Date: 2013-10-30
By Joseph Menn
SAN FRANCISCO, Oct 30 - The founder of the Lavabit
encrypted email service, which shut down rather than allow
potentially unlimited government interception, said he will
release his programming code to the public in an effort to
improve communication security.
Ladar Levison, who shuttered his startup Lavabit after a
U.S. court forced him to turn over the company's cryptographic
keys to federal agents, said he would work with former rivals
and newcomers on an open email system designed to protect
ordinary users' privacy from law enforcement, as well as insider
corruption and hacking.
Lavabit and civil-liberties groups have asked an appeals
court to reverse the decision favoring the federal agents, who
are believed to have been seeking information about former
National Security Agency contractor Edward Snowden, a Lavabit
user.
Levison told Reuters that he was so concerned about mass
surveillance that he did not want to wait until the appeals
court ruling.
"They've effectively violated the public's trust and as a
result, we've decided as a community that it's time to develop a
technical solution," Levison said. "Maybe there can be 100
Lavabits if I turn over the code."
Levison's Darkmail Alliance plan ranks as one of the more
dramatic examples of simmering rebellion in the technology
industry against government intelligence-gathering methods,
especially those revealed in secret documents leaked by Snowden.
It emerges as a fresh report showed that the NSA taps
massive internal traffic at Google and Yahoo
as emails and other user activity move among international data
centers owned by those companies. Google has
said it is racing to encrypt such internal transmissions, though
the major email service providers tend to have far less security
than specialists such as Lavabit.
Several technology standards-setting groups and cryptography
experts are also working to tighten security procedures and
avoid formulas that were devised with help from the NSA.
Most Internet systems rely to a large extent on the users'
trust of numerous companies, including the makers of the
operating system and hardware, the email providers, and even
advertising networks and tracking firms.
But the Snowden documents show that many of those third
parties can be ordered to snoop in secret on Americans, while
even major American companies can have their communications
intercepted overseas.
U.S. intelligence agencies can read at least everything by
non-Americans that is relevant to international politics, while
many other countries and freelance hackers have no restrictions
and myriad opportunities to penetrate those multilayered and
complex systems.
"It really creates a situation where you can't have a
trusted third party," Levison said. "If they are compromised,
the entire system of trust breaks down."
CUMBERSOME PROTECTION
The issue closest to the front line is secure email. Though
Snowden has said that email sent using cryptography based on the
Pretty Good Privacy standard is fairly safe from prying eyes, it
is too cumbersome for most people.
Lavabit's case shows that even very sophisticated providers
that do the hard work on behalf of the users can't guarantee
protection from court orders. After Levison shut his company
down, at least two other privacy-oriented email services, from
Silent Circle and CryptoSeal, also stopped accepting customers.
Because the U.S. Justice Department's logic in the Lavabit
case would allow it to access all traffic, not just one targeted
user, "if it stands, it will cripple the cloud computing and
software-as-a-service industries in the U.S.," said CryptoSeal
co-founder Ryan Lackey.
That's because the lower court judge directed Lavabit to
hand over the keys to its Secure Sockets Layer encryption, which
would allow the government to see everything that the company
sees.
Lavabit has appealed to the Fourth U.S. Circuit Court of
Appeals in Richmond, Virginia, and last week the American Civil
Liberties Union and the Electronic Frontier Foundation filed
separate friend-of-the-court briefs arguing that exposing
400,000 users to possible surveillance was unreasonably
burdensome, an invasion of privacy, and unconstitutionally
broad.
Though federal authorities have said they would only look at
the data of specific users, privacy advocates are skeptical.
Previous reports based on Snowden documents showed that the NSA
has amassed stockpiles of SSL keys, some of which may have
been obtained in pursuit of one target but remain on hand for
other users of the same service.
In the interview, Levison said he has learned of other
companies being forced to hand over their SSL keys, though he
said none were household names.
INDIVIDUAL SECURITY KEYS
A part of the answer, according to Silent Circle Chief
Technology Officer Jon Callas, is to make sure that only
individual users have their own keys. "That's really the
fundamental thing you have to do," Callas said.
Silent Circle is Lavabit's first partner in the new email
project. Together they will work on the code and the protocols
for implementing it correctly, a process expected to take
months.
There are a number of possibilities for making sure that an
email gets to the right place while keeping most information
about it secret from communications carriers and even the email
providers. One is a system like Tor, where a series of servers
knows only the last one that the email came from and the next
one along the chain.
Callas said the messages themselves could be stored in the
cloud, with only the senders and recipients having access,
though some users might opt to keep them stored on their own
machines. He said the goal was a system that would be nearly as
easy to use as everyday mail programs.
Levison said he expected that Lavabit itself will return as
a provider of support services.
"I don't think the government fully realized the ethical
implication of what they are doing. They are forcing businesses
to spy on their customers," he said. "If the government has
access to everyone's communications, we can become a
totalitarian state overnight."