Lavabit founder: 'If you knew what I know about email, you might not use it'

“I’m taking a break from email. If you knew what I know about email, you might not use it either.”

This comment was made by Ladar Levison during a phone call with a Forbes reporter on Friday. As the operator and founder of anonymous email service Lavabit, he is more than qualified to talk about the subject.

Readers will remember that Lavabit shut down recently, with an open letter to users. Hours later, Silent Circle also shuttered its email service. In his letter, Levison said he preferred to close the service rather than “become complicit in crimes against the American people”.

Edward Snowden was a user of Lavabit's services when he revealed the NSA's covert surveillance to journalists at The Guardian and Washington Post. In typical Internet fashion, the service then received a surge of popular uptake: more than $12,000 in paid subscriptions came in, tripling Levison's monthly earnings.

Levison is highly restricted in what he can say about Lavabit's closure, though he says that he plans to appeal in the Fourth Circuit, with a request for supporters to donate. As of this morning, Lavabit's defense has reached $90,000 in donations. As Levison says himself, a victory would set a precedent: "If we win, we win for everyone".

As a result of the closure, Forbes has been able to share some insight into how Lavabit worked. Customer data was encrypted with a public and private key pair, and the private key was password protected. Supposedly, decrypting the data was impossible, though if an email was intercepted the password could be harvested and used.

Source: Forbes


67 Comments


Everybody should care about this. Your constitution forming your country and government starts with the words "We the people". Fast forward a few hundred years and many here seem to have forgotten they are still there to represent you as people. I may be British but I care about this passionately because the rest of the world will largely follow suit.

If this article is enough to make people even think for a moment about this erosion of liberty and free speech then it serves a great purpose. Encouraging others to back Levison's legal fees is again a thing to be praised.

If your perception of discussion on such a fundamental freedom is that this is "moaning" "on a website" then I really fear for our future. I may not agree with what you say, but (just as my fathers and grandfathers have) I will fight to the death for your right to say it. Why should we simply roll over as a civilization when this communication is electronic?

I am not really sure why anybody cares about this? If the government want to read my emails they will do so!! No amount of moaning is going to stop that and comments on a website are certainly not going to stop it happening!

spenser.d said,
And? Your point is wholly flawed so I'm not sure what you were expecting.

I was expecting exactly what I got.....nothing

Still, why make it *easy*, or easier, for them? That is the entire reason for programs such as PGP - even intelligence agencies got that. (Not NSA, but CIA and DIA - the military's equivalent; all the while NSA was trying to get PGP closed down, both agencies were among PGP's biggest customers. Part of the problem facing intelligence agencies is keeping their information from those that are up to no good - in their own government.)

if you don't pay for your email service then maybe there's less to complain about.. if there's any good time to properly monetise email, it's now. I hope dozens of new paid for email services start up to replace lavabit.

Northgrove said,
Judging by this comment thread, there's no hope for change in the USA and basic democratic rights.

As technology exists, there is no hope for anyone in the world. If you are a US citizen, you can at least have some comfort that it is your government with more tools and data than other countries at this time.

Privacy and personal security are something that can so easily be compromised. A delivery person could literally fire a dart into your ceiling that would monitor your conversations and even relay video of the inside of your house.

Some privacy always has been an illusion and will always be an illusion. Even take a psychological mentalist from 100 years ago that could watch you for a few moments and pull information from microexpressions and lip reading your conversation.

The only privacy or security is that you aren't important and there is too much data to track everyone.

Spicoli said,
Closed site for now which will soon reopen promising some super secure whatever. It's right out of the viral marketing playbook.

Time will tell... although, based on what is stated in the full article, the scenario you are predicting seems very unlikely.

Honestly if you want to read my emails go ahead however I warn you the boring financial reports I have to write each day TRUST ME you will be snoozing in no time at all................

If someone is spying on my email, I feel pity for them having to comb through my boring correspondence. Maybe some things like some dumbass site sends a plain text password or something. Meh.

I don't remember the last time I've sent an email. I just use it for email verifications, home depot/lowes daily deals, and that's about it.

GRR rule breaking banner...I know what to do and what not to do! FRUSTRATING! Please neobond, make it go away. I mean I get it. I do. I've been a good boy. It's affecting my posts, though. Almost made duplicate posts because of it. Show it once, and let us neowinians move along. We don't need to see it on EVERY post we write....just sayin'. Well, maybe the newbs do, but man....c'mon!

Well...we're waiting! Give us the details...that'd be like me saying, well, you can't use neowin if you knew what I knew! (And I don't know anything, just an example)

Obi-Wan Kenobi said,
Well...we're waiting! Give us the details...that'd be like me saying, well, you can't use neowin if you knew what I knew! (And I don't know anything, just an example)

I am sure that even if some government minions visited you and told you to keep your mouth shut about what was discussed you would stand straight and publish all the details here on Neowin....

Fritzly said,

I am sure that even if some government minions visited you and told you to keep your mouth shut about what was discussed you would stand straight and publish all the details here on Neowin....


Actually, no I wouldn't. I'd go to the biggest weblog and newspaper in my country, because that would be such an incredible event that everyone should know about it.
There's no such thing as secret courts over here and no legislation that could force anyone to shut up. Isn't really necessary because no-one would believe anything like that happened anyway. :-)

anyone who hasn't got a problem with email security, can you please PM me your email password, or set a forwarding rule to me. Thanks.

If I don't get any passwords, I will assume you are all trolling and do actually care.

glen8 said,
anyone who hasn't got a problem with email security, can you please PM me your email password, or set a forwarding rule to me. Thanks.

If I don't get any passwords, I will assume you are all trolling and do actually care.

There is a difference between caring and understanding the pitfalls of how email works.

Anyone that has been around the IT world in the last 30 years, should understand that mail protocols like SMTP are NOT designed to be secure and are not secure.

So everyone should have the basic understanding that once email leaves your server or is relayed it can easily be monitored by just viewing the packets.

People should also realize the trust they have placed in the hands of their email provider or ISP as most systems are human readable by the operator.

Ironically, Gates once tried to push for more robust protocols that would have added security and also removed a lot of SPAM. However it was during the magic timeframe when Sun and others were in a political battle with Microsoft regarding Internet standards, so everything Gates and Microsoft proposed was dismissed.

Email using the antiquated protocols has NEVER been secure, this should not be a surprise to anyone and they should always use caution and concern on what they email.

SSL SMTP/POP/IMAP are about securing your connection, not the content, recipient, etc. of the mail. The message, etc. is still sent in plain text between the mail servers and if the recipient is not using an SSL based connection it is accessed and retrieved via an unsecured connection too.

Email security is hard and an SSL connection isn't the answer.

glen8 said,
anyone who hasn't got a problem with email security, can you please PM me your email password, or set a forwarding rule to me. Thanks.

If I don't get any passwords, I will assume you are all trolling and do actually care.

Until you post your email address for us to set the forwarding rule, you're the one trolling here.

n_K said,
Not designed to be secure?
Have you never heard of SSL-SMTP or SSL-POP3 or SSL-IMAP ?

Another post has already given you some insight. I suggest you do further research on this subject if you want to understand the security better.

Also remember that the original protocols were NOT designed to be secure, heck even NFS was not designed to be secure and still has problems trying to compensate for fundamental flaws in its design.

Also do some research on SSL, it is not as secure as it once was, especially research how the certificates are generated and managed along with various backdoors identified over the years.

The bottom line is that email is NOT secure.

Also realize that even sending encrypted content, the keys used (even by Lavabit) have NSA backdoors.

Not necessarily traditional backdoors, but the NSA is using technologies that can easily crack most encryption due to flaws/exploits in the encryption and techniques the NSA has devised to open them. Reference the histories of AES, SSL, etc.

The NSA has a lot of powerful systems designed to do nothing but break codes. Some of this was revealed back in 2005/2006 in Microsoft's dispute over Bitlocker and not providing a backdoor technology. Microsoft referenced the NSA's ability to crack most encryption up to 256bit if there was truly a need to see the content, ie a terrorist threat or warrant, and declined to add a backdoor citing that the NSA could still access the content if there was a serious threat.

Edited by Mobius Enigma, Aug 11 2013, 4:26am :

Mobius Enigma said,

The NSA has a lot of powerful systems designed to do nothing but break codes. Some of this was revealed back in 2005/2006 in Microsoft's dispute over Bitlocker and not providing a backdoor technology. Microsoft referenced the NSA's ability to crack most encryption up to 256bit if there was truly a need to see the content, ie a terrorist threat or warrant, and declined to add a backdoor citing that the NSA could still access the content if there was a serious threat.

I agree with some of what you say, but I do challenge some too. You are somewhat correct in the weakness of AES, however a key-attack on AES256 requires 2^254.4 operations, or nearly 4x10^76 operations. Even if one operation was one flop, China's new supercomputer, at 54x10^15 FLOPS (54 petaflops), would take 2x10^52 years...which is slightly older than the universe. So no, AES cannot be realistically mathematically broken, and if you pick a reasonable password, it cannot be brute-forced.

Mobius Enigma said,

<snip>

Supercomputer or not, the length of the key vastly increases the required computation time needed.
SSL isn't broken, some methods used in older SSL certificates are weak, like MD5 which is why no certs issued in a very long time have used MD5, email sent over SSL is not sent in plain text, do u even read tho?
'oh herp derp let me do all this ssl stuff with this server and just forget about it whilst I sent it all plain text...'.
Some intermediaries might use plain text if they don't support SSL, but that's unrelated to SSL itself.

n_K said,

Supercomputer or not, the length of the key vastly increases the required computation time needed.
SSL isn't broken, some methods used in older SSL certificates are weak, like MD5 which is why no certs issued in a very long time have used MD5, email sent over SSL is not sent in plain text, do u even read tho?
'oh herp derp let me do all this ssl stuff with this server and just forget about it whilst I sent it all plain text...'.
Some intermediaries might use plain text if they don't support SSL, but that's unrelated to SSL itself.

You are correct, that in theory it would take billions of years to crack even a 256bit encryption.

However, the NSA knows every trick/exploit just in the math that chops the computing power required down to a manageable level.

They also have access to computing technologies that are classified.

This is where even my experience with companies like Lockheed and NASA will come across sounding like tinfoil hat conspiracies.

One example: I have seen storage devices from the 1970s used in fighter jets that were bacteria based packs and capable of 100s of MB of storage when 16KB was considered large.

We see the world of technology from what research we see and technology available from our leading technology companies. There is another level of technology that has to remain classified as it would be the technology equivalent of the nuclear bomb and shift global powers.

Imagine quantum entanglement being used for sending and receiving data as one semi-known example. This technology alone is beyond even Star Trek's 'subspace communication'.

Quantum computing technologies are far more advanced than we have access.

I love how everyone (mostly the younger guys) say "blah blah, it's the Internet." There's a bigger picture here folks. If you don't care about your privacy, then there's no hope for society. Give the government an inch and see how much they really take.

I don't worry about it, and here is the reason: You couldn't convince me that the government does NOT have the ability to view the data that's being transmitted over the Internet. If you have data that you're genuinely worried about the government seeing, never expect a day when you could just send it unencrypted over email or save it unencrypted in a cloud storage provider without the least bit of concern.

That doesn't mean you should avoid email or cloud storage altogether. Just always take that fact into consideration as you use those services.

You know what I think is cool? Mail.com. They have so many domains to choose from it's not even funny. I choose the @linuxmail.org one. I'm not sure if it's tapped or not, but still cool none the less.

Tyler R. said,
You know what I think is cool? Mail.com. They have so many domains to choose from it's not even funny. I choose the @linuxmail.org one. I'm not sure if it's tapped or not, but still cool none the less.

Doesn't look like mail.com uses encryption, which doesn't make it any different than a Gmail or Hotmail account; they even state with the free package they target you with ads, so it's identical to currently-available platforms, and probably just as insecure.

How about you show us one that was comparable to Lavabit?

Blah Blah Blah, everyone can read what I send. I get it already and I really don't care.

Edit: I make this statement against Ladar's statement, not the posting of the article on Neowin.

LightEco said,
Blah Blah Blah, everyone can read what I send. I get it already and I really don't care.

Edit: I make this statement against Ladar's statement, not the posting of the article on Neowin.


I do not understand how *anyone* could be so complacent and not care about such an infringement into our personal freedoms...

It just goes against the assumption that people visiting tech sites such as Neowin are informed and knowledgeable...

LightEco said,
Blah Blah Blah, everyone can read what I send. I get it already and I really don't care.

Edit: I make this statement against Ladar's statement, not the posting of the article on Neowin.

Agreed. Any one with any common sense should understand you don't put anything on the web that you want kept a secret. In any way shape or form.

Says the person who immediately insults me. Thanks bud!

Anyways, I've come to the conclusion that A) No matter how much people whine and complain about this, it isn't going to change, B) If someone is going to sit down and read every email I send, good luck to them, they'll die of boredom before they get 2 pages in, and C) I seriously can't believe people didn't know this was going on before the Snowden leaks. I mean, did you really think you had complete privacy online?

There's two levels of discussion here: the sociolegal one, and the technical one. We all knew since the beginning of time that email is woefully insecure and anyone on the line can read them (except PGP, but that only encrypts content). This isn't news at all and really hasn't stopped any of us from using email. Thus, it'd be fair to say that we all did, indeed, not care that email sends everything in plaintext. However, that's different than the fact that the government actually spies on everyone's emails indiscriminately, which is something that the tech circles should really care a lot about.

A) So we stop fighting, give up our liberties?
B) Give me your email and password so that I can follow you. You wouldn't do that, because it's private.
C) Not to this scale.

LightEco said,
Says the person who immediately insults me. Thanks bud!

Who insulted you? Please, don't act like a child.

Your attitude is indeed complacent and problematic.

yawn.. Wrong. The point being, you're being snooped and recorded whether you like it or not. Then when you do something wrong, they have you all recorded nice and neatly.

Buh, buh, buh.. I didn't do anything wrong.. your phone calls are recorded, emails, surfing habits, TV watching habits.. and they can see what you do through your electric company's smart meters now. I love people who are willfully ignorant.. they let themselves become easy targets

chrisj1968 said,
yawn.. Wrong. The point being, you're being snooped and recorded whether you like it or not. Then when you do something wrong, they have you all recorded nice and neatly.

Buh, buh, buh.. I didn't do anything wrong.. your phone calls are recorded, emails, surfing habits, TV watching habits.. and they can see what you do through your electric company's smart meters now. I love people who are willfully ignorant.. they let themselves become easy targets

Perhaps you should educate yourself on smart meters before calling others ignorant. A smart meter only measures how much gas or electricity you use and when you use it...nothing more or less.

^ Save for determining daily schedules of your and nearby households based on consumption. Very valuable data for burglaries. And that's just one example.

SharpGreen said,

Perhaps you should educate yourself on smart meters before calling others ignorant. A smart meter only measures how much gas or electricity you use and when you use it...nothing more or less.

Actually, they already know what the average use is from appliances and other devices, so they pretty much can assume what you have in your home. Washer, Dryer, dishwasher or not, average TV watching times, garage door usage spike, air conditioning being turned on at 3, they can assume you are home around that time, oooo, air up and lights off...bed at 10. Nice to know.

Too much power being drained at your place, well, you may have a server farm taken off the grid, or you are growing the drugs. Either way, we will cross-check your e-mail and phone calls and get to arresting you for your misdeeds.

Exaggerating? Sure. Far from the truth? Not as much as you think. People are busted after pulling notice from unusual energy draw all the time.

ccoltmanm said,
...
B) Give me your email and password so that I can follow you. You wouldn't do that, because it's private.
...
Not exactly an equivalent, is it? You are asking for ownership with that request.

You should have asked to be cc'd on all of his email. LightEco might oblige you on the "cc" thing. Probably not to the password.

LightEco said,
Blah Blah Blah, everyone can read what I send. I get it already and I really don't care.

You don't care?

You do realise your father and his father and the father of his father fought hard to build the society we have today.

The total lack of respect people give today to the founding fathers is disturbing.

M_Lyons10 said,

I do not understand how *anyone* could be so complacent and not care about such an infringement into our personal freedoms...

What about my personal freedom to read whatever I want? If I want to read your email, I will.

LaP said,

The total lack of respect people give today to the founding fathers is disturbing.

While I am not American...what are you on about?! You talk about founding fathers...however your hallowed constitution, as far as I can see, talks about liberty and freedom - NOT privacy!

Complaining that people can see your emails is like complaining that people listen to your private conversations in a mall - what do you expect!? There is a time and place for everything. Emails are not the place for confidential conversations! If you want private, stick a 'read password' on a word document, chuck it in a passworded 7zip file, speak to them in person - not too hard people!

M_Lyons10 said,

I do not understand how *anyone* could be so complacent and not care about such an infringement into our personal freedoms...

It just goes against the assumption that people visiting tech sites such as Neowin are informed and knowledgeable...


If it isn't the government(s) reading my emails, it is work and if it isn't work then it's some hacker somewhere who wants something far worse than any government or my employer does. I say that as someone who doesn't do anything that would land me on a terror watch list, suspected of treason or corporate espionage.

It's going to happen, someone is going to read them; I'd rather the party who has access to them is looking for trigger words and not anything that could be used to steal my identity.

In the meantime, I won't post my password on a billboard (Facebook, Twitter...) and will continue using the security options put forth to make it as difficult as possible for someone who is bored enough to get in my accounts.

M_Lyons10 said,

I do not understand how *anyone* could be so complacent and not care about such an infringement into our personal freedoms...

It just goes against the assumption that people visiting tech sites such as Neowin are informed and knowledgeable...

I'm with you, it's not about having something to hide.. it's about respect... you put your trash out once a week you kind of assume people will have the respect not to go through it ... why should people be allowed to see what I am doing online?

LightEco said,
Says the person who immediately insults me. Thanks bud!

Anyways, I've come to the conclusion that A) No matter how much people whine and complain about this, it isn't going to change, B) If someone is going to sit down and read every email I send, good luck to them, they'll die of boredom before they get 2 pages in, and C) I seriously can't believe people didn't know this was going on before the Snowden leaks. I mean, did you really think you had complete privacy online?


you sound like a Dutch person...,,, Like me