Mega to fill secure email gap left by Lavabit

Kim Dotcom's privacy company Mega prepares a 'cutting-edge' email encryption service.
Written by Rob O'Neill, Contributor

Kim Dotcom's "privacy company" Mega is developing secure email services to run on its entirely non-US-based server network as intense pressure from US authorities forces other providers to close.

Last week, Lavabit, which counted NSA leaker Edward Snowden as a user, closed, and Silent Circle closed its secure email service. Lavabit's owner, Ladar Levison, said he was shutting it down to avoid becoming "complicit in crimes against the American people".

Last week, Mega chief executive Vikram Kumar told ZDNet that the company was being asked to deliver secure email and voice services. In the wake of the closures, he expanded on his plans.

Kumar said work is in progress, building off the end-to-end encryption and contacts functionality already working for documents in Mega.

"The biggest tech hurdle is providing email functionality that people expect, such as searching emails, that are trivial to provide if emails are stored in plain text (or available in plain text) on the server side," Kumar said.

"If all the server can see is encrypted text, as is the case with true end-to-end encryption, then all the functionality has to be built client side. [That's] not quite impossible, but very, very hard. That's why even Silent Circle didn't go there."

A big issue is handling emails to and from non-encrypted contacts when Mega's core proposition is end-to-end encryption, Kumar said.

"On this and other fronts, Mega is doing some hugely cutting-edge stuff," he said. "There is probably no one in the world who takes the Mega approach of making true crypto work for the masses, our core proposition."

Kumar said Mega is taking theoretical-sounding technology, such as Bloom filters, and making it work for the masses. Work is also under way to keep Mega secure even if SSL/TLS is compromised.

"[It's] exciting stuff, but very hard, so I think it will take months more to crack it," he said. "But Mega will never launch anything that undermines its end-to-end encryption core security proposition and doesn't work for the mythical grandmother."

Meanwhile, Kim Dotcom has said that he may have to pull parts of Mega out of New Zealand if new surveillance legislation is passed into law.

Dotcom told TorrentFreak that the US government and the other Five Eyes partners, the UK, Canada, Australia, and New Zealand, are pushing new spy legislation to provide backdoors into internet services.

"The NZ government is currently aggressively looking to extend its powers with the GCSB [Government Computer Services Bureau] and the [Telecommunications Interception Capabilities] Act, which will force service providers with encryption capabilities to give them secret decryption access," Dotcom said.

He added that it might force some relocation of Mega's network to other jurisdictions, such as Iceland.

Dotcom explained that by design, Mega doesn't hold decryption keys to customer accounts and "never will".

Lavabit's Levison said: "This experience has taught me one very important lesson: Without congressional action or a strong judicial precedent, I would — strongly — recommend against anyone trusting their private data to a company with physical ties to the United States."

On his blog, Kumar described the closures as "Privacy Seppuku", after the Japanese form of ritual suicide aimed at preserving honour.

"These are acts of 'Privacy Seppuku' — honourably and publicly shutting down ('suicide') rather than being forced to comply with laws and courts intent on violating people's privacy," he said.
