Not so secure email …

I’ve been following the Edward Snowden saga, along with the revelations from Snowden and the NSA, with great interest. I have conflicting concerns over this: I believe we have a fundamental right not to have our privacy invaded by the government, yet government entities have a very real need for access to data to help protect the safety of their citizenry.

Last October, I wrote a post about Wickr, a service provider that provides a very secure method for messaging. The concept is that messages between you and your recipient are highly encrypted using keys not available to the service provider, and the messages are then completely destroyed after receipt to ensure confidentiality. There are a few other services that have been providing secure messaging, including secure email. Two secure email providers that have been in the news lately are Lavabit and Silent Circle. Lavabit obtained notoriety by being the email provider that Edward Snowden used to securely email his revelations to the press. Both differ from Wickr in that they encrypt the messages but not the metadata, since email protocols require unencrypted metadata to be able to deliver the message (see the GLOSSARY for a definition of metadata). Wickr uses proprietary instant messaging protocols where the messages only reside for short periods of time on their servers and are fully encrypted. Most importantly, Wickr doesn’t have the encryption keys.
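An added illustration of the metadata point above (not code from this post or from any of the providers named): assuming the sender encrypts the body with OpenPGP before sending, it shows which fields anyone holding the stored message can still read, and the contact graph those fields yield. All addresses, subjects, dates and the armored body are constructed.

```python
from collections import Counter
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

PGP_BODY = (  # constructed armored block, not real ciphertext
    "-----BEGIN PGP MESSAGE-----\n\n"
    "Y29uc3RydWN0ZWQgc2FtcGxlIGJvZHk=\n=AAAA\n"
    "-----END PGP MESSAGE-----\n"
)

def make_raw(sender, rcpts, subject, date):
    """Build a constructed RFC 5322 message as a provider would store it."""
    return (
        f"From: {sender}\nTo: {', '.join(rcpts)}\nSubject: {subject}\n"
        f"Date: {date}\nContent-Type: text/plain\n\n{PGP_BODY}"
    )

# Constructed mailbox: addresses, subjects and dates are made up.
MAILBOX = [
    make_raw("alice@sender.example", ["bob@advisor.example"],
             "Q2 financials", "Thu, 08 Aug 2013 14:02:05 -0400"),
    make_raw("bob@advisor.example", ["alice@sender.example"],
             "Re: Q2 financials", "Thu, 08 Aug 2013 15:40:00 -0400"),
    make_raw("alice@sender.example", ["bob@advisor.example", "carol@bank.example"],
             "Wire details", "Fri, 09 Aug 2013 09:15:30 -0400"),
]

def provider_view(raw):
    """Return what is readable without any decryption key."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    rcpts = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {
        "from": getaddresses(msg.get_all("From", []))[0][1],
        "to": [addr for _, addr in rcpts],
        "subject": msg["Subject"],  # headers travel outside the encrypted body
        "sent": parsedate_to_datetime(msg["Date"]).isoformat(),
        "body_readable": "BEGIN PGP MESSAGE" not in body,
    }

def contact_graph(raws):
    """Count sender -> recipient edges using headers alone."""
    edges = Counter()
    for view in map(provider_view, raws):
        for rcpt in view["to"]:
            edges[(view["from"], rcpt)] += 1
    return edges

if __name__ == "__main__":
    for view in map(provider_view, MAILBOX):
        print(view)
    print(contact_graph(MAILBOX).most_common())
```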

Both Lavabit and Silent Circle shut down their encrypted email services due to the fallout from the Snowden revelations. Lavabit has simply stopped operations and has posted the following on its website:

My Fellow Users,

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on–the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC

Reading between the lines, it appears that Lavabit was legally compelled to turn over data and metadata on their servers to the US Government in the Snowden matter, and because of this Levison believes that the service isn’t viable any longer. Silent Circle shut down its secure email service to avoid getting into a similar no-win position with the US Government. Note: Silent Circle continues other secure messaging services, which have attributes similar to the Wickr service.

What’s unfortunate in this situation is that the US Government isn’t the only entity one might want to shield email content from. The bigger concern that I would have is someone wanting to do me, my family and/or friends harm by intercepting my email. The fact remains that almost all governments have the power to compel data and metadata to be provided in civil, criminal and national security situations. The problem is whether governments overreach in their access to this data, but that is a much bigger issue than this particular one. Also, even if your service provider can’t deliver unencrypted data to a government entity, you can be compelled to deliver the unencrypted data or the encryption keys.

So, what to do?

  • Assume that emails are not totally secure even if encrypted. Encrypting sensitive emails is still valuable, but its value, like a lot of things, is a matter of degree. If you hold the keys, then it’s just the metadata that’s unencrypted. Passing financials between you and your financial guy is still a valuable use of encryption even if the government knows you’re doing it.
  • Keep these types of issues in perspective. I’m less alarmed about government access to metadata because I believe that they are looking for patterns that simply shouldn’t be impacting me and mine. That said, I am concerned about the erosion of our Fourth Amendment rights in our zeal to solve crimes and to thwart terrorism. Technology has made it very easy to collect and data mine all sorts of data about the population. Think about local governments capturing and storing license plate data.
  • Don’t let this particular issue mask what I think is the more pervasive privacy issue, which is the privacy we’ve gleefully traded for features in our technical infrastructure. BTW: The data from those features are also subject to subpoena. So, you’ve already provided much more data than who you’ve messaged, such as where you’ve been. The fact is that government use of this data is restricted by law, while business use of this data has little to no restriction.
  • Don’t put into the Cloud any data that you wouldn’t be OK with the Government having access to. Assume that if some government entity wants a slice of your data, they will be able to get it. For general protection, never put any sensitive data into the Cloud unless it is encrypted by you and you hold the encryption keys.

The last item is the most troubling in general.  The best method to safeguard from general governmental searches (and other unauthorized access) is to not have the data stored in Cloud servers.   Unfortunately, the Cloud is rapidly becoming the de facto method for storing our digital lives.  Something to think about …

Finally, as I mentioned in a previous post, make the Electronic Frontier Foundation website one of the sites you periodically look at.  I discussed these very threats to Internet freedoms last year in this post.  The EFF is in the forefront in fighting for our digital rights.

2 Comments

  1. freddy kuman

    It would be interesting to know how this relates to non-US based email encryption services such as http://salusafe.com and if we could expect similar abrupt shutdowns of offshore servers?

  2. I suspect for now, they will continue on. However, what this episode has shed light on are the limitations of email security. This is a good thing, since folks need to understand these boundaries.

    The other interesting point is exactly that … non-US services will fill the gap. That’s the fluidity of the Net. However, the US isn’t the only country that can compel disclosure of data and metadata.

    Thanks for your comment
