On August 8, anyone attempting to log in to Lavabit found the secure email service’s homescreen replaced by a disturbing message from owner Ladar Levison:
“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on–the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.”
Texas-based Lavabit is still fighting those mysterious “events” in the Fourth Circuit Court of Appeals, Levison added, where a favorable decision would allow him to revive the service as an American company.
He concluded his message on a particularly ominous note:
“This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.”
A few hours later, Silent Circle—a company that provides a variety of encrypted products—announced that it would shut down its own secure mail service.
“Today, another secure email provider, Lavabit, shut down their system lest they ‘be complicit in crimes against the American people,’” read Silent Circle’s note. “We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.” Email services that leverage SMTP, POP3, and IMAP simply can’t be secured anymore.
But why did Lavabit get hit with some sort of shadowy government lawsuit? That’s an excellent question, and one that probably has everything to do with Edward Snowden, the former government contractor who leaked information about several top-secret NSA surveillance programs. Soon after dumping that information on The Guardian, Snowden fled to Russia, where he successfully obtained temporary asylum. During his asylum fight (which took place at Moscow’s Sheremetyevo Airport, where he was holed up in a legal netherworld outside of customs), Snowden reportedly emailed reporters from a lavabit.com email address.
Lavabit was a natural email service for someone obsessed with encryption, but all the advanced algorithms in the world are pretty much useless against a court order. In an August 8 posting on his Google+ page, CNET reporter Declan McCullagh guessed that the FBI had sent Lavabit a federal court order for Snowden’s passwords: “The order can also be to install FedGov-created malware. Lavabit fights FBI surveillance demand in district court for the last six weeks, loses. Shuts down to avoid compliance while simultaneously appealing to the 4th Circuit.”
He added: “It likely wasn’t a national security letter (NSL) because those are limited in scope and don’t apply to prospective surveillance, meaning a shutdown wouldn’t accomplish anything.”
Snowden himself has some choice things to say about all this. In a statement to The Guardian, he applauded Lavabit’s action while condemning the tech titans’ refusal to do more to lock down users’ data:
“America cannot succeed as a country where individuals like Mr. Levison have to relocate their businesses abroad to be successful. Employees and leaders at Google, Facebook, Microsoft, Yahoo, Apple, and the rest of our internet titans must ask themselves why they aren’t fighting for our interests the same way small businesses are. The defense they have offered to this point is that they were compelled by laws they do not agree with, but one day of downtime for the coalition of their services could achieve what a hundred Lavabits could not.”
The question now is whether individuals and businesses will stop using cloud-based services they view as vulnerable to surveillance by third parties such as the NSA and FBI. If that becomes the case, it could seriously affect the business models of Google, Microsoft, and other IT firms that have wholeheartedly embraced the cloud in recent years. It also remains to be seen whether more encrypted-services companies follow in Lavabit’s footsteps and shut down.