Lavabit: The Latest Dead Canary in the Privacy Coal Mine

Many of you probably had never even heard of Lavabit until recently. In case you don’t know, its story is just the latest in a long string of incidents that show how dangerous it is to keep your personal or business digital presence within the reach of the US government.

As you will see in the article below, Lavabit heroically fell on its own sword, choosing to close down its profitable and growing business rather than submit to the dictates of the American government and compromise its clients’ privacy. We can only hope that Lavabit’s stand for civil liberties in the face of the leviathan’s onslaught will inspire others.

I am not holding my breath though.

Thanks in part to the Snowden revelations, we now know that the US has traveled much further down the road to becoming a complete Orwellian surveillance state than many had initially feared. This trend is unfortunately not going to reverse itself anytime soon; the US will remain an unfriendly digital jurisdiction for the foreseeable future.

Instead, the only rational and prudent course of action for a business or individual to take is to move their digital presence to friendlier shores.

The effects are already starting to be felt. The WSJ recently cited a study stating that the IT service industry in the US could lose up to $180 billion in business to non-US companies because of fear of the NSA’s privacy-killing shenanigans.

Now I’ll turn it over to IM correspondent and digital diversification expert Kyle Gonzales for more details on this story.




Nick Giambruno, Editor

Lavabit: The Latest Dead Canary in the Privacy Coal Mine

Last Thursday I received emails from a number of people alerting me that Lavabit, a US-based privacy-conscious email provider, was shutting down. Lavabit had a recently famous (or infamous) customer in one Edward Snowden. Ladar Levison, the owner of Lavabit, could not legally explain the reason he was shutting down beyond saying that he had a choice:

"… to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit."

The speculation is that Levison was prevented from speaking on the matter due to pending legal action and by the use of a National Security Letter (NSL) from the US government.

Lavabit's 350,000 customers are now without access to their email accounts and the emails stored within.

Then Silent Mail Goes Silent

Shortly after Levison posted that Lavabit was shutting down due to his legal troubles with the US government, Silent Circle posted that they would be discontinuing their Silent Mail service. In the blog post, Silent Circle CTO Jon Callas posted a number of reasons why they made this decision:

“Email that uses standard Internet protocols cannot have the same security guarantees that real-time communications has. There are far too many leaks of information and metadata intrinsically in the email protocols themselves. Email as we know it with SMTP, POP3, and IMAP cannot be secure.”

I have a huge amount of respect for the decisions of a man with a resume like Mr. Callas. However, to me, the primary reason why Silent Mail is being discontinued is clear as day—their address:

US Headquarters
Silent Circle
120 Waterfront Street
Suite 420
National Harbor, MD 20745

Having a physical presence in the US puts Silent Circle clearly within the crosshairs of the US government, even if the email was not stored in the US. Rather than risk their customers' email to the whims of the US government, they chose to shut down their Silent Mail email service.

Now the thousands of Silent Circle customers are left looking for another email solution.

Lavabit Wasn't the First, and It Won't Be the Last

This is not the first time the US government has used an NSL to compel a US-based internet service provider to violate its customers' privacy and then forbid it to speak on the matter.

Nicholas Merrill, former operator of Calyx, was also presented with an NSL in 2004 to turn over data on his customers. Merrill chose to fight the gag order portion of the NSL in court but was prevented from discussing the situation for 6 years. Interestingly, Merrill noted that during his case, the use of National Security Letters was twice ruled as being unconstitutional. The Supreme Court would never rule on the matter to make it binding in all US court districts. Therefore the NSLs continue to be issued.

A similar gag order was used in 2010 with Pete Ashdown, CEO of a small Utah-based ISP called XMission. He was issued a Foreign Intelligence Surveillance Act (FISA) warrant to install surveillance equipment to monitor one of his customers. The warrant allowed him to talk about the technical aspects of what the FBI and NSA required him to do but not about who or what was being monitored. The gag order extends indefinitely. Ashdown noted that since the FISA is not a public court, it's impossible to fight a warrant request.

NSA Makes Large Companies Comply As Well… Or Else

Not cooperating with the US government's domestic spying programs causes pain for large companies as well. In February 2001, Qwest CEO Joseph Nacchio refused to allow his company to cooperate with the NSA’s newest surveillance program. Nacchio was concerned about the legal implications for Qwest of participating in a dodgy NSA program.

What did Qwest and Nacchio get for taking their stand? According to Nacchio’s lawyers, Qwest lost out on a number of large government contracts, which contributed to their financial downfall. Qwest no longer exists, having merged with CenturyLink. Nacchio went to jail for insider trading.

Now we know why AT&T asked for immunity in participating in these NSA programs… immunity that the Supreme Court did not overturn.

Strong Advice from Levison

Lavabit's Levison was able to share this very strong and direct piece of advice in the open letter to his customers:

"This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States."

Here's the point: Private data stored with a company which is US-based and/or has servers based in the US does not have strong legal or privacy protection. The US government can force that company to turn over its customer data while also preventing it from talking about it. Levison took a huge personal and legal risk in even posting what he did.

Are you still entrusting your private data to a US-based company or a company with servers based in the US? If you are but you value your privacy, you need to move your data elsewhere. Otherwise, that company might be compelled to violate your privacy and give up your data to the US government. And they may never be able to tell you about it.

About the Author: Kyle Gonzales is a self-taught, self-made business professional with 14 years of experience in the IT industry. Over that time, he has assumed leadership positions ranging from corporate networking to technical sales. He launched JumpShip Services, a firm that offers "multi-flagged" and offshore internet solutions that offer enhanced security, privacy, and peace of mind for your digital communications.
