Secure email services went dark because email is 'broken'
- By William Jackson
- Aug 09, 2013
Silent Circle, the Maryland-based secure communications company, on Aug. 8 shut down its "secure" email service, less than 24 hours after encrypted email provider Lavabit shut its doors apparently as a result of the Edward Snowden case.
The problem is that no email service really is secure, said Silent Circle CEO Mike Janke. “The fundamentals of email are broken, and we just couldn’t continue with this,” he said.
Even when the contents of an email are encrypted, the metadata generated in email protocols remain vulnerable to security breaches and government action, both here and abroad. This could put Silent Circle’s U.S. government customers at risk overseas, he said.
“This data was obviously going to be a target for somebody,” Janke said. “We just didn’t have any choice.”
The company did not release the number of its email customers, but Janke said Silent Circle is on track to have between 2 million and 3 million customers total by the end of the year. Only 35 percent of its business is in North America and its customers include U.S. government agencies as well as governments in eight foreign countries, Janke said. He said that most government and corporate customers did not use the email service because the other peer-to-peer services are more secure.
In a statement on its website, the company said it saw “the writing on the wall” when Lavabit shut down its service earlier in the day. Lavabit posted a statement on its site saying that it was shutting down to avoid becoming complicit “in crimes against the American people.” The statement does not specify details other than to say it would “continue to fight for the Constitution in the Fourth Circuit Court of Appeals.”
This is an apparent reference to a Foreign Intelligence Surveillance Act court subpoena and gag order related to the case of accused NSA leaker Edward Snowden, who was known to have had a Lavabit email account.
Silent Circle told its customers that “we have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.”
But the issue is greater than the use of secret court orders by the United States, Janke said. The fundamental insecurity of email makes it vulnerable to legal action in other countries as well, which potentially could expose information about Silent Circle’s U.S. government customers to foreign governments.
“We had to look at it from a global view,” Janke said. “We are an off-shore company with data centers in Canada and Switzerland,” and foreign subpoenas could be served there.
“It would be uncertain how the matter of jurisdiction would work out,” said Philip Zimmermann, the company’s president and creator of PGP (Pretty Good Privacy), the widely used email encryption software.
Unable to provide assurances for the security of email data, the company decided to shut down Silent Mail at 9 p.m. Aug. 8. The company’s flagship services, Silent Phone, Silent Text and Silent Eyes for encrypted smartphone voice, text and video communications, continue to operate because they are peer-to-peer services that do not generate vulnerable metadata.
While two encrypted email services in the United States are closing down, two Internet service providers in Germany have announced they will begin automatically encrypting all email traffic as of Aug. 9, apparently in response to revelations of U.S. snooping.
“Germans are deeply unsettled by the latest reports on the potential interception of communication data,” Deutsche Telekom CEO René Obermann said in a statement. “Our initiative is designed to counteract this concern and make email communication throughout Germany more secure in general. Protection of the private sphere is a valuable commodity.”
Deutsche Telekom and United Internet will encrypt emails automatically without effort from users and data will be stored in secure data centers in Germany.
Janke said the decision to shut down Silent Mail was made easier by the fact that it had been intended only as a temporary stop-gap until a more secure service could be developed. Silent Circle expects to launch a more secure peer-to-peer email application later this year. Janke said the company’s Secure Text service already is a viable alternative to email because it allows users to securely send files of up to 120 megabits.
William Jackson is a freelance writer and the author of the CyberEye blog.