Snowden’s email provider, Lavabit, shutters citing legal pressure

An email provider reportedly used by former NSA contractor Edward Snowden shut down on Thursday, citing an ongoing court battle that it could not discuss.

Lavabit, which launched in 2004, specialized in providing a high-security email service that employed advanced encryption. It was designed to thwart the kind of surveillance techniques that Snowden revealed in June were used by the U.S. government.

Snowden used a Lavabit email address to invite people to a press conference at Sheremetyevo Airport in Moscow on July 12, according to a report from the international wire service Global Post.

Lavabit founder Ladar Levison wrote that he couldn’t describe the legal machinations under way. “As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests,” he wrote in a front-page notice on his website.

Levison wrote that Lavabit has “started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.”

Kurt Opsahl, senior staff attorney with the Electronic Frontier Foundation, said in an interview that there are many statutes that could be used by the government to prevent Lavabit from describing its legal situation.

“What we need here is more transparency to have a real debate around government surveillance powers,” Opsahl said. “It would be great to have Lavabit to be able to participate in a national discussion we are having right now on surveillance powers.”

Snowden, who remains in Russia after being granted asylum for one year, is wanted by the U.S. for passing documents to media outlets such as the Guardian and Washington Post that described anti-terrorism surveillance projects conducted by the U.S. National Security Agency (NSA).

The documents revealed arrangements with major companies such as Microsoft, Google and Verizon to turn over email and Internet-related data under the Foreign Intelligence Surveillance Act (FISA).

Lavabit’s website is largely offline, but Google’s cache still has a copy of its description of how its service worked. Lavabit used three encryption schemes to scramble email based around Elliptical Curve Cryptography (ECC).

E-mail is encrypted before it is sent to the company’s servers. The result of the encryption process means that a message is, in theory, cryptographically impossible to read without a password, Lavabit wrote.

“We say cryptographically impossibleA because, in theory, an attacker with unlimited computing resources could use brute force to decipher the original message,” according to the description.

It appears from the description that Lavabit only retains a Secure Hash Algorithm (SHA) representation of a person’s password. The hash, even if it was obtained by investigators with a court order, would likely not be of use to investigators seeking to decrypt Snowden’s email.

Lavabit warned that the encryption’s strength also relies heavily on a secure password selected by a user. Attackers could also intercept a message in transit if SSL (Secure Sockets Layer) encryption is not used for the communication between a user and Lavabit’s servers. Unencrypted messages could also be potentially pulled from a user’s hard drive.

“Our goal was to make invading a user’s privacy difficult, by protecting messages at their most vulnerable point,” Lavabit wrote. “That doesn’t mean a dedicated attacker, like the United States government, couldn’t intercept the message in transit or once it reaches your computer.”

Levison could not immediately be reached for comment. In closing, he wrote: “This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk