In 2013, Ladar Levison, founder of the encrypted email service Lavabit, took the defiant step of shutting down the company’s service rather than comply with a federal law enforcement request that could compromise its customers’ communications.
The FBI had sought access to the email account of one of Lavabit’s most prominent users — Edward Snowden. Levison had custody of his service’s SSL encryption key that could help the government obtain Snowden’s password. And though the feds insisted they were only after Snowden’s account, the key would have helped them obtain the credentials for other users as well.
Lavabit had 410,000 user accounts at the time.
Rather than undermine the trust and privacy of his users, Levison ended the company’s email service entirely, preventing the feds from getting access to emails stored on his servers. But the company’s users lost access to their accounts as well.
Levison, who became a hero of the privacy community for his tough stance, has spent the last three years trying to ensure he’ll never have to help the feds break into customer accounts again.
“The SSL key was our biggest threat,” he says.
On Friday, he’s relaunching Lavabit with a new architecture that fixes the SSL problem and includes other privacy-enhancing features as well, such as one that obscures the metadata on emails to prevent government agencies like the NSA and FBI from being able to find out with whom Lavabit users communicate. He’s also announcing plans to roll out end-to-end encryption later this year, which would give users an even more secure way to send email.
The new service addresses what has become a major fault line between tech companies and the government: the ability to demand backdoor access to customer data. Last year when the FBI sought access to an iPhone used by the San Bernardino shooter, Apple couldn’t get into the phone because the security scheme the company built into the device prevented it from unlocking the phone without the shooter’s password. (Eventually, the FBI found another way to access the phone’s data, ending the dispute with Apple.)
“This is the first step in a very long journey,” Levison told The Intercept prior to the re-launch. “What we’re hoping for is that by the end of this year we’ll be more secure than any of the other encrypted messaging apps out there on the market.”
A number of encryption services and apps make this claim, but Lavabit has a particular claim to fame: It was an encrypted email service that Snowden used before the shutdown.
Snowden told The Intercept that he plans on reactivating his Lavabit account once it relaunches, “if only to show support for their courage.” But he says he can’t speak for the security of the revamped Lavabit before the service is available.
Today’s launch is only for existing users to reinstate their old accounts under the new architecture so they will work with the end-to-end encryption client software when it’s rolled out. Lavabit is asking account holders to log in over IMAP or POP, so their encrypted passwords, usernames, and keys can be regenerated under the new architecture.
Although Lavabit has some 50 million encrypted email messages on its servers belonging to these users, account holders won’t be able to access their old correspondence. Levison isn’t sure whether Lavabit will migrate old emails to the new platform, since they’re stored in a different data format.
With the new architecture, Lavabit will no longer be able to hand over its SSL key, because the key is now stored in a hardware security module — a tamper-resistant device that provides a secure enclave for storing keys and performing sensitive functions, like encryption and decryption. Lavabit generates a long passphrase blindly so the company doesn’t know what it is; Lavabit then inserts the key into the device and destroys the passphrase.
“Once it’s in there we cannot pull that SSL key back out,” says Sean, a Lavabit developer who asked to be identified only by his first name. (Many of Lavabit’s coders and engineers are volunteers who work for employers who might not like them helping build a system that thwarts government surveillance.)
If anyone does try to extract the key, it will trigger a mechanism that causes the key to self-destruct.
The hardware security module is a temporary solution, however, until end-to-end encryption is available, which will encrypt email on the user’s device and make the SSL encryption less critical.
Once Lavabit becomes open to new users, customers will have three modes of service to choose from: Trustful, Cautious, and Paranoid.
Trustful is aimed at people who don’t have a lot of risk and want ease of use. It works a lot like the old Lavabit, where the email encryption is done on Lavabit’s server.
Users have to trust that Lavabit has designed the system so the company can’t obtain their password and see their communications. For many, Levison’s decision to shut down his business to defy the feds is enough to earn their trust. But Levison and his team have made the code for their server open source, so users can see how it’s designed and verify the architecture prevents the company from learning their passwords.
If someone doesn’t want Lavabit running the server, they can also download the open-source software and install it on a server of their own.
“What other encrypted messaging system allows you to download the server and use it yourself?” Levison asks.
For people who don’t want to trust Lavabit and don’t want to run their own server, Cautious mode will offer end-to-end encryption. This moves encryption off the server and onto the user’s device. It’s designed for people who want more security and the ability to easily use their account on multiple devices, such as a phone, laptop, and desktop computer.
The user installs Lavabit client software on his or her device to generate an encryption key. That key is encrypted using a passphrase the user chooses and is sent to Lavabit where it’s stored. Lavabit can’t access and decrypt it; only the client software on the user’s device can. If the user installs the client software on another device, the client will obtain the encryption key from Lavabit’s server and the user will unlock it with his or her passphrase and import it into the client software, which will use the key to encrypt the user’s email.
Some people who want more security — like activists, journalists, and whistleblowers — might balk at having their key stored on a third-party server. That’s where Paranoid mode comes in. The key for doing end-to-end encryption remains on the user’s device and never goes to Lavabit’s server. But to use another device, the user has to manually move the key to it. And there’s no way to recover the key if the user loses it or deletes it.
All three modes will use another new architecture feature called Dark Mail to obscure email metadata.
Metadata is the transaction data that includes the “to,” “from,” and “subject” lines. It’s generally not encrypted, even when email content is. Spy and law enforcement agencies can draw connections between people and derive information about someone from metadata.
Dark Mail obscures metadata using a design modeled on Tor — the Onion Router. The metadata is encrypted, and the sender’s ISP knows which account is sending the email but not the destination account, only the destination domain. When it reaches that domain, the server there decrypts the “to” field of the email to deliver it to the right account. The destination domain doesn’t know the account that sent the email, only the domain from which it came.
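The two mechanisms just described, the Cautious-mode key handling (the key is generated on the device, wrapped under the user's passphrase, and only the wrapped blob reaches Lavabit's server) and the Dark Mail layering (each hop can read only the address field it needs), can be modelled in a short script. The following is an added example written for this page; it is not Lavabit's or Dark Mail's code and assumes nothing about their formats. It uses only the Python standard library, so an HMAC-SHA256 counter-mode cipher with a separate MAC stands in for a real AEAD, the per-domain and per-user keys are constructed symmetric keys standing in for published public keys, and all function names and sample addresses are this example's own.

```python
import hashlib
import hmac
import os

# --- Minimal encrypt-then-MAC cipher (assumption: stands in for a real AEAD such as AES-GCM) ---

def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys so the two HMAC uses never collide.
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range(0, length, 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; only a holder of key can read or verify it."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting: a wrong key or a tampered blob raises, never returns garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))

# --- Cautious mode: the mail key is generated on the device and stored server-side only in wrapped form ---

def kek_from_passphrase(passphrase: str, salt: bytes) -> bytes:
    # scrypt is memory-hard, so a server holding the wrapped key cannot cheaply guess passphrases.
    # (Falls back to PBKDF2 on Python builds whose OpenSSL lacks scrypt.)
    if hasattr(hashlib, "scrypt"):
        return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)

def client_enroll(passphrase: str) -> tuple:
    """First device: returns (mail_key kept locally, opaque blob uploaded to the server)."""
    mail_key = os.urandom(32)
    salt = os.urandom(16)
    blob = salt + seal(kek_from_passphrase(passphrase, salt), mail_key)
    return mail_key, blob

def client_recover(passphrase: str, blob: bytes) -> bytes:
    """Second device: fetches the blob from the server and unwraps it with the passphrase."""
    salt, wrapped = blob[:16], blob[16:]
    return unseal(kek_from_passphrase(passphrase, salt), wrapped)

# --- Dark Mail style envelope: each hop peels only the layer addressed to it ---
# Assumption: domain_keys / user_keys stand in for the destination domain's and the
# recipient's published keys; the toy cipher is symmetric, so both sides share them here.

def build_envelope(sender: str, recipient: str, body: bytes, domain_keys: dict, user_keys: dict) -> dict:
    dest_domain = recipient.split("@")[1]
    # Inner layer: only the recipient's own key reveals who wrote the mail and what it says.
    inner = seal(user_keys[recipient], sender.encode() + b"\n" + body)
    # Outer layer: only the destination domain's key reveals which account to deliver to.
    outer = seal(domain_keys[dest_domain], recipient.encode() + b"\n" + inner)
    # The cleartext header carries routing domains only; no account names appear in it.
    return {"from_domain": sender.split("@")[1], "to_domain": dest_domain, "payload": outer}

def destination_server_view(env: dict, domain_key: bytes) -> dict:
    """What the destination domain learns: the local recipient, but not the sending account."""
    recipient, _, inner = unseal(domain_key, env["payload"]).partition(b"\n")
    return {"from_domain": env["from_domain"], "recipient_account": recipient.decode(), "inner": inner}

def recipient_view(inner: bytes, user_key: bytes) -> dict:
    """What the recipient's client learns once it peels the last layer."""
    sender, _, body = unseal(user_key, inner).partition(b"\n")
    return {"sender_account": sender.decode(), "body": body}

if __name__ == "__main__":
    # Constructed sample: one passphrase shared across two devices.
    mail_key, blob = client_enroll("correct horse battery staple")
    assert client_recover("correct horse battery staple", blob) == mail_key
    # Constructed sample keys for one destination domain and one recipient account.
    dkeys = {"lavabit.com": os.urandom(32)}
    ukeys = {"bob@lavabit.com": os.urandom(32)}
    env = build_envelope("alice@example.org", "bob@lavabit.com", b"hello", dkeys, ukeys)
    hop = destination_server_view(env, dkeys["lavabit.com"])
    print(hop["recipient_account"], recipient_view(hop["inner"], ukeys["bob@lavabit.com"]))
```

Two properties of the article's design fall out of the model. The server holding the wrapped key cannot unwrap it, and a wrong passphrase fails closed with an exception rather than yielding a plausible-looking key; the flip side is that there is no recovery path without the passphrase, which is exactly the trade-off Paranoid mode pushes further by never uploading the blob at all. In the envelope, the sending domain sees only two domain names and opaque bytes, the destination domain sees the recipient account but not the sender's, and only the recipient's client sees both ends of the conversation.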
Given the increasingly crowded landscape of encrypted services and apps, it may be hard for Lavabit to stand out. But its most famous one-time user believes it has at least one major advantage.
Lavabit’s greatest offering is “a proven willingness to shut down the company rather than sell out their users, even if a court makes the wrong call,” says Snowden. “That’s actually a very big deal: They might be the only ones in the world that can claim that.”