Are small-fry encrypted email ISPs using feds as excuse for closure?

ISPs and email hosting providers need to be willing to work with government officials, and to plan for the need to do so.
Written by David Gewirtz, Senior Contributing Editor

Yesterday, it was Lavabit. Today it's Silent Circle. What? You never heard of these companies? Yeah, neither did I. They're getting headlines this week by closing their doors.

Here is, roughly, the story. Lavabit is/was a secured email provider that claimed to also be the service used by Edward Snowden, the NSA secrets thief who ran away from his country and is hiding out in Russia.

Lavabit (which is really a guy named Ladar Levison) claims to have been running his service for ten years, but doesn't want to become "complicit in crimes against the American people" so he shut down his service...all but the PayPal account where he's taking donations for his "legal defense fund".

Silent Circle is a different story. Even though Silent Circle has been around since October and the company hasn't yet made it a year in business, it's got some heavy hitters on its management team. Chief among them is company president Phil Zimmermann, creator of PGP (Pretty Good Privacy), a tool that's been used for email encryption worldwide for years.

If anyone knows about encryption and the legal complications, restrictions, and requirements, it's Zimmermann. That's why it's particularly interesting, as Steven Musil reported on CNET this morning, that Silent Circle is shuttering its email encryption service.

Silent Circle's Web site has been intermittently responsive as I write this, and since they've closed their email service down, it's difficult finding out exactly what service they were offering. But I'll make a few educated guesses.

Email using the Internet's SMTP protocol travels in the open over the Internet. Email is a store-and-forward protocol, which means a message leaves your account, is stored temporarily on a server, and arrives at a destination account. These days most email clients are Web based, which means the messages aren't downloaded to a PC and deleted, but are instead stored on the provider's server.

These messages are generally stored unencrypted, which means an email provider can, at government request, dig through the email store of any given user and read the messages.

PGP, as a tool, has been used as an email client and as an add-on to email clients like Outlook, to encrypt an email message on the source computer, send it in encrypted form across the network, and then let the recipient decrypt it using a public and private key pair.

Since PGP has been working like this for decades, it's unlikely this practice is what scared Silent Circle away from the email business. From what I can gather, it seems Silent Circle was storing email messages for clients and keeping them stored in encrypted form.

This would potentially subject them to government intervention, because they might then have to respond to a government request for certain email messages from suspect individuals and organizations.

Now, Silent Circle specifically claims, "We have not received subpoenas, warrants, security letters, or anything else by any government."

From another group of founders, I would have considered this a spurious excuse, potentially to investors, as a way to get out of an unsuccessful business model. But these guys know this field better than almost anyone.

I do find it odd that people who are so aware of the government's connection to encryption issues would create a service that, from the beginning, could not be responsive to legal government requests. Perhaps they also found it odd, which is why they saw "the writing on the wall" and chose to close their service.

What does this mean for securing your information on the Internet? Well, that depends on who you're trying to secure it from. If you want a simple, secure communication that can't be cracked by criminals or your teenager, you'll continue to find excellent services that provide that capability.

But if you want to hide information that the government may need as part of criminal or counterterrorism investigations, then -- as it should be -- it will be increasingly difficult to do so.

This is not a case of "if you've got nothing to hide." Rather, it's a case of providing security while also protecting national security. ISPs and email hosting providers need to be willing to work with government officials, and to plan for the need to do so.

Most large businesses have relationships with the government in one way or another and have for many, many years. This is not new.
