Group items tagged

This whole morning, while all these stories of the NSA hacking directly into Google and Yahoo's network have been popping up, I've been at the Inbox Love conference, all about the future of email. The "keynote" that just concluded, was Ladar Levison from Lavabit (with an assist from Mike Janke from Silent Circle), talking about the just announced Dark Mail Alliance, between Lavabit and Silent Circle -- the other "security" focused communications company who shut down its email offering after Lavabit was forced to shut down. Levison joked that they went with "Dark Mail" because "Black Mail" might have negative connotations. Perhaps just as interesting, Levison is going to be releasing the Lavabit source code (and doing a Kickstarter project to support this), with the hope that many others can set up their own secure email using Lavabit's code, combined with the new Dark Mail Alliance secure technology which will be available next year. As noted, the Alliance is working on trying to create truly secure and surveillance-proof email. Of course, nothing is ever 100% surveillance proof -- and both members of the alliance have previously claimed that it was almost impossible to do surveillance-proof email. However, they're claiming they've had a "breakthrough" that will help.

The newly developed technology has been designed to look just like ordinary email, with an interface that includes all the usual folders—inbox, sent mail, and drafts. But where it differs is that it will automatically deploy peer-to-peer encryption, so that users of the Dark Mail technology will be able to communicate securely. The encryption, based on a Silent Circle instant messaging protocol called SCIMP, will apply to both content and metadata of the message and attachments. And the secret keys generated to encrypt the communications will be ephemeral, meaning they are deleted after each exchange of messages. For the NSA and similar surveillance agencies across the world, it will sound like a nightmare. The technology will thwart attempts to sift emails directly from Internet cables as part of so-called “upstream” collection programs and limit the ability to collect messages directly from Internet companies through court orders. Covertly monitoring encrypted Dark Mail emails would likely have to be done by deploying Trojan spyware on a targeted user. If every email provider in the world adopted this technology for all their users, it would render dragnet interception of email messages and email metadata virtually impossible.

Importantly, they're not asking everyone to just trust them to be secure -- even though both companies have the right pedigree to deserve some level of trust. Instead, they're going to release the source code for public scrutiny and audits, and they're hoping that other email providers will join the alliance. At the conference, Levison recounted much of what's happened over the last few months (with quite a bit of humor), joking about how he tried to be "nice" in giving the feds Lavabit's private keys printed out, by noting that he included line numbers to help (leaving unsaid that this would make OCR'ing the keys even more difficult). He also admitted that giving them the paper version was really just a way to buy time to shut down Lavabit.

ne new email service promising "end-to-end" encryption launched on Friday, and others are being developed while major services such as Google Gmail and Yahoo Mail have stepped up security measures.A major catalyst for email encryption were revelations about widespread online surveillance in documents leaked by Edward Snowden, the former National Security Agency contractor."A lot of people were upset with those revelations, and that coalesced into this effort," said Jason Stockman, a co-developer of ProtonMail, a new encrypted email service which launched Friday with collaboration of scientists from Harvard, the Massachusetts Institute of Technology and the European research lab CERN.Stockman said ProtonMail aims to be as user-friendly as the major commercial services, but with extra security, and with its servers located in Switzerland to make it more difficult for US law enforcement to access.

"Our vision is to make encryption and privacy mainstream by making it easy to use," Stockman told AFP. "There's no installation. Everything happens behind the scenes automatically."Even though email encryption using special codes or keys, a system known as PGP, has been around for two decades, "it was so complicated," and did not gain widespread adoption, Stockman said.After testing over the past few months, ProtonMail went public Friday using a "freemium" model a basic account will be free with some added features for a paid account.

By locating in Switzerland, ProtonMail hopes to avoid the legal woes of services like Lavabit widely believed to be used by Snowden which shut down rather than hand over data to the US government, and which now faces a contempt of court order.Even if a Swiss court ordered data to be turned over, Stockman said, "we would hand over piles of encrypted data. We don't have a key. We never see the password."