If you’re interested in webmail security, you’ve probably heard of Lavabit.
It’s a boutique webmail provider based in Texas, USA.
Lavabit differs from the big cloud email players, such as outlook.com and Gmail, by using encryption a bit differently.
It uses public key cryptography not only when you view your messages in your browser (that’s the https:// part in the URL), but also when it stores your messages on its servers.
→ Public key cryptography, secretly invented by the British in the early 1970s under the mildly confusing moniker of NSE (non-secret encryption), uses two keys, not one, to secure your data. Anyone can lock a file for you to read later, using your public key. You may publish this key openly. But only you can unlock the file, using your private key. As the name implies, this is the one you keep to yourself.
What that means is that the contents of your messages aren’t just encrypted on Lavabit’s disks so that they are protected from abuse if someone steals the servers.
The theory is that they can’t be decrypted “in the cloud” by Lavabit, or anyone else at all, unless you hand over your private key, or someone takes it from you, lawfully or unlawfully.
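The storage model described above, as an added example that is not part of the original article and is not Lavabit's code. The function names, the constructed key pair and the choice of RSA-OAEP wrapping a one-time AES-256-GCM key are assumptions made for illustration; the server-side step uses only the public key, and opening a stored record requires the private key.

```javascript
// Added illustration (not Lavabit's code): mail sealed at rest to a public key.
const crypto = require('node:crypto');

// Constructed key pair standing in for one user's keys (hypothetical helper).
function makeUserKeys() {
  return crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Server side, at delivery time: only the PUBLIC key is available.
function sealMessage(publicKey, plaintext) {
  const key = crypto.randomBytes(32);            // one-time AES-256 key
  const iv = crypto.randomBytes(12);             // fresh GCM nonce per message
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  // Wrap the one-time key so that only the private-key holder can recover it.
  const wrappedKey = crypto.publicEncrypt({ key: publicKey, ...OAEP }, key);
  return { wrappedKey, iv, tag, body };          // this record is all the disk holds
}

// Reader side: without the private key the wrapped AES key cannot be recovered.
function openMessage(privateKey, record) {
  const key = crypto.privateDecrypt({ key: privateKey, ...OAEP }, record.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAuthTag(record.tag);               // final() throws if the record was altered
  return Buffer.concat([decipher.update(record.body), decipher.final()]).toString('utf8');
}

// True when the record cannot be opened (wrong key or modified record).
function failsToOpen(privateKey, record) {
  try { openMessage(privateKey, record); return false; } catch { return true; }
}

// Constructed sample run.
const demoUser = makeUserKeys();
const demoRecord = sealMessage(demoUser.publicKey, 'constructed sample message');
console.log('stored bytes:', demoRecord.body.toString('hex'));
console.log('opened with private key:', openMessage(demoUser.privateKey, demoRecord));
```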
If this sounds like something you’ve heard a lot about lately, that’s probably because larger-than-life Kiwi entrepreneur Kim Dotcom uses something similar in his MEGA file locker service, which opened with some fanfare early in 2013.
(Dotcom therefore not only keeps your content safe from surveillance or theft from his servers, he’s also able to put his hand on his heart and say, “Your Worship, it was not possible for me to have known that those files were the complete works of Gene Roddenberry in remastered full HD video.”)
Anyway, jumping back to the present: when I said that Lavabit “is a boutique webmail provider,” that’s not strictly true.
It used to be, but it isn’t any more.
Founder Ladar Levison shuttered the service this week, or at least suspended it pending the outcome of some legal wrangles:
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what's going on - the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
What can one say to that? (That’s a rhetorical question. You’re welcome to answer it in the comments, but please try to be brief.)
Will existing users, seemingly including at least 350,000 people, ever get their data back?
Levison certainly seems to hope so, noting that:
We've already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.
What do we make of this?
If you know your Latin, you’ll be familiar with the phrase post hoc ergo propter hoc.
It means “afterwards, therefore on account of,” a logical fallacy that reminds you that you can’t assume X caused Y simply because Y followed X.
Otherwise you’d be able to reach ludicrous conclusions such as that last night’s high tide was the reason I had a cup of coffee after getting up this morning.
So the connection between Snowden and the suspension of Lavabit is so far merely chronological, not necessarily causal.
Let’s hope, then, that Levison is able to revive the service, not just so his users can get back into their data, but also so we can find out the true cause-and-effect in this story.
Of course, there’s a technological lesson in here for all of us, too.
Lots of people seem to think that cloud services remove the need for you to keep your own backups, on the principle that “you don’t buy a dog and bark yourself.”
But even if your cloud provider has impeccable credentials in respect of integrity and confidentiality, the availability of your data may be threatened by circumstances outside the control of either of you.