Amid the ongoing saga of the NSA and our government's never-ending disregard for our privacy and liberty, yet another incredible set of events are occurring.
On August 9, a small email provider, Lavabit, abruptly shut down its service rather than comply with an NSA request to monitor any and all of their customer's accounts. Lavabit provided encrypted email without any logging, meaning that requests for users' data could not be fulfilled as such data did not exist - or it was encrypted in such a way as to be unreadable. Days later, Lavabit's founder has been threatened with criminal charges for shuttering his business rather than comply with domestic spying.
The same day, another email provider, Silent Circle, decided without warning to delete all their users' email from their own servers and discontinue all email services. This was done to prevent government reading email headers and gathering information about users, their location and their personal correspondence. For Silent Circle CEO Mike Janke, the writing was on the wall:
Janke says that news triggered an emergency conversation with Phil Zimmermann, a Silent Circle founder who in 1991 created the e-mail encryption protocol known as PGP for “pretty good privacy” (see “An App Keeps Spies Away from Your iPhone”). “Once we saw what happened with Lavabit, we realized it wasn’t days, it was hours that we had to make a decision,” Janke says. But he adds that he never did receive [an NSA] request.
Before proceeding with the story, we should take a step back and consider email itself. It is true that email can be encrypted in a way that's uncrackable, even by the NSA. Several email providers, ISPs and VPN providers around the world encrypt their data in the same manner that the NSA encrypts their own, Top Secret data.
However, that doesn't stop the NSA and other government worker bees from simply stealing your information much the same way a hacker might - by unleashing viruses and malware to infect services and users' own systems. These attacks steal header information as well as the famed "meta data." They also likely store encrypted information in vast warehouses for cracking in the future at some point, when technology exists to crack it.
[E]ven if an e-mail service encrypts messages for secrecy, as Lavabit and Silent Circle did, the e-mail headers and routing protocols reveal who the senders and receivers are, and that information can be valuable in its own right. And second, the passcodes used as keys to decrypt messages can be requested by the government (if held by the e-mail company) or simply stolen by sophisticated malware.Since the security community at large is aware of government encryption methods, its safe to say that when the NSA changes their own encryption methods, these private services will change as well. Why would private services change as well? Because if the NSA changes their own encryption methods, it likely means they've found a way to crack it. As a result, using strongly encrypted services should be considered safe and effective, so long as your service provider is attentive and competent.
Resistance is Futile
Lavabit was a service used by none-other than Edward Snowden, as well as at least 350,000 other people. The small business was run by the founder out of his apartment in Dallas, TX.
At any rate, the founder of Lavabit, Ladar Levison, has previously complied with NSA requests for user information. The most recent requests that resulted in the shuttering of his livelihood sought access to all users without restraint. You see, previous NSA requests were for specific users.
Levison stressed that he has complied with "upwards of two dozen court orders" for information in the past that were targeted at "specific users" and that "I never had a problem with that." But without disclosing details, he suggested that the order he received more recently was markedly different, requiring him to cooperate in broadly based surveillance that would scoop up information about all the users of his service. He likened the demands to a requirement to install a tap on his telephone.
Incredibly, only days later the NSA responds to Levison's decision to close his business by threatening legal action against him personally. Evidently, in the eyes of our government, closing his business is itself a violation of the NSA's request for data.
[A] source familiar with the matter told NBC News that James Trump, a senior litigation counsel in the U.S. attorney’s office in Alexandria, Va., sent an email to Levison's lawyer last Thursday – the day Lavabit was shuttered -- stating that Levison may have "violated the court order," a statement that was interpreted as a possible threat to charge Levison with contempt of court.When the NSA shows up at your door, resistance is futile. In our latest twist in this saga, closing a tech business can itself illegal. Presumably the reason is one cannot provide data from a company that no longer exists, in their eyes violating a court order to provide data.
You must change
Unequivocally speaking, any service you're using that is based in the United States is tapped, compromised and leaking like a sieve. The service providers may be complicit, or they may be hacked, it does not matter. Should the service be ordered to provide data, they cannot simply close its doors without continual government harassment.
You cannot stick your head in the sand. The Obama administration directly authorized the NSA to bulk collect all email routed through, an order that required renewal every 90 days since its inception. Therefore this cannot be considered a "fluke," one-time action that flew under the radar.
This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States. -- Ladar Levison, Owner and Operator, Lavabit LLCInstead, you should switch to an offshore business. Why? The EU has a data retention law that requires ISPs to collect data about its users, but business that provide other services are not required to comply. In fact, in many countries they already have in place laws to protect your electronic data specifically. Regardless of this fact, most companies outright ignore requests from the NSA or American organizations (like the MPAA). Instead, they wait to see if an order will come from their own government, which is not likely to happen to any ordinary, law abiding person.
Most EU and European email providers should be safe, so long as they are not also ISPs. Here is a brief list:
- Countermail - https://countermail.com (Sweden)
- Neobox - http://www.neomailbox.com (Netherlands)
- Green - http://www.mails.ch (Switzerland)
- Swiss Mail - http://www.swissmail.org (Switzerland)
Industry is changing
In response to government intrusion, many in the industry are changing the concept of email. Rather than serve messages over traditional email protocols, they aim to change messaging to other technologies. For example, making messages function and look like email, but actually rely on protocols typically used for instant messaging.
Meanwhile, Silent Circle is working on replacing its defunct e-mail service with a system that doesn’t rely on traditional e-mail protocols and keeps no messages or metadata within the company’s grasp. It is based on a protocol often used for instant messages and other applications. Janke says the goal is for this to not be e-mail, but “for all intents and purposes it looks, feels, and acts like e-mail.”
I should note, as eltee did below, that your traffic is still collected if you have an email address of any kind, and you're within any of the so called "Five Eyes" countries. My traffic is always routed through a VPN, and I neglected to mention that while writing this article. VPN access is quite trivial to setup nowadays, and should be used regardless of NSA spying - as a simple means to protect yourself. In general it should not matter too much where the VPN is located, since your traffic is encrypted end-to-end. Therefore your collected data can't be analyzed (yet). Here are some good providers: