Internet Privacy Company Ends Service To Avoid Government Surveillance


Remember Lavabit and Silent Circle, the encrypted email providers that shuttered services because they faced government pressure to enable government snooping on their customers (Silent Circle still offers other privacy services)? Well, you can add CryptoSeal to the mix. The company has ended its CryptoSeal Privacy virtual private network (VPN) service (it still offers enterprise-level services), which was advertised as "keeps prying eyes off of your internet usage while you're at home, in a coffee shop or even another country," also over concerns about the legal environment and government snooping.
According to a note on the CryptoSeal site:
With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability.
Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product.
Specifically, the Lavabit case, with filings released by Kevin Poulsen of Wired.com (https://www.documentcloud.org/documents/801182-redacted-pleadings-exhibits-1-23.html) reveals a Government theory that if a pen register order is made on a provider, and the provider's systems do not readily facilitate full monitoring of pen register information and delivery to the Government in realtime, the Government can compel production of cryptographic keys via a warrant to support a government-provided pen trap device. Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner. The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion, and likely unconstitutional, but until this matter is settled, we are unable to proceed with our service.
We encourage anyone interested in this issue to support Ladar Levison and Lavabit in their ongoing legal battle. Donations can be made at https://rally.org/lavabit. We believe Lavabit is an excellent test case for this issue.
We are actively investigating alternative technical ways to provide a consumer privacy VPN service in the future, in compliance with the law (even the Government's current interpretation of pen register orders and compelled key disclosure) without compromising user privacy, but do not have an estimated release date at this time.
To our affected users: we are sincerely sorry for any inconvenience. For any users with positive account balances at the time of this action, we will provide 1 year subscriptions to a non-US VPN service of mutual selection, as well as a refund of your service balance, and free service for 1 year if/when we relaunch a consumer privacy VPN service. Thank you for your support, and we hope this will ease the inconvenience of our service terminating.
For anyone operating a VPN, mail, or other communications provider in the US, we believe it would be prudent to evaluate whether a pen register order could be used to compel you to divulge SSL keys protecting message contents, and if so, to take appropriate action.
The company's promise to consider restoring service "in compliance with the law (even the Government's current interpretation of pen register orders and compelled key disclosure)" may not be entirely encouraging to customers especially concerned about the surveillance state. Such a restored service would very likely shield users from everybody except the U.S. government and its established snooping habits as administered by the NSA, the FBI and an alphabet soup of other agencies, federal, state, and local. That is, it's unlikely to be able to truly protect user privacy. Lavabit owner Ladar Levison compares the modern American surveillance state to the McCarthy era and recommends "against anyone trusting their private data to a company with physical ties to the United States."
But it's a big world, and one in which Google now offers VPN tools intended to frustrate governments outside the United States. Certainly, a company or two based elsewhere should be willing to return the favor.
"If you like your business, you can't keep it.
To be fair, he didn't build it.
Breaking: ACA exchange Website actually giant Keylogger set up by NSA.
Badoosh!
But it only affects people using IE 4 or earlier on WinME with Panda Security.
I hear people who use IE4 on WinME get a lot of double posts in forums. True?
No. It happens sometimes when you are using Gentoo behind 7 proxies.
http://uncyclopedia.wikia.com/wiki/Gentoo
"...reveals a Government theory that if a pen register order is made on a provider, and the provider's systems do not readily facilitate full monitoring of pen register information and delivery to the Government in realtime, the Government can compel production of cryptographic keys via a warrant to support a government-provided pen trap device."
Yep, I remember sayin' it... or at least thinkin' it. All it takes is a couple of guys in wingtips from the government entering your office, and most of these services will just shut down.
The government doesn't have to crack your encryption, they just have to throw you in a hole until you give it up or turn it off.
Never underestimate the government's ability to yadda yadda. It never gets old.
But this is just ungentlemanly, unseemly, unAmerican, unEnglish. It sounds French. In the old days, the crypto guys cracked each other's cyphers and implementations. Going in with a note from a judge to hand over the keys is just cheating.
It's certainly not cricket.
Tor, I2P, and GnuPG have no office.
Serious question, do you ever wonder how many whiz kidz working on these open source projects work for the NSA?
I remember reading an article years ago about some of the security flaws found in open source projects, and some of the people finding them were talking about the many eyes theory-- especially when some of the security flaws had been there for years.
The complaint from some within the open source community was that the many eyes weren't always looking at all the code. Most of the eyes were looking at some of the code, some of the eyes were looking at another smaller part of the code, and none of the eyes were (in some cases) looking at the really dreary stuff.
The problem, one person wrote, was that most of the open source developers wanted to work on the rock-star code, no one wanted to do audits of the dreary back-end stuff.
I fear that the open source community may be full of NSA posers, sticking in obscure mathematical back doors that won't be caught for years.
As far as anyone knows, they have not been compromised. The guy from Silk Road was caught due to old fashioned "police work", not a weakness in the code. The "Clipper Chip" was exposed and the EFF was born. And law enforcement is fighting in the courts to compel a suspect to turn over his passphrase to access his files.
What you really have to watch out for is the government putting an exploit on your computer. You are your own worst enemy.
Google "FinFisher".
But it's a big world, and one in which Google now offers VPN tools intended to frustrate governments outside the United States.
VPN tools provided by NSA engineers, for sure.
There are a few VPN services based outside the United States that people can use. How well those foreign companies defend against DoJ coercion, I don't know.
I was just typing it and then deleted my comment because I didn't think it needed saying. But it needs saying. Thanks for that.
No kidding. I assume Google gives full access to the Total State. Which has significantly cut down on my use of their products.
For me, the breaking point was when we learned that any Android device is scraping all your passwords, including the password to your home network, and sending them to Big Goog.
Can you provide a link to this?
So basically they can either comply with current interpretations of US law, or they can protect their customers' privacy, but not both. Fantastic. We are so fucked.
Some people LIKE the chilling effect.
"For any users with positive account balances at the time of this action, we will provide 1 year subscriptions to a non-US VPN service of mutual selection."
non-US. Get used to the sound of that.
Yep, that would be the non-US law enforcement that 'cooperates' with U.S. officials and hands over keys or images of foreign-located servers.