Lavabit specialized in providing a highly secure, encrypted email service An email provider reportedly used by former NSA contractor Edward Snowden shut down on Thursday, citing an ongoing court battle that it could not discuss.Lavabit, which launched in 2004, specialized in providing a high-security email service that employed advanced encryption. It was designed to thwart the kind of surveillance techniques that Snowden revealed in June were used by the U.S. government.Snowden used a Lavabit email address to invite people to a press conference at Sheremetyevo Airport in Moscow on July 12, according to a report from the international wire service Global Post.Lavabit founder Ladar Levison wrote that he couldn’t describe the legal machinations under way. “As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests,” he wrote in a front-page notice on his website. Levison wrote that Lavabit has “started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.”Kurt Opsahl, senior staff attorney with the Electronic Frontier Foundation, said in an interview that there are many statutes that could be used by the government to prevent Lavabit from describing its legal situation. “What we need here is more transparency to have a real debate around government surveillance powers,” Opsahl said. “It would be great to have Lavabit to be able to participate in a national discussion we are having right now on surveillance powers.”Snowden, who remains in Russia after being granted asylum for one year, is wanted by the U.S. for passing documents to media outlets such as the Guardian and Washington Post that described anti-terrorism surveillance projects conducted by the U.S. National Security Agency (NSA).The documents revealed arrangements with major companies such as Microsoft, Google and Verizon to turn over email and Internet-related data under the Foreign Intelligence Surveillance Act (FISA).Lavabit’s website is largely offline, but Google’s cache still has a copy of its description of how its service worked. Lavabit used three encryption schemes to scramble email based around Elliptical Curve Cryptography (ECC).E-mail is encrypted before it is sent to the company’s servers. The result of the encryption process means that a message is, in theory, cryptographically impossible to read without a password, Lavabit wrote.“We say cryptographically impossibleA because, in theory, an attacker with unlimited computing resources could use brute force to decipher the original message,” according to the description. It appears from the description that Lavabit only retains a Secure Hash Algorithm (SHA) representation of a person’s password. The hash, even if it was obtained by investigators with a court order, would likely not be of use to investigators seeking to decrypt Snowden’s email.Lavabit warned that the encryption’s strength also relies heavily on a secure password selected by a user. Attackers could also intercept a message in transit if SSL (Secure Sockets Layer) encryption is not used for the communication between a user and Lavabit’s servers. Unencrypted messages could also be potentially pulled from a user’s hard drive.“Our goal was to make invading a user’s privacy difficult, by protecting messages at their most vulnerable point,” Lavabit wrote. “That doesn’t mean a dedicated attacker, like the United States government, couldn’t intercept the message in transit or once it reaches your computer.”Levison could not immediately be reached for comment. In closing, he wrote: “This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.” Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk Related content news UK government plans 2,500 new tech recruits by 2025 with focus on cybersecurity New apprenticeships and talent programmes will support recruitment for in-demand roles such as cybersecurity technologists and software developers By Michael Hill Sep 29, 2023 4 mins Education Industry Education Industry Education Industry news UK data regulator orders end to spreadsheet FOI requests after serious data breaches The Information Commissioner’s Office says alternative approaches should be used to publish freedom of information data to mitigate risks to personal information By Michael Hill Sep 29, 2023 3 mins Government Cybercrime Data and Information Security feature Cybersecurity startups to watch for in 2023 These startups are jumping in where most established security vendors have yet to go. By CSO Staff Sep 29, 2023 19 mins CSO and CISO Security news analysis Companies are already feeling the pressure from upcoming US SEC cyber rules New Securities and Exchange Commission cyber incident reporting rules don't kick in until December, but experts say they highlight the need for greater collaboration between CISOs and the C-suite By Cynthia Brumfield Sep 28, 2023 6 mins Regulation Data Breach Financial Services Industry Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe