Lavabit

From Wikipedia, the free encyclopedia

Lavabit
Type of site
Webmail
OwnerLavabit LLC
Created byLadar Levison
URLlavabit.com
CommercialYes
RegistrationRequired
Launched2004
Current statusOnline
Content license
Open-source (mail server)

Lavabit is an open-source encrypted webmail service, founded in 2004. The service suspended its operations on August 8, 2013 after the U.S. Federal Government ordered it to turn over its Secure Sockets Layer (SSL) private keys, in order to allow the government to spy on Edward Snowden's email.[1][2][3][4]

Lavabit's owner and operator, Ladar Levison, announced on January 20, 2017 that Lavabit would start operating again, using the new Dark Internet Mail Environment (DIME), which is an end-to-end email encryption platform designed to be more surveillance-resistant. However, as of June 2017, while the DIME transition was being completed, service was only being offered to past customers and those who took advantage of the early signup offer.[5][6][7][8] As of October 2017, the ability for new customers to purchase service was again being offered.[9]

History[edit]

Lavabit was founded by Texas-based programmers who formed Nerdshack LLC, renamed Lavabit LLC the next year, who cited privacy concerns about Gmail, Google's free, widely used email service, and their use of the content of users' email to generate advertisements and marketing data.[10] Lavabit offered significant privacy protection for their users' email, including asymmetric encryption. The strength of the cryptographic methods used was of a level that is presumed impossible for even intelligence agencies to crack. In August 2013, Lavabit had about 410,000 users and offered free and paid accounts with levels of storage ranging from 128 megabytes to 8 gigabytes.[11][12] In January 2011,[13] Lavabit had launched a shared web hosting service.[14]

Before the Snowden incident, Lavabit had complied with previous search warrants. For example, in June 2013 a search warrant was executed against a Lavabit account for suspected possession of child pornography.[15]

Connection to Edward Snowden[edit]

Court documents (PDF)

Lavabit received media attention in July 2013 when it was revealed that Edward Snowden was using the Lavabit email address Ed_Snowden@lavabit.com to invite human rights lawyers and activists to a press conference during his confinement at Sheremetyevo International Airport in Moscow.[16] The day after Snowden revealed his identity, the United States federal government served a court order, dated June 10, 2013, and issued under 18 USC 2703(d), a 1994 amendment of the Stored Communications Act, asking for metadata on a customer who was unnamed. Kevin Poulsen of Wired wrote that "the timing and circumstances suggest" that Snowden was this customer.[17] In July 2013 the federal government obtained a search warrant demanding that Lavabit give away the private SSL keys to its service affecting all Lavabit users.[18] A 2016 redaction error confirmed that Edward Snowden was the target.[2]

Suspension and gag order[edit]

On August 8, 2013, Lavabit suspended its operations, and the email service log-in page was replaced by a message from the owner and operator Ladar Levison.[1] The New Yorker suggested that the suspension might be related to the US National Security Agency (NSA)'s "domestic-surveillance practices".[19] Wired speculated that Levison was fighting a warrant or national security letter seeking customer information under extraordinary circumstances, as Lavabit had complied with at least one routine search warrant in the past.[16][20] Levison stated in an interview that he has responded to "at least two dozen subpoenas" over the lifetime of the service.[21] He hinted that the objectionable request was for "information about all the users" of Lavabit.[22]

Levison explained he was under gag order and that he was legally unable to explain to the public why he ended the service.[21] Instead, he asked for donations to "fight for the Constitution" in the United States Court of Appeals for the Fourth Circuit. Levison also stated he has even been barred from sharing some information with his lawyer.[21] Meanwhile, the Electronic Frontier Foundation called on the Federal Bureau of Investigation (FBI) to provide greater transparency to the public, in part to help observers "understand what led to a ten-year-old business closing its doors and a new start-up abandoning a business opportunity".[23]

Levison said that he could be arrested for closing the site instead of releasing the information, and it was reported that the federal prosecutor's office had sent Levison's lawyer an email to that effect.[22][24]

Lavabit is believed to be the first technology firm that has chosen to suspend or shut down its operation rather than comply with an order from the United States government to reveal information or grant access to information.[3] Silent Circle, an encrypted email, mobile video and voice service provider, followed the example of Lavabit by discontinuing its encrypted email services.[25] Citing the impossibility of being able to maintain the confidentiality of its customers' emails should it be served with government orders, Silent Circle permanently erased the encryption keys that allowed access to emails stored or transmitted by its service.[26]

Levison in September 2013 at the Liberty Political Action Conference

In September 2013 Levison appealed the order that resulted in the closing of his website.[27]

Levison and his lawyer made two requests to Judge Claude M. Hilton to unseal the records, both of which were denied. They also launched an appeals case regarding legality of the original warrant. The appeals court then requested the records to be unsealed, and Judge Hilton granted the request. On October 2, 2013, the Federal District Court in Alexandria, Virginia unsealed records in this case, but only censored the name and detail of the target of the search order. Wired suggested the target was likely Snowden.[4] The court records show that the FBI sought Lavabit's Transport Layer Security (TLS/SSL) private key. Levison objected, saying that the key would allow the government to access communications by all 400,000 customers of Lavabit. He also offered to add code to his servers that would provide the information required just for the target of the order. The court rejected this offer because it would require the government to trust Levison and stated that just because the government could access all customers' communication did not mean they would be legally permitted to do so. Lavabit was ordered to provide the SSL key in machine readable format by noon, August 5 or face a fine of $5000 per day.[28] Levison closed down Lavabit 3 days later.

On October 14, 2013, Levison announced he would allow Lavabit users to change their passwords until October 18, 2013, after which they could download an archive of their emails and personal data.[29][30]

The court documents stated that on July 13 Levison sent an open letter to the assistant US attorney, offering to give email metadata (without email content, usernames or passwords) to the FBI if it paid him $2,000 "to cover the cost of the development time and equipment necessary to implement my solution" and $1,500 to give data "intermittently during the collection period".[31]

Afterwards, Levison wrote that after being contacted by the FBI, he was subpoenaed to appear in federal court, and was forced to appear without legal representation because it was served on such short notice; in addition, as a third party, he had no right to representation, and was not allowed to ask anyone who was not an attorney to help find him one. He also wrote that in addition to being denied a hearing about the warrant to obtain Lavabit's user information, he was held in contempt of court. The appellate court denied his appeal due to no objection, however, he wrote that because there had been no hearing, no objection could have been raised. His contempt of court charge was also upheld on the ground that it was not disputed; similarly, he was unable to dispute the charge because there had been no hearing to do it in. He also wrote that "the government argued that, since the 'inspection' of the data was to be carried out by a machine, it was exempt from the normal search-and-seizure protections of the Fourth Amendment."[32]

Legacy[edit]

One year after the suspension of Lavabit, its founder Ladar Levison announced a specification for the Dark Internet Mail Environment (DIME) at DEF CON 22. It is under development by the Dark Mail Alliance.[33]

In April 2014, after a contempt of court conviction for providing the key as a printout was upheld by an appeals court, he described the initiative to Ars Technica as "a technological solution which would take the decision away from the will of man."[34]

The contempt of court was caused by Levison providing the keys printed in a tiny (4 point) font, which was deemed "largely illegible" by an FBI motion, which went on to complain that "To make use of these keys, the FBI would have to manually input all 2560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data."[35]

In November 2015, Levison said that work on DIME was still progressing, although slower than he would like.[36] As of July 2016, posts to the Dark Mail Alliance forum suggest that all collaborators have left the project and Ladar has been working on DIME alone.[37][original research?]

Relaunch[edit]

On January 20, 2017, Lavabit owner Ladar Levison relaunched the service. Per the wording of the announcement, this date was apparently timed to coincide with the inauguration of Donald Trump (though he was not mentioned by name). The service has been revamped to use the Dark Internet Mail Environment protocols and software that Ladar had been working on for the past few years. This DIME platform, and the associated Magma open source email server, are designed to use end-to-end email encryption in such a way that when operating with the highest security settings, subpoenas cannot force service providers to give governments access to customer email (or be forced to shut down in order to avoid this). When using the maximum security settings, even an attacker breaking into DIME servers would have no feasible way to access customer emails, leaving client-side attacks as likely the only potential points of vulnerability.

See also[edit]

References[edit]

  1. ^ a b "Lavabit". Lavabit. Archived from the original on August 9, 2013. Retrieved April 6, 2016.
  2. ^ a b "A Government Error Just Revealed Snowden Was the Target in the Lavabit Case". WIRED. March 17, 2016.
  3. ^ a b Ackerman, Spencer (August 9, 2013). "Lavabit email service abruptly shut down citing government interference: Founder of service reportedly used by Edward Snowden said he would not be complicit in 'crimes against the American people'". The Guardian. Retrieved August 9, 2013.
  4. ^ a b Edward Snowden’s E-Mail Provider Defied FBI Demands to Turn Over Crypto Keys, Documents Show. Wired
  5. ^ "Lavabit Reloaded". lavabit.com. January 20, 2017. Archived from the original on March 31, 2017. Retrieved April 23, 2017.
  6. ^ "Explain Lavabit". lavabit.com. January 28, 2017. Archived from the original on June 23, 2017. Retrieved April 23, 2017.
  7. ^ "Want Lavabit". lavabit.com. 2017. Archived from the original on April 25, 2017. Retrieved April 23, 2017.
  8. ^ "Lavabit Haves". lavabit.com. January 28, 2017. Archived from the original on April 25, 2017. Retrieved April 23, 2017.
  9. ^ "Lavabit: Select your plan". lavabit.com. Archived from the original on May 2, 2018. Retrieved March 17, 2019.
  10. ^ "Lavabit High Scalability Writeup". Archived from the original on October 3, 2013. Retrieved August 9, 2013.
  11. ^ Lavabit chief predicts 'long fight' with feds CNET, August 9, 2013. Retrieved August 13, 2013.
  12. ^ Ingersoll, Geoffrey (July 12, 2013). "How Edward Snowden Sends His Ultra-Sensitive Emails". Business Insider. Archived from the original on August 8, 2013. Retrieved August 8, 2013.
  13. ^ "Lavabit ..::.. Home". Archived from the original on April 23, 2011. Retrieved September 10, 2013.
  14. ^ "Lavabit Hosting". Archived from the original on September 10, 2013. Retrieved September 10, 2013.
  15. ^ "In the Matter of the Search of: Lavabit LLC Email Account for Joey006@lavabit.com". Docket Alarm, Inc. Retrieved August 10, 2013.
  16. ^ a b Poulsen, Kevin (August 8, 2013). "Edward Snowden's Email Provider Shuts Down After Secret Court Battle". Wired. Archived from the original on August 8, 2013. Retrieved August 8, 2013.
  17. ^ Poulsen, Kevin. "Feds Targeted Snowden’s Email Provider the Day After NSA Whistleblower Went Public." Wired. September 27, 2013. Retrieved on October 2, 2013.
  18. ^ Poulsen, Kevin. "Edward Snowden’s E-Mail Provider Defied FBI Demands to Turn Over Crypto Keys, Documents Show." Wired. October 2, 2013. Retrieved on October 2, 2013.
  19. ^ Davidson, Amy. "The N.S.A. and Its Targets: Lavabit Shuts Down". The New Yorker. Retrieved August 8, 2013.
  20. ^ Jardin, Xeni (August 8, 2013). "Lavabit, email service Snowden reportedly used, abruptly shuts down". Boing Boing. Archived from the original on August 8, 2013. Retrieved August 8, 2013.
  21. ^ a b c Mullin, Joe (August 14, 2013). "Lavabit founder, under gag order, speaks out about shutdown decision". Ars Technica. Retrieved August 16, 2013.
  22. ^ a b Michael Isikoff (August 15, 2013). "Lavabit.com owner: 'I could be arrested' for resisting surveillance order". NBC News Investigations. Retrieved September 15, 2013. But a source familiar with the matter told NBC News that James Trump, a senior litigation counsel in the U.S. attorney's office in Alexandria, Va., sent an email to Levison's lawyer last Thursday — the day Lavabit was shuttered — stating that Levison may have 'violated the court order,' a statement that was interpreted as a possible threat to charge Levison with contempt of court.
  23. ^ Samson, Ted (August 9, 2013). "Lavabit shutdown marks another costly blemish for U.S. tech companies". InfoWorld. Retrieved August 16, 2013.
  24. ^ Nicole Perlroth and Scott Shane (October 2, 2013). "As F.B.I. Pursued Snowden, an E-Mail Service Stood Firm". New York Times. Retrieved October 2, 2013.
  25. ^ Ribeiro, John. "After Lavabit, Silent Circle also shuts down its encrypted email service". PC World. Retrieved August 9, 2013.
  26. ^ Sengupta, Somini (August 8, 2013). "2 E-Mail Services Close and Destroy Data Rather Than Reveal Files" (Bits blog). The New York Times. Retrieved August 10, 2013.
  27. ^ Poulsen, Kevin. "Lavabit’s Owner Appeals Secret Surveillance Order That Led Him to Shutter Site." Wired. September 11, 2013. Retrieved on October 2, 2013.
  28. ^ "Lavabit Details Unsealed: Refused To Hand Over Private SSL Key Despite Court Order & Daily Fines". Techdirt. October 2, 2013.
  29. ^ "Lavabit to Briefly Reinstate Services for Data Recovery". PR Newswire. October 14, 2013. Retrieved October 14, 2013.
  30. ^ "Lavabit ..::.. Liberty". Archived from the original on October 15, 2013. Retrieved October 14, 2013.
  31. ^ Hern, Alex (October 9, 2013). "Lavabit founder offered to log users' metadata if FBI paid him $3,500". The Guardian. Retrieved February 5, 2014.
  32. ^ Levison, Ladar (May 20, 2014). "Secrets, lies and Snowden's email: why I was forced to shut down Lavabit". The Guardian.
  33. ^ "DEF CON 22 - Ladar Levison and Stephen Watt - Dark Mail". Youtube.
  34. ^ Joe Silver (April 16, 2014). "Lavabit held in contempt of court for printing crypto key in tiny font [Updated]: US attorney: Lavabit "treated court orders like contract negotiations."". Ars Technica.
  35. ^ Joseph Cox (March 17, 2016). "Here Are The Teeny-Tiny Printed Out Crypto Keys of Snowden's Email Service". Vice.
  36. ^ Zack Whittaker (November 2, 2015). "'Dark mail' debut will open door for Lavabit's return, says Ladar Levison". ZDnet.
  37. ^ "darkmail.info forums". January 22, 2016. Archived from the original on January 20, 2017.

External links[edit]