Secure email services went dark because email is 'broken'

Silent Circle, the Maryland-based secure communications company, on Aug. 8 shut down its "secure" email service, less than 24 hours after encrypted email provider Lavabit shut its doors apparently as a result of the Edward Snowden case.

The problem is that no email service really is secure, said Silent Circle CEO Mike Janke. “The fundamentals of email are broken, and we just couldn’t continue with this,” he said.

Even when the contents of an email are encrypted, the metadata generated in email protocols remain vulnerable to security breaches and government action, both here and abroad. This could put Silent Circle’s U.S. government customers at risk overseas, he said.

“This data was obviously going to be a target for somebody,” Janke said. “We just didn’t have any choice.”

The company did not release the number of its email customers, but Janke said Silent Circle is on track to have between 2 million and 3 million customers total by the end of the year. Only 35 percent of its business is in North America and its customers include U.S. government agencies as well as governments in eight foreign countries, Janke said. He said that most government and corporate customers did not use the email service because the other peer-to-peer services are more secure.

In a statement on its website, the company said it saw “the writing on the wall” when Lavabit shut down its service earlier in the day. Lavabit posted a statement on its site saying that it was shutting down to avoid becoming complicit “in crimes against the American people.” The statement does not specify details other than to say it would “continue to fight for the Constitution in the Fourth Circuit Court of Appeals.”

This is an apparent reference to a Foreign Intelligence Surveillance Act court subpoena and gag order related to the case of accused NSA leaker Edward Snowden, who was known to have had a Lavabit email account.

Silent Circle told its customers that “we have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.”

But the issue is greater than the use of secret court orders by the United States, Janke said. The fundamental insecurity of email makes it vulnerable to legal action in other countries as well, which potentially could expose information about Silent Circle’s U.S. government customers to foreign governments.

“We had to look at it from a global view,” Janke said. “We are an off-shore company with data centers in Canada and Switzerland,” and foreign subpoenas could be served there.

“It would be uncertain how the matter of jurisdiction would work out,” said Philip Zimmermann, the company’s president and creator of PGP (Pretty Good Privacy), the widely used email encryption software.

Unable to provide assurances for the security of email data, the company decided to shut down Silent Mail at 9 p.m. Aug. 8. The company’s flagship services, Silent Phone, Silent Text and Silent Eyes for encrypted smartphone voice, text and video communications, continue to operate because they are peer-to-peer services that do not generate vulnerable metadata.

While two encrypted email services in the United States are closing down, two Internet service providers in Germany have announced they will begin automatically encrypting all email traffic as of Aug. 9, apparently in response to revelations of U.S. snooping.

“Germans are deeply unsettled by the latest reports on the potential interception of communication data,” Deutsche Telekom CEO René Obermann said in a statement. “Our initiative is designed to counteract this concern and make email communication throughout Germany more secure in general. Protection of the private sphere is a valuable commodity.”

Deutsche Telekom and United Internet will encrypt emails automatically without effort from users and data will be stored in secure data centers in Germany.

Janke said the decision to shut down Silent Mail was made easier by the fact that it had been intended only as a temporary stop-gap until a more secure service could be developed. Silent Circle expects to launch a more secure peer-to-peer email application later this year. Janke said the company’s Secure Text service already is a viable alternative to email because it allows users to securely send files of up to 120 megabits.

Reader Comments

Tue, Aug 13, 2013 JohnA2

I understood their business decision even though I disagreed with it. I don't think I will ever understand how little they thought of their customers' data so that they pulled the plug without warning.

Tue, Aug 13, 2013 Concerned Citizen

Frankly, email is NOT "Broken"....the Right to Privacy as well as due process are what has become broken in this, and other countries. Legitimate need to monitor or tap email accounts no longer have to be factually based with a court and judge saying Yay, or Nay...I would imagine there is a windfall of "personal" intelligence data being captured that is of use to someone, more so than actual terrorist traffic. The number of incidents that have actually been stopped is "classified" as well as exaggerated.

Mon, Aug 12, 2013 Freddy Kuman

It would be interesting to see how this Lavabit meltdown relates to non-US based email encryption services such as http://salusafe.com and if we could expect similar abrupt shutdowns of offshore servers?

Mon, Aug 12, 2013 jobardu

This makes me wonder if China has a program and database equivalent to the NSA. They certainly have the capabilities of doing so. It would be curious if the media and European governments attack NSA programs and don't look at those of other countries.
