Lavabit and Silent Circle form "Dark Mail Alliance" to thwart email surveillance

Filed Under: Cryptography, Featured, Privacy

Two encrypted-email companies that shut down while struggling to keep metadata out of the US government's hands have announced that they're teaming up to create a new, open-source email protocol built around security and privacy, one they hope will help the world ditch the old one: Simple Mail Transfer Protocol (SMTP).

The collaboration between founding companies Lavabit and Silent Circle, dubbed the Dark Mail Alliance, will focus on maintaining and organizing the open-source code for the new email protocol.

The companies announced the alliance at Wednesday's Inbox Love conference, held at Microsoft’s Silicon Valley campus, saying that they hope to "change the world of email completely by putting privacy and security at its core."

The two founding companies also plan to bring other members into the alliance and to assist future recruits to implement the new protocol.

Specifically, Lavabit and Silent Circle will work jointly to help email software developers and service providers proliferate what they're calling Email 3.0, a "private, next-generation, end-to-end encrypted alternative."

As it is, email is now "fundamentally broken from a privacy perspective", Lavabit said in its press release:

What we call ‘Email 3.0’ is an urgent replacement for today’s decades-old email protocols (‘1.0’) and mail that is encrypted but still relies on vulnerable protocols leaking metadata (‘2.0’).

Our goal is to open source the protocol and architecture and help others implement this new technology to address the privacy concerns over surveillance and back door threats of any kind.
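To make the press release's "Email 2.0" point concrete, here is an added example (not code from the article, Lavabit or Silent Circle): a constructed PGP/MIME message with a placeholder ciphertext is run through Python's standard email parser to list what an SMTP relay can still read without any key.

```python
"""Metadata an SMTP relay can read from a PGP/MIME message whose body is
encrypted: the 'Email 2.0' problem described in the Dark Mail press release."""
from email import message_from_string
from email.policy import default

# Constructed sample message as it would sit in a relay's queue (RFC 3156
# layout). The ciphertext is a placeholder, not real PGP output.
SAMPLE_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTPS id abc123; Wed, 30 Oct 2013 10:15:02 +0000
From: alice@example.org
To: bob@example.net
Subject: Q3 board minutes
Date: Wed, 30 Oct 2013 10:14:58 +0000
Message-ID: <20131030101458.1234@example.org>
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(placeholder ciphertext)
-----END PGP MESSAGE-----

--b1--
"""

# Headers that travel in cleartext no matter how the body is encrypted.
METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date", "Message-ID")


def relay_visible_metadata(raw: str) -> dict:
    """Return everything a relay learns from the message without a key."""
    msg = message_from_string(raw, policy=default)
    visible = {h: str(msg[h]) for h in METADATA_HEADERS if msg[h] is not None}
    # Each Received: line records a hop: sending host, IP and timestamp.
    visible["hops"] = [str(r) for r in msg.get_all("Received", [])]
    return visible


def body_is_opaque(raw: str) -> bool:
    """True when the only readable part is the PGP control part, i.e. the
    relay gets no plaintext body to index, only the metadata above."""
    msg = message_from_string(raw, policy=default)
    if msg.get_content_type() != "multipart/encrypted":
        return False
    parts = [p.get_content_type() for p in msg.iter_parts()]
    return parts == ["application/pgp-encrypted", "application/octet-stream"]
```

Running `relay_visible_metadata(SAMPLE_MESSAGE)` shows sender, recipient, subject, timing and hop path fully exposed while `body_is_opaque` confirms the content itself is not; a transport that encrypts those headers is what the alliance is proposing.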

Ars Technica's Cyrus Farivar reports that the new protocol is set for a mid-2014 release.

Silent Circle CTO Jon Callas told Ars that it's high time to boot the antiquated SMTP out the door:

This is just another transport - what we’re getting rid of is SMTP. We like to laugh at it, but there are reasons why it was a good system. We’re replacing the transport with a new transport. E-mail was designed 40 years ago when everybody on the Internet knew each other and were friends.

The new protocol will be based on Extensible Messaging and Presence Protocol (XMPP), a set of open Extensible Markup Language (XML) technologies for real-time online communication, including instant messaging, presence, multiparty chat, voice and video calls, online collaboration, gaming, file transfer, Internet of Things applications including the smart grid, and social networking services.

As Cisco describes it, the core technology behind XMPP was refined in the Jabber open-source community in 2000 and formalized by the Internet Engineering Task Force (IETF) in 2002 and 2003.

Silent Circle's Callas told the conference that the company's existing Silent Circle Instant Messaging Protocol (PDF) was a rough "alpha" of the new Dark Mail protocol.

Dark Mail will be available as an add-on or an option to existing email providers, which means that companies such as Google could opt to use it with Gmail, for example.

That's not an entirely unimaginable outcome, I would say, given how furious Google reportedly is over new documents from NSA whistleblower Edward Snowden that point to the US National Security Agency (NSA) having infiltrated links to Yahoo and Google data centers worldwide.

Lavabit founder Ladar Levison told Ars that he will soon launch - possibly as soon as Tuesday - a Kickstarter campaign to fundraise for the Dark Mail Alliance to open-source Lavabit’s code "with support for Dark Mail built-in."

Farivar reports that the first 32 companies to donate $10,000 will receive a pre-release 60 days before the public does, letting them be the first to integrate it into their systems.

Lavabit, Snowden's former email provider, shuttered its service in August following court orders demanding metadata about an unnamed user who many assume was Snowden.

Levison did, actually, end up giving the government Lavabit's cryptographic key in digital form, after having first printed out and handed over a copy of the key in 4-point type that didn't quite fly with the government's judge.

Shuttering Lavabit's service meant that even though the government had the key, there was nothing left to open with it.

Silent Circle, for its part, in short order followed Lavabit's example, pre-emptively shutting down its Silent Mail service in anticipation of the government getting its hands on the metadata that is, for now, inevitably associated with email.

The goal of ditching SMTP is ambitious: it's now used for almost all email that travels on the Internet.

But as Ars reader Major General Thanatos commented, the NSA's vigorous surveillance propensities may well have given the world a good reason to put its shoulder to the task and make the switch.

Would switching to XMPP stop spying once and for all? If so, how painful would such a switch be? Can you imagine the world actually doing it?

Let us know your thoughts in the comments section below.


10 Responses to Lavabit and Silent Circle form "Dark Mail Alliance" to thwart email surveillance

  1. LonerVamp · 668 days ago

    While email is indeed insecure and there is a layer of metadata that may be useful to third party entities, the weak point is still going to be the business that brokers or displays the email and more than likely will have some sort of access to the desirable data. An improved protocol does not help when a government pressures a legitimate business into cooperation on the back end.

    • Moeyebus · 457 days ago

      While being very true, you seem to forget that you can use OTR or PGP to further protect your XMPP conversations. What XMPP does is protect the metadata. So, in fact, if people don't change, nothing changes. And no amount of technological advance can change that.

  2. interesting idea long overdue, but...

    I view the internet much like Mt. Everest. As long as it is there 1) people will always attempt to "hack it" and that includes NSA (and other countries that pretend they have no such nefarious black-op techies, US-allies included), and 2) nothing, that is NOTHING, is truly safe/secure on the internet.

    I do not live on the bleeding-edge; just because you can does not make it a good idea...for anything and everything. And while I am a skeptic and cynic on most application of internet based technology, I am that to a power of 1000 for governments behaving themselves.

    • George · 667 days ago

      That is the way to go. Privacy in my opinion is a fundamental right and should be protected at all costs.

  3. Gavin · 668 days ago

    XMPP-based email would not stop spying forever any more than TLS over HTTP stopped spying forever. But it (or something comparable) is the right thing to do and -- assuming everything works out -- will at least allow those that adopt it to not be "low-hanging fruit".

    I don't know anything about the proposed protocol but I assume and hope that a side-benefit could be to put significant hurdles in the way of spammers too.

    I can then envision that in a few years time companies and individuals would start to block SMTP as the insecure crime-ridden protocol in much the same way that many choose to block FTP and Telnet today.

    Sign me up for some of that!

    • Mark · 667 days ago

      SMTP and IP4 should have been dropped ages ago.
      They're simple and work well. But have no security.

    • Hearth · 665 days ago

      Not to mention the protection so desperately needed for emailing documents - business, personal, legal, health, banking - all important information sent by email today that can easily be eavesdropped on by hackers, identity thieves, or a host of others (not just the NSA). Secure email is years if not decades overdue, and if these recent bombshells finally trigger a change, then that's good for everyone.

  4. Plus 1 for XMPP! I plan to use that protocol for tons of projects in the future; it's time for it to dominate.

  5. Robert · 662 days ago

    We have to do this. There is no choice. However, I strongly suspect that US based companies will no longer be involved in the development or initiation of these services. They are forever corruptible by a corrupted state (the US) and can never be trusted.

  6. Andrew · 649 days ago

    Looking forward to its release.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.