Lavaboom on security snake oil buzzwords: Don't say any email service is NSA-proof

German-based Lavaboom, a good-for-privacy email contender, took issue with services being described with buzzwords like NSA-proof, self-destructing and location-based security.


Different people react differently to specific phrases or buzzwords. For example, anyone arguing against privacy with the “nothing to hide” argument used to really trigger my temper. Some of these buzzwords are born in an attempt to explain otherwise complex ideas like encryption, but a good-for-privacy email contender took issue with the “completely unverifiable” buzzword “NSA-proof.”

German-based Lavaboom was founded in 2014, promising to implement end-to-end encryption for “zero-knowledge” privacy and three-way authentication if you pay for the secure email service. In light of the Snowden leaks highlighting NSA surveillance, and inspired by, but not connected to Lavabit, Lavaboom’s mission is to provide “easy to use encrypted email,” so that “three billion people” will have “an opportunity to once again have truly private conversations.”

The freebie option has a 250 MB mailbox limit and two-factor authentication, but you can’t use Lavaboom yet. You can sign up for beta access. If you are like me, you’ve been on that list for months and months now.

The buzzword “NSA-proof” has been used to describe Lavaboom, and more recently Swiss-based ProtonMail; it was used again when German-based crypto-experts launched Tutanota. “With encryption becoming mainstream, journalists now have the hard job of simplifying some very complex concepts,” explained Lavaboom. But when it comes to being NSA-proof… “If Barack Obama considers you a terrorist, it's likely you will be hacked.”

The Lavaboom blog went on to add:

For the record: Lavaboom is not NSA-proof. PGP encryption has not knowingly been beaten, but if you’re a terrorist, Lavaboom is the wrong service for you. Phil Zimmermann (inventor of PGP encryption) said about Blackphone: “If someone tells you that it’ll protect you from the NSA, I’ll fire them.”

Lavaboom didn’t stop there either, explaining what some of these buzzwords really mean. Next, Lavaboom took on the phrase "self-destructing."

“Anyone promising totally self-destructing content is offering the impossible. Trust us, apps that offer 'self-destructing' pics are hackable and those 'snaps' you sent? Yeah…”

While that has proven to be true for Snapchat, I’m still a fan of Wickr, which “forensically wipes” messages and media after they expire, aka self-destructing messages.

It’s not difficult to understand Lavaboom’s point; after all, there are tons of people out there promising privacy and otherwise selling security snake oil.

When it comes to location-based security, Lavaboom pointed out that Germany has better privacy laws than the U.S., “but no matter where a security company is based, it is still subject to a very complicated legal framework. The U.S. can still send their citizens subpoenas even if they live in Switzerland.”

If someone is promising military-grade encryption, then Lavaboom suggests asking “which military?” When it comes to claims that “even our admins can’t read your emails”:

This is a complicated one. Let’s say you give someone an email you’ve encrypted yourself (this is what happens with Lavaboom), then the other person can’t decrypt it / read it. But what if you don’t encrypt your email yourself, or never even see your encryption keys and the admin encrypts it? Then the admin has the ability to decrypt it. That’s why Gmail telling us that our emails are encrypted end-to-end doesn’t mean a whole lot for privacy - they still read our emails.

Why not sign up for Lavaboom, ProtonMail and even try out Tutanota? If you want more info about Lavaboom, you should read the FAQs and browse the blog; also, Cryptocoin news and Freedom Hacker both had good interviews to help explain the end-to-end encrypted mail service.

Copyright © 2014 IDG Communications, Inc.
