…from:
http://arstechnica.com/tech-policy/2013/08/ed-snowdens-encrypted-e-mail-service-shuts-down-leaving-cryptic-message/



Ed Snowden’s e-mail service shuts down, leaving cryptic message

Lavabit offered Snowden—and other customers—512-bit security on stored e-mails.

Once it became clear that he was going to be trapped in Moscow's Sheremetyevo Airport for a while, National Security Agency (NSA) leaker Edward Snowden chose to end his isolation by inviting several human rights activists to meet with him in July. The e-mails Snowden sent out to organize that meeting reportedly came from the e-mail address "edsnowden@lavabit.com."

That got Lavabit quite a bit of positive attention from techies concerned about privacy. "Pretty cool features list," observed BoingBoing's Xeni Jardin. "I am sold!" gushed a writer at DailyKos.

Not all the attention may have been positive. Less than a month after Snowden was revealed to have used the service, it has been shut down. The owner of Lavabit, Ladar Levison, has left a cryptic and chilling message stating that he had to walk away from the ten years of work he put into Lavabit, lest he "become complicit in crimes against the American public." Until real reform happens, Levison says he "would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States."

The full message reads:

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on—the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC

Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund here.

Lavabit's deleted website is still available, for now, through Google Cache. The pages show a long list of privacy and anti-spam features. Lavabit emphasized that stored mail was encrypted with public and private keys. The security section read in part:

The secure mail storage process uses asymmetric encryption to ensure the privacy of messages while being stored on the Lavabit servers. Asymmetric encryption is a process that uses public key and private key encryption to make messages unreadable without knowing a user's plaintext password. Presently we use Elliptical Curve Cryptography (ECC) with 512 bits of security to encrypt messages. The private, or decryption, key is then encrypted with a user’s password using the Advanced Encryption Standard (AES) and 256 bits of security. The result is that once a message is stored on our servers in this fashion, it can’t be recovered without knowing a user's password. This provides a priceless level of security, particularly for customers that use e-mail to exchange sensitive information.

It should be noted that ECC has been approved by the NSA for Suite B, meaning the agency thinks it's strong enough for government use.
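
The storage scheme quoted from Lavabit's security page, sketched as an added example (this is not Lavabit's code): mail is encrypted to a per-user elliptic-curve public key, and the private key is stored only in a form wrapped with AES-256 under a key derived from the password. The curve (P-521), the ECDH-plus-SHA-256 message key, scrypt as the password KDF, GCM mode, and every function name are assumptions, since the page names none of them.

```javascript
const crypto = require('crypto');

// Assumptions (not stated on the page): P-521 curve, ECDH + SHA-256 for the
// per-message key, scrypt as password KDF, AES-256-GCM for both layers.
const CURVE = 'secp521r1';

function seal(key, plaintext) {            // output layout: iv || tag || ciphertext
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function unseal(key, blob) {               // throws if the key or the data is wrong
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Account creation: the server keeps the public key and the wrapped private key.
function createAccount(password) {
  const ecdh = crypto.createECDH(CURVE);
  const publicKey = ecdh.generateKeys();
  const salt = crypto.randomBytes(16);
  const kek = crypto.scryptSync(password, salt, 32);   // 256-bit wrapping key
  return { publicKey, salt, wrappedPrivateKey: seal(kek, ecdh.getPrivateKey()) };
}

// Mail arrival: only the public key is needed, so no password is involved.
function storeMessage(account, text) {
  const eph = crypto.createECDH(CURVE);
  const ephemeralPublic = eph.generateKeys();
  const shared = eph.computeSecret(account.publicKey);
  const key = crypto.createHash('sha256').update(shared).digest();
  return { ephemeralPublic, body: seal(key, Buffer.from(text, 'utf8')) };
}

// Mail retrieval: the password unwraps the private key, which recovers the message key.
function readMessage(account, password, stored) {
  const kek = crypto.scryptSync(password, account.salt, 32);
  const ecdh = crypto.createECDH(CURVE);
  ecdh.setPrivateKey(unseal(kek, account.wrappedPrivateKey));
  const shared = ecdh.computeSecret(stored.ephemeralPublic);
  const key = crypto.createHash('sha256').update(shared).digest();
  return unseal(key, stored.body).toString('utf8');
}

const demo = createAccount('constructed-password'); // constructed sample values
console.log(readMessage(demo, 'constructed-password', storeMessage(demo, 'hello')));
```

In this sketch the stored record holds no key that opens the mail on its own, but the password has to be present in server memory each time a message is read.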