The Snowden leaks demonstrated that major internet companies share user data with law enforcement. What about smaller companies? Let’s look back and remember what happened to Lavabit.
In July 2013, when Edward Snowden was stuck in the Moscow Airport, he used the email address Ed_Snowden@lavabit.com to arrange a press conference. His email was hosted by a small, privacy focused company called Lavabit.
The service that Lavabit provided was secure email. Incoming email was automatically encrypted when it was received with the end-user’s private key, and incoming email wasn’t logged before encryption. That’s what the website said, and that’s what users were paying for.
On August 8th, Lavabit suspended its operations and ceased to provide email service. They wouldn’t re-open until 2017.
The owner of Lavabit, Ladar Levison, said he couldn’t explain why he had shut down the service due to a legal gag order.
Later, we found out what happened.
Levison had received a National Security Letter from the FBI demanding that he cooperate with an investigation, most likely about Snowden. NSLs are administrative subpoenas that the FBI can issue without a warrant or any judicial oversight at all in relation to national security cases. As shown in this case, they can also come with gag orders that prohibit the recipient from talking about them.
Levison was apparently willing to help out and provide information about the specific customer named in the order - if it was Snowden, he was going to be prepared for that to happen - but that’s not what the FBI wanted. They got a court order demanding that the Lavabit private TLS keys be handed over, which would have allowed them to capture all email traffic for all 400,000 Lavabit users.
Since the whole point of Lavabit was not allowing user emails to be intercepted, Levison shut down the service.
Lavabit relaunched in 2017 with a new end-to-end encrypted mail protocol. I haven’t really looked into whether it’s any good, but there’s no way to make it both secure and compatible with standard email.
It’s not just Lavabit either. The recent thing with Protonmail in Switzerland providing IP addresses to police so they could arrest a climate activist is exactly the same issue.
The original Lavabit service was based on trust. Levison and any other Lavabit employees had the power to intercept emails at any time, but promised not to.
That promise was impossible to keep while still running the service.
A less principled business owner, or the owner of a business that wasn’t so completely based on a security promise, probably wouldn’t have shut down the business. They simply would have complied with the order and not talked about it.
So where does that leave us?
- Big internet companies provide direct access to user data for law enforcement.
- Small internet companies can be legally ordered to do the same thing at any time. They won’t even be able to talk about it.
That means that data sent to a service provider should be considered interceptable. Remember that most proprietary software has a universal backdoor, and can be updated to break features like end-to-end encryption at any time. Remember that metadata is no less valuable than data.