Why loosing Lavabit and Silent Mail doesn’t change anything.

Here’s a non-concept for you: secure email. There’s a lot of media frenzy surrounding the recent shuttering of Lavabit and Silent Mail and most of it is unwarranted (see what I did, there? Warranted?) While any security is certainly better than no security, the media is presenting the loss of these services as something that matters and honestly, it really doesn’t. Email is so inherently insecure and the laws of most countries allow law enforcement to warrant emails anyhow, so there’s almost no advantage to using a secure email service if your intention is to be bad. In short, there is no such thing as secure email.

I had never heard of Silent Mail before a few days ago but I have both a Lavabit (had) and a Hush Mail account; both provide encryption bundled into their email service and from the press surrounding Silent Mail, I assume it offered a similar service.

Why doesn’t secure email exist?

The Simple Mail Transfer Protocol (SMTP) that is used to send email around the Internet does not support security. Over the years, security processes like Transport Security Layer (TLS) and Secure Sockets Layer (SSL) have been bolted on to SMTP to offer some semblance of security during transmission across the Internet, but most Internet Service Provider (ISPs) and many of the large email providers do not use these security add ons. When you send an email, your server connects to the server belonging to whomever you’re sending the email to and says “what encryption do you support?” If the receiving end says “none”, then your server says “OK, I will just send this to you unencrypted” and sends your email in plain text across the rather hostile Internet. Supporting encryption is expensive (meaning it takes time and computer resources to keep setting up and tearing down secure connections) so the vast majority of email providers do not support it. Therefore, we can extrapolate that a good chunk of email on the planet is sent in the clear.

So what do these secure email services offer?

They offer encryption “at rest”. This means that once your email is received on their servers (when it is at rest), they encrypt it for you until you pick it up. When you log in to pick it up, they decrypt it and send it to you. If you’re using POP to pick up your email, that’s the end of it: the unencrypted email is sent down the pipe to your email client and typically erased from the server. If you’re using IMAP or webmail, then the email generally stays on the server so it is decrypted many times – every time you call up an email to look at it – and an encrypted copy stays on the server until such time as you purposely delete it.

How do they encrypt my email?

When you create an account on these services they generate an encryption keypair for you as part of the signup process. The keypair consists of a public and a private key which are two separate files. The private key is the valuable one because it can be used to decrypt your emails and they will protect that key by locking it with the password or passphrase that you supplied when you signed up. Your private key is necessarily stored on the mail server because if it were not, then they could not decrypt your email before sending it to you when you log in to view it. However, what is NOT on the server is the password or passphrase required to unlock that private key so that it can be put into use. Your private key cannot be used to decrypt your email until you log in at which time the server then knows your passphrase to unlock your private key. A passphrase is essentially the same thing as a password except that it can consist of many words as the name suggest. A password is “thisisagreatpassword” a passphrase is “On December 12th, 1857 there was a huge explosion in Norway” (probably not a fact).

So if my email is encrypted it’s protected from prying eyes, right?

No. Not all prying eyes.

If Lavabit or Hushmail or Silent Mail were to be hacked or if they lost a hard drive during an upgrade or something like that, your email would be protected because the person who gained access to the hard drive or system would presumably not know your individual passphrase. Therefore, all they would see when they looked in your mail directories is a bunch of random encrypted gibberish. “Psuedo-random noise” as us geeks like to call it.

However, if someone with legal authority came along and said “give me all of Jon’s email” then there is simply no protection. Lavabit claims that their “system [is] so secure that even our administrators can’t read your e-mail.” which is disingenuous at best. Keep in mind that in order for you to be able to read your email when you log in, these secure email providers have to decrypt the email for you first. Since your passphrase is not permanently present on the server, the claim that administrator can’t read your email teeters on the bad side of disingenuous but doesn’t quite tip over the line.

But let’s get real; when Joe FBI shows up and this secure email provider says “Gosh, Joe FBI, there’s just no way I can decrypt that email for you, sorry” nobody is going to believe that. Since these secure email providers must, by necessity, be able to use your private key on their server it’s quite obvious that they can indeed decrypt your email under some circumstances so Joe FBI says “the next time Jon logs on, trap his passphrase and use it to decrypt his email and send it to me”. There’s no way that any of these secure email providers can convince anyone that this is not completely possible and, let’s face it, pretty trivial to do. I am reasonably sure that this is why Lavabit and Silent Mail shut down: once faced with the very real specter of being forced to decrypt, they realized there was simply no way to avoid being forced to do it. Given the information at hand it would appear that Silent Mail went through this exact same thought process and shut down pre-emptively. On the other hand, given Lavabit’s abrupt shutdown and very vaguely worded explanation, it seems likely that they were actually served with a warrant or a National Security Letter which typically carry a gag order along with it.

But didn’t Edward Snowden use Lavabit?

Maybe. One media outlet reported that he might have and now every media outlet says he did so it’s not really easy to tell. What IS really easy to tell is that if Snowden did use Lavabit, he did it with eyes wide open. There’s no way an NSA analyst who spent his waking hours trolling through millions of captured emails does not know how email works and what its security limits are.

So secure email is a waste of money?

It depends what you want from it. If you want privacy for your every day life then there is some value. If you want protection from the government for illegal activities, you should stop using email altogether. And hang your head in shame.

I use Hushmail which is a Canadian based private email company (note how they use the word private and not the word secure). I am more than happy to pay for the service for a few reason:

Full disclosure: I am just a happy Hushmail customer. Sadly, they have given me no money, anything of any value or provided me any benefit above what I am normally entitled to due to my paid account for writing this next bit.

  • I am not attempting to conduct any illegal activity. This is critical because if I’m not involved in anything illegal it’ll be harder than hell to get a warrant to get at my email.
  • Hushmail is Canadian and I am Canadian. Typically, your government is not allowed to spy on its own citizens so it’s usually better to deal with companies in your own country where possible. Citizens are usually afforded a slightly higher level of protection than foreign nationals. I realize there are some large and angry discussions about how the U.S. is handling this at the moment, but in the rest of the free world, it’s better to be a citizen than not. If someone wanted my emails, they would have to get a warrant from a Canadian court and give it to my Canadian company to get my Canadian email. That’s a better deal than storing my email in the U.S. where I am just another foreign national with little protection.
  • I know exactly what protections I am getting so I can evaluate what I am paying for. Hushmail is very transparent about what protections I can expect and they have a handy-dandy chart that essentially explains in a simple way what I explained in a very complicated way above.
  • I know exactly how they will handle a court order because they tell me exactly how they handle court orders.
  • I can send encrypted email to people who do not have a Hushmail account, people who have never heard of encryption, and people that have no idea how to do anything other than load a web page.
  • I have a variety of really neat advanced Hushtools which makes life easier for me and for other people who have to deal with my insistence on encrypting my email.
  • Hushmail’s spam filters actually work. I’m accustomed to GMail’s great spam filters but every time I use another email provider I am always amazed at how much spam ends up in my inbox. Hushmail’s spam filters are as good as GMail’s.
    This is not Hushmail specific, but after 6 years of using GMail, it’s really nice to use a provider that does not shuffle through my email in order to put ads in front of me.This is the difference between paying for email and using a free service. If you aren’t paying for something, then you are the product. I like not being the product.

There are some really good reasons for using a private email service, but they’re not the reasons the media is spewing out. Like any product, it’s a good fit for some uses and a poor fit for others. For me, Hushmail’s tools, their transparency about both the product itself and their action to information requests, and the very reasonable pricing makes it a no-brainer for me. My paranoid tin-foil hat wearing mind loves it. Your mileage may vary.

Final thoughts

I find it very weird that both Lavabit and Silent Mail shut down with basically the same story. Lavabit’s vagueness seems to indicate they had been served with a warrant of some kind, and Silent Circle outright says that they shut down Silent Mail because they came to realize that “Email as we know it with SMTP, POP3, and IMAP cannot be secure” and they did not want to be faced with the prospect of being forced to turn over customer emails. The weird part is not that these guys figured out they could not resist being compelled to turn over customer email; the weird part is that they apparently did not plan for how they would react to these warrants when they came. Co-operating with law enforcement is required by humans and businesses alike; any business needs to have some sort of plan or policy in place about how they are going to handle their legal obligation to cooperate with law enforcement. For two services to simply throw up their hands and say “Gosh! I never saw THIS coming” shows a really short-sighted approach to doing business in my humble opinion. There are no anarchistic businesses, my friends. Anarchy is for humans.