analysis, and revisit it with what Felten pointed out, and you realize how far off-base both the Judge and Kerr are in their analyses. Lavabit didn't design its system to be setup the way it was because it was "anti-government," but rather because it wanted to create secure email that protects against a variety of different kinds of attacks, both insider and outsider. That's why it found the government's request so "abusive" and "oppressive." Not because of an ideological disagreement, but rather because of the technological reality that handing over Lavabit's private keys absolutely wrecks any real security of Lavabit's system, which is Lavabit's entire business.

So, while Kerr and the judge in the case seem to think it's a mere ideological issue, that's simply not true. It's a technological issue, on which Lavabit's entire business was based. If Kerr and the judge are correct, then, as Felten properly notes, it becomes effectively illegal to build a really secure communications system. That seems positively ridiculous, especially in a time when we're told (by the very government agency that wants to do all this spying) that we need better online security to protect against attacks.

Filed Under: doj, ed felten, email, ladar leveson, orin kerr, scott greenfield, secure email, subpoenas
Companies: lavabit

Insanity: PayPal Freezes Mailpile's Account, Demands Excessive Info To Get Access

from the why-we-need-paypal-alternatives dept

See update at the bottom

A few weeks ago, we wrote about Mailpile, a new attempt to create a webmail client that is built with both security and usability in mind -- think Gmail/Outlook-type interface, but which you can control and with built in security. The project looks awesome and is greatly needed these days, as we learn more and more about government intrusions into hosted webmail accounts. Their IndieGoGo campaign has been a huge success, going past their $100,000 target, and is currently at around $137,000, which will allow the three person team to focus on it full time.

Except... as the team announced this morning, PayPal, for reasons known only to PayPal, has decided to freeze their funds and won't let Mailpile access the money that people donated:

Saturday August 31st I woke to two emails from PayPal. The first notified me they had cancelled the debit card associated with my sole proprietor business account, the second was informing me they placed a block on my account barring me from withdrawing or sending any money out of my PayPal account.

Assuming this would get sorted out after a little explaining/security check, the team has been trying to get PayPal to unfreeze the account, with no luck. PayPal is demanding an insane level of detail into Mailpile's personal finances and business:

Afer 4 phone calls, the last of which I spoke to a supervisor, the understanding I have come to is, unless Mailpile provides PayPal with a detailed budgetary breakdown of how we plan to use the donations from our crowd funding campaign they will not release the block on my account for 1 year until we have shipped a 1.0 version of our product. A final email communication from PayPal reaffirmed us of their stance by stating:

"Please provide an itemized budget and your development goal dates for your project"

This puts us in an incredibly uncomfortable position as we do not feel that it's remotely in their jurisdiction to ask for a detailed budget of our business, any more than it is within our right to ask for theirs.

Even worse, it seems that the folks at PayPal recognize that it holds power over Mailpile, and seems almost to be lording that power over them:

Communications with PayPal have implied that they would use any excuse available to them to delay delivering as much of our cash as possible for as long as possible. Asking us to give them justification for such behavior is obviously not in our best interests. PayPal's position particularly ridiculous when contrasted with IndieGoGo's policy of transferring all funds to successful campaigns within 15 days of their conclusion. If IndieGoGo can do it, so can PayPal.

This isn't all of the money raised -- it's about $45,000 of the $137,000, but it's still a huge pain. Mailpile has now had the Software Freedom Law Center look into their legal options for obtaining the money that people donated to the project.

Yes, PayPal has a long history of similar things, but that doesn't make it okay.

Update: And... of course, the inevitable backtrack. After all the publicity. From PayPal:

We have reached out to MailPile and the limitation has been lifted. Supporting crowd funding campaigns is an exciting new part of our business.We are working closely with industry-leaders like IndieGoGo and adapting our processes and policies to better serve the innovative companies that are relying on PayPal and crowd funding campaigns to grow their businesses. We never want to get in the way of innovation, but as a global payments company we must ensure the payments flowing through our system around the world are in compliance with laws and regulations. We understand that the way in which we are complying to these rules can be frustrating in some cases and we've made significant changes in North America to adapt to the unique needs of crowd funding campaigns. We are currently working to roll these improvements out around the world.

Filed Under: email, frozen account, paypal, secure email
Companies: mailpile, paypal

Another Secure Email Service Shuts Down To Avoid Having To Do So Later

from the us-government-destroying-american-businesses dept

When Lavabit announced its sudden decision to shut down yesterday, many of its customers were actually fairly perturbed that they were given no notice, and no way to retrieve their mail before it went away. While I can certainly understand that emotional response to losing your email account like that, it seems rather obvious that there was no real choice here. If Lavabit had alerted customers that they had a day or a week or whatever before the service shut down, it seems quite likely from the hints given that the government would have stepped in with an order to preserve the information it was clearly seeking access to.

Given that, it's noteworthy that another secure email provider, Silent Circle, chose to announce its own plans to close down its secure email service hours later. Silent Circle isn't facing the same hidden court orders/government demands, but it recognized that it would likely come some day soon -- and thus it was better to shut down ahead of time, before the government forced it to make the same decision. I'm somewhat surprised that Silent Circle didn't at least give its customers a day or whatever to close out their email, but rather the company flat out destroyed its servers, noting:

"Gone. Can't get it back. Nobody can."

The company is still offering other secure tools that feature end-to-end encryption such that there's nothing they can hand over to the government.

In discussing this, I saw some people point out that another service, CryptoCloud, has actually had it as a part of its privacy policy for over five years that it would shut down rather than let the government get direct access to accounts:

If a court orders us to allow them to secretly place surveillance "sniffers" on a specific account, we will fight this order to the highest judicial authority possible. If we lose, we will shut down the business and call it a day. End of story.

Still, this kind of thing is showing how these ridiculous surveillance policies from the US government are doing massive harm to US businesses, basically making them either lie to their customers and violate their privacy, or to shut down completely. It's going to drive many, many users to overseas services. Is that really worth it?

Filed Under: email, secure email, shutting down, surveillance
Companies: lavabit, silent circle