Darkmail Pushes Privacy Into The Hands Of NSA-Weary Customers And Dark Wallet Hides Transactions Made With Bitcoin
Ladar Levison, founder of Lavabit, the now-closed encrypted-email service used by former National Security Agency contractor Mr. Snowden, is working with encryption company Silent Circle to create a new kind of messaging called Darkmail.
The technology changes email in a way Mr. Levison says could offer unprecedented protection from surveillance by governments and hackers.
The effort comes as tech firms seek to soothe consumer concerns about privacy. On Wednesday, new disclosures from Mr. Snowden intensified those concerns.
Documents he shared with the Washington Post indicated the NSA is capable of tapping even connections between some data centers run by major Internet companies.
Mr. Levison, 32 years old, learned firsthand about the challenges of keeping email private this summer when the FBI sought emails from Lavabit customer Mr. Snowden.
Mr. Levison received a request from the agency to hand over the encryption keys to Lavabit, according to court records that don’t mention Mr. Snowden by name.
In theory, sharing the keys would have allowed the FBI to monitor the information of all of Lavabit’s 400,000 users, including their passwords, whom they communicated with and credit-card information.
The FBI declined to comment.
The Snowden investigation revealed an Achilles’ heel for encrypted email: government access. Mr. Levison had advertised Lavabit as secure from mass surveillance but then realized the government could legally force him to hand over access to all of his customers.
While he complied with the government’s request, he simultaneously closed Lavabit, making future access impossible. The move gave him celebrity status among hackers.
Shortly after, competitor Silent Circle closed its own encrypted-email service, Silent Mail, out of fear it could be forced to provide similar information to the government.
With Darkmail, set to launch formally next year, the two companies now are working to protect themselves from future records requests by creating an email system where they couldn’t hand over readable user data even if a court asks them to do so.
Though they intend to charge for an email account, the code behind the technology will be available free for any company to duplicate.
Mr. Levison envisions creating a “Darkmail alliance” of providers using the tech. “We don’t want to be the wedge between people in a dispute,” Mr. Levison said in an interview. If the government asks him for records, Mr. Levison said he wants to be able to say, “We don’t have anything.”
Created decades ago, email was never meant to be anonymous. Even though some technology now allows users to encrypt the bodies of their messages, email still requires certain data—including the subject line, the sender and the recipient—to be left in unencrypted text.
The open nature of the technology also allows prying eyes to see who is talking to whom, even if they can’t read their encrypted messages below the subject line.
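To make the point above concrete, here is an added example (not part of the original article) that parses a message whose body is PGP-encrypted and reports what a provider or on-path observer can still read. The sample message, addresses, host names and the `exposure_report` function are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: body is a PGP-armored block (placeholder text, not real
# ciphertext); every address and host name below is made up.
RAW = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\tby mx.recipient.example with ESMTPS; Wed, 30 Oct 2013 10:15:02 -0700
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Cc: carol@third.example
Subject: Q4 contract draft
Date: Wed, 30 Oct 2013 10:15:00 -0700
Message-ID: <constructed-0001@sender.example>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----

PLACEHOLDERciphertextPLACEHOLDER
-----END PGP MESSAGE-----
"""


def exposure_report(raw):
    """Return what stays readable when only the body is encrypted."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    # Sender and recipient headers must stay in cleartext for mail routing.
    parties = getaddresses(
        msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    )
    return {
        "body_encrypted": body.lstrip().startswith("-----BEGIN PGP MESSAGE-----"),
        "who": sorted(addr for _, addr in parties),
        "subject": msg["Subject"],
        "when": msg["Date"],
        # Each relay adds a Received header, recording the path the mail took.
        "relay_hops": len(msg.get_all("Received", [])),
    }


if __name__ == "__main__":
    for field, value in exposure_report(RAW).items():
        print(f"{field}: {value}")
```

Even with the body unreadable, the report still names all three correspondents, the subject, the timestamp and the relay path.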
The first step to making email truly private, Mr. Levison said, is building software where only users—not email providers—have the keys to private messages.
To make things easy for consumers, most email services have users send their password to a company server, granting them access to their account and messages.
In Darkmail, users would encrypt messages with private keys kept only on their computers or mobile devices before sending them. It means that if the government asks a Darkmail company for user data, the company would only be able to offer garble.
Communicating with traditional email services like Google Inc.’s Gmail creates another problem: Since those services may not be using Darkmail privacy techniques, messages sent and received from these email systems would be subject to court orders. Darkmail’s creators imagine a kind of stoplight system built into email:
A green light would mean two Darkmail users are talking to each other, indicating the message is entirely encrypted. A red light would indicate they are communicating with someone using a traditional email service.
Google, Microsoft, and Yahoo Inc. say they only provide emails to the government when part of a court order.
No privacy technology is a silver bullet. Hackers and governments could still gain access to a user’s computer or phone, to read encrypted messages over a suspect’s shoulder.
Some in the tech industry are skeptical Darkmail could be widely adopted because email, as we know it, has been established over decades.
“It’s a very admirable goal,” said Robert Shavell, co-founder of Abine, an online privacy company, who watched Mr. Levison introduce Darkmail on Wednesday.
Lavabit, based in Texas, and Silent Circle, based in Washington, D.C., both shuttered their encrypted email services. The companies said they couldn’t keep them running knowing they were vulnerable to surveillance if faced with a dedicated enough attacker… which for Lavabit came in the form of the federal government when it wanted access to NSA whistleblower Edward Snowden’s Lavabit account.
Now the companies are teaming up with plans to offer an open-source tool that could make peer-to-peer, end-to-end encryption an easy add-on for any email service.
The challenging part: they need to get other email providers – especially the heavyweights, Google, Yahoo, and Microsoft – to join them in offering the tool.
The easy part: the name, which sounds like a group of superheroes – or supervillains – depending on your perspective on monitoring and data-mining email.
Lavabit and Silent Circle are the first two members of the “Dark Mail Alliance,” a group of email providers who will give users control over the privacy of their email so that it can’t be handed over to third parties, scanned for ads, or easily hijacked by an interceptor.
“We’re taking our inspiration from the Rebel Alliance,” says Levison. “We’re the rebels who have decided privacy is too important to compromise on. We’re fighting to bring privacy back to the Internet.”
“We believe email is fundamentally broken in its current architecture,” says Silent Circle CEO Mike Janke, a former Navy SEAL. “This is an opportunity to create a new email service where the keys are created on the device and only the user can decrypt it.”
A Very Simple Logo For A Concept Dreamed Up Within The Last Two Months
The problem now is that – as the NSA leaks have made us painfully aware – almost all of us store our email with third parties and send it through a digital ether that has many stops along the way where it can be captured.
On top of that, there’s the possibility of our email being hacked, or being scanned by advertisers, or just being opened by a snoopy ex who has your password.
Google and others have tried to make email more secure with two-factor authentication, but that doesn’t solve the fact that the email sits “in the clear” on a server or in the cloud somewhere — a vulnerability that hackers can take advantage of.
According to a new report from the Washington Post, the NSA has taken advantage of that vulnerability by infiltrating the links to Yahoo’s and Google’s data centers.
Lavabit and Silent Circle think email should be unreadable – decodable only by the sender and the recipient. While it’s possible to set up encryption on your own, it’s a laborious process – I know from experience; the Dark Mail Alliance hopes to streamline it.
Lavabit founder Ladar Levison and Silent Circle CEO Mike Janke got to meet and swap tales of encryption woe during a privacy event in Seattle in September.
Silent Circle’s impressive cryptography team had been working on a better email encryption system for some time, that wouldn’t leak metadata to the provider (or the NSA) nor depend on keys stored on a provider’s server.
Levison meanwhile had been fighting the feds for months over their request to fundamentally break the security of his email service in order to get access to one of his users’ accounts.
Levison, who has given up email since shutting Lavabit down, had downloaded Silent Circle’s encrypted text messaging service to have private bi-coastal conversations with his lawyer. He and Janke connected via Silent Circle and sat down in Seattle to talk about coming up with a new system together.
Levison then flew to Silent Circle’s headquarters for a week-long project-crunching session with his former-competitor’s engineering team, including master cryptographers Phil Zimmermann and Jon Callas.
The “Dark Mail Alliance” plans to release a white paper about their tool, which relies on SMTP and XMPP. While still a work in progress, it will assign a private key to a particular user and populate it across their devices; put public keys and addresses into a public server; and store encrypted email for pick-up in the cloud.
It’s not the first time technology of this sort has been deployed. What would make this different is that, if successful, it wouldn’t be sandboxed.
If Google, Yahoo, Microsoft, Hushmail, and others signed on – and that is a big if – you’d be able to send an encrypted email from one service to another “easily.”
Janke says the user interface is designed so that if you’re sending to an address that’s part of the system, it glows green, and if it’s not, it glows red.
“Features of PGP are built into the code itself so it can function like regular email,” says Levison. “We want to make it easy enough for your grandma to use.”
“We want community participation on the protocols,” says Silent Circle cryptographer Jon Callas. “But we are not going to be sitting around, waiting for permission to do it. We’re going ahead with it even if it’s just the two of us.”
“We’re going to try to get as many people involved as possible,” says Janke. Levison announced the formation of “the Alliance” Wednesday at Inbox Love, a conference at Microsoft’s Mountain View campus for, as you’d expect, mail geeks. “All of the major email service providers will be there,” says Levison.
But will they want to join the Alliance? Given Lavabit’s dramatic shutdown and the Snowden revelations about the extent of monitoring of our digital communications, there’s momentum right now for the cause of more private email.
And Lavabit and Silent Circle certainly have the industry’s attention. “Everyone knows now that email is broken and has to be fixed,” says Callas. But is that enough to get established providers to join their crew?
“We want to get the Googles, the Yahoos and the Microsofts to stand tall,” says Janke. “But it will be an interesting friction point. These companies make money by mining their free email.”
The dark mail tool would prevent scans of emails to deliver ads. Another potential downside from a provider perspective is that not being able to scan all emails will make it harder to root out spam, says Levison.
But they hope that the fact that all email would be signed with particular keys will make it possible to develop a trust system around identity.
Intelligence and law enforcement agencies meanwhile, who have been complaining for years (perhaps disingenuously) about the Internet “going dark,” might be the most frustrated with the Alliance.
It would make it much harder to monitor people’s emails or to read what they have stored in the cloud. I asked Lavabit – who is already fighting a court battle with the FBI – and Silent Circle whether they worried about the government reaction to their plan.
Levison says he does worry about criminals – terrorists and child pornographers – using the tool. “But I balance that with the need to speak privately as a fundamental part of any democracy,” says Levison. “Government has brought this on themselves, where this kind of security became a necessity.”
“That horse has left the barn. If law enforcement wants that data, they’ll have to subpoena an individual [rather than their email provider],” says Janke. “I worry more about the big data processors. Google and Microsoft rely on data mining to make their profits. I worry more about them collectively because there is money on the line. I worry about that more than the nation states.”
The Alliance is not just focused on the big dogs. They’re also hoping to enlist smaller providers that want to offer more private and secure email services.
Levison will play crypto-prophet, with plans to rack up frequent flier miles to help providers and organizations get this up and running when they release the tool in 2014. “If we have to fly to Switzerland and South Africa, that’s what we’ll do,” says Janke.
“We think the world is ready to embrace a new system,” says Levison.
Software That Covers The Tracks Of Financial Transactions Made With Bitcoin
Cody Wilson rattled lawmakers and law-enforcement agencies with a plastic gun created from a 3-D printer, home computer and blueprints he posted online for anyone to download.
Now, the 25-year-old law-school dropout is about to launch software aimed at covering the tracks of financial transactions made with bitcoin, the virtual currency that has exploded in popularity among spenders and speculators—and raised concerns among regulators that it might be used for illegal activity.
“We need an anonymous cash online,” says Mr. Wilson, who oversees from his apartment near the University of Texas at Austin about a dozen self-described antiestablishment techies working on the software, called Dark Wallet. Some of them are paid in bitcoin.
“It’s not that I want you to buy drugs,” he says. “It’s just that I think you should have the freedom to do it.”
Mr. Wilson is one of the most prominent examples in a band of hackers, programmers and agitators trying to deploy technology in ways that disrupt what they see as limits on personal freedom.
Even though they often live, work or mingle in Silicon Valley, they claim its rise has created too much technology that benefits corporate America or helps government snoop.
In the 1980s, such techies were known as cypherpunks and obsessed with using complex encryption to keep communications secret. The modern version is more consumer-oriented and often focuses on mainstream products, such as Web browsers, open-source software and iPhones, with the aim of having world-wide impact.
Mr. Wilson, who graduated from the University of Central Arkansas in 2010 and then started law school here, shuns political labels.
His bedroom features a Texas flag that says “Come and take it,” a bookshelf with copies of the Federalist Papers and Austrian-born economist Friedrich von Hayek’s libertarian treatise “Road to Serfdom,” and several random bullets.
While bitcoin critics claim the online currency is vulnerable to use by lawbreakers because people can make online transactions without giving their real names or addresses, Mr. Wilson and other bitcoin purists say it isn’t secret enough.
To prevent fraud, all transactions made with each jumble of computer code tied to the currency are automatically posted in a public ledger called the “block chain.” That means it is possible for authorities to track a person’s transactions if they can determine the user’s unique bitcoin address.
Dark Wallet is a no-frills, low-budget push led by Mr. Wilson to make bitcoin the electronic-commerce equivalent of a Swiss bank account.
Attached to a browser such as Google Inc.’s Chrome, Dark Wallet will try to scramble the long strings of numbers and letters that form bitcoins. The scrambling will occur as bitcoins are spent, making it harder to detect who is buying what.
The first version of Dark Wallet is set for release in early 2014, though a specific date hasn’t been decided. It will be free, though the developers are accepting donations.
Supporters concede it is likely impossible to make bitcoin transactions absolutely untraceable. Still, if Dark Wallet delivers as hoped and catches on with the virtual currency’s users, law-enforcement officials will have more trouble tracking the flow of online commerce, some people close to U.S. government officials say.
Scott Dueweke, a virtual-currency expert at consulting firm Booz Allen Hamilton Inc., includes a Dark Wallet video made by Mr. Wilson when he explains bitcoin to regulators and law-enforcement officials. Mr. Wilson’s video features ominous music and an image of Edward Snowden, the National Security Agency contractor turned leaker.
“It spooked the hell out of them,” Mr. Dueweke says.
Stephen Hudak, spokesman for the U.S. government’s Financial Crimes Enforcement Network, declined to discuss Dark Wallet, but says: “We’d be concerned about anything that would increase the threat level of money laundering.”
Federal officials also have said they see benefits from digital forms of money. Federal Reserve Chairman Ben Bernanke told lawmakers in November that online currencies “may hold long-term promise, particularly if the innovations promote a faster, more secure, and more efficient payment system.”
Jon Matonis, executive director of the Bitcoin Foundation, a nonprofit group that serves as unofficial curator of the online currency, released on the Internet in 2009, says the Dark Wallet project is consistent with his efforts to promote and develop the digital cash as a private, government-free currency.
But some of Dark Wallet’s image and marketing are hard to stomach, he says. “I have a serious problem with what they named it,” he says. “The average person … will think it’s this criminal thing for buying drugs.”
Mr. Wilson focused on Dark Wallet after his plastic-gun effort was blocked. In 2013, he posted online instructions for how to make a gun called “Liberator” with 3-D printing. Three-dimensional printers use plastic materials to make objects as simple as a figurine or coffee cup.
Federal officials warned that new plastic guns could fool metal detectors and compromise security, and the State Department ordered him in May 2013 to remove his online gun blueprints, citing arms-export laws. He complied.
Bitcoin captured Mr. Wilson’s interest. PayPal founder Peter Thiel, a billionaire libertarian, invited Mr. Wilson to a private Wyoming retreat, where the two men discussed the future of bitcoin. Mr. Thiel sees promise in the young entrepreneur, a person close to the billionaire says.
In another sign of Mr. Wilson’s growing reach, he helped find a lawyer for Ross Ulbricht, the alleged ringleader of a popular Internet black market called Silk Road that used bitcoin as its currency.
In November, federal prosecutors filed criminal charges against Mr. Ulbricht that include conspiracy to traffic in narcotics and hack computers. His lawyer, Joshua Dratel, says Mr. Ulbricht is innocent.
Mr. Wilson says Mr. Ulbricht should be embraced by the libertarian community. Dark Wallet could make it harder to bust users of future Silk Roads, Mr. Wilson says.
His closest partner in Dark Wallet is 25-year-old Amir Taaki, a computer coder in the U.K. who sometimes wears apparel—shirts, pins—with the online currency’s symbol: a “B” sliced by two vertical bars.
Mr. Wilson, who sometimes wears sunglasses at night, is the management and fundraising expert. “They’re literally the only prescription glasses I have right now,” he says.
An online fundraising effort for Dark Wallet has so far attracted about $100,000, Mr. Wilson says. All told, Mr. Wilson says he has raised nearly $250,000, most of it in bitcoin and through Defense Distributed, a self-described nonprofit group he began in 2012.
The Internal Revenue Service hasn’t approved the group’s application for tax-exempt status. The agency declined to comment on the reason or the application. Mr. Wilson says he has been asked to explain his dealings with the State Department.
Mr. Wilson dropped out of law school in May to work on plastic guns full-time. Later the same day, he got the government’s edict to remove his online gun blueprints.
Because of his suspicions of the government, Mr. Wilson had his home address removed from the University of Texas law school’s student directory. On business matters, he communicates with encrypted email or chat systems.
Dark Wallet “captures everything we want to do,” he says. “My particular brand of activism is crisis-forcing.”