Two shuttered encrypted email service providers are joining forces in the aftermath of the US National Security Agency (NSA) spying scandal. Lavabit and Silent Circle have set up the Dark Mail Alliance to restore privacy to inboxes.
They're developing an open-source tool that could make peer-to-peer, end-to-end encryption a simple add-on for any email service — and they’re hoping major providers like Google and Microsoft will come on board.
There are many interesting aspects to this new alliance, starting with the fact that the two founding vendors both closed down in August over concerns about the NSA. They claimed they couldn’t stay in business knowing they were vulnerable to surveillance from a dedicated enough attacker ... like the US federal spy agency.
The NSA is, or at least was, systematically harvesting information from telephone and email records.
To be completely accurate about this, the NSA insists it was just harvesting metadata — the data about the information itself. What the agency has failed to acknowledge is that this information can be far more revealing than the information contained in the email message or call itself.
One of the problems with email is that even when used with encryption services, a portion of the metadata must be sent unencrypted for the messages to pass from one user to another.
Enter the Dark Mail Alliance
But the Dark Mail Alliance wants to change the status quo. According to cofounders Jon Callas, CTO of Silent Circle, and Ladar Levison, founder of Lavabit, the goal is to build a secure, encrypted email system that's virtually surveillance-proof.
The alliance was announced Wednesday at the Inbox Love conference in Mountain View, Calif. Mike Janke, CEO of Silent Circle, said during a speech at the conference that the founders hope to get at least a dozen email providers to run the Dark Mail architecture to provide multiple options to users in search of an encrypted option.
The mission of the Dark Mail Alliance, according to a statement on its website, is to:
... work to bring other members into the alliance, assist them in implementing the new protocol and jointly work to proliferate the world’s first end-to-end encrypted 'Email 3.0' throughout the world's email providers. Our goal is to open source the protocol and architecture and help others implement this new technology to address privacy concerns against surveillance and back door threats of any kind.
Until now, vendors like Lavabit and Silent Mail have kept too much information on the provider’s server. As a result, under court order, they could be forced to turn over encryption keys that would enable third parties, including government agencies, to access email.
This is effectively what happened to Lavabit. After it was identified as the service used by whistleblower Edward Snowden, the government forced it to hand over the keys to all of its users' data. That's why Levison decided to shut down Lavabit’s servers.
With the Dark Mail Alliance, users will be able to send email securely between two accounts managed by alliance members. The messages will be encrypted automatically and sent directly from one person to the other without going through a provider’s server. The system would make the systematic harvesting of metadata just about impossible.
Will Email Providers Sign Up?
The questions: Will this new protocol work — and will major email providers jump on board? Keep in mind that Google, in an SEC filing some months ago, stated that no one using its Gmail service should expect privacy. Google machine-reads email to obtain customer information and provide personalized services. Microsoft does the same with its Outlook email service.
It is not clear whether Google and Microsoft think there is enough for them to gain by joining the Dark Mail Alliance. And if the major email providers fail to sign up, can the alliance realistically survive? Could users exert enough pressure to force the big email providers to get on board?
One way or the other, the alliance is moving ahead. Once it has its technology in place, which is expected to be in early 2014, Silent Circle plans to reboot its email service through servers in Canada and Switzerland.