Snowden Endorses Lavabit: Encryption Service Relaunches With Modified Cybersecurity Features After Shutting Down To Protect Privacy Of Users in 2013
Edward Snowden, the former National Security Agency (NSA) contractor who is currently in exile in Russia for leaking classified information, has endorsed the relaunch of Lavabit, an encrypted email service that chose to shut down rather than comply with an order from authorities that Lavabit believed could compromise the private data of its users, a report said Friday.
Lavabit had 410,000 accounts in September 2013, when it shut down after being confronted by federal law enforcement authorities in pursuit of Snowden. Although the authorities claimed that they were after Snowden’s account, allowing them access to the service’s SSL encryption key could jeopardize the credentials of other users as well.
“The SSL key was our biggest threat,” Ladar Levison, the founder of Lavabit, explained to the Intercept prior to the relaunch of the encryption service. The service has been modified with several privacy-enhancing features, such as the Dark Internet Mail Environment (DIME) standard, which obscures the metadata on emails to prevent intelligence agencies from snooping on users' emails.
Information present in the “to,” “from,” and “subject” lines of emails can be used by law enforcement and intelligence agencies such as the NSA and CIA to gather more information about the user through an analysis of the metadata. However, the Dark Mail architecture, modeled on Tor (The Onion Router), can obscure this metadata. Upon launch, new and old Lavabit users and customers will have three modes to choose from: Trustful, Cautious and Paranoid.
“This is the first step in a very long journey. ... What we’re hoping for is that by the end of this year we’ll be more secure than any of the other encrypted messaging apps out there on the market,” Levison added, while alluding to plans to roll out end-to-end encryption later this year.
He clarified that until the new end-to-end encryption is rolled out, the company has made temporary arrangements so that they will no longer be able to hand over the SSL key.
“We have installed FIPS 140-2 hardware security modules which allow us to use a TLS key without having to access it directly. Any attempt to extract the key will trigger a tamper circuit causing the key to self-destruct. The only account capable of extracting the key is the HSM supervisor. To prevent this we set the passphrase blindly thus locking us out,” the company explained.
Speaking to the Intercept, exiled whistleblower Snowden said that he plans on reactivating his Lavabit account after it relaunches, “if only to show support for their courage.” Snowden, however, did not comment on Lavabit's modified security features.
Snowden said Lavabit appeals to him because it has “a proven willingness to shut down the company rather than sell out their users, even if a court makes the wrong call. ... That’s actually a very big deal: They might be the only ones in the world that can claim that.”
Snowden may not be entirely correct in this claim, though. Following the gag order on Lavabit, Silent Circle, another similar encrypted email, mobile video and voice service provider that was also served with government orders, permanently erased the encryption keys that allowed access to emails stored or transmitted by its service and shut down its encrypted email services.