My Fellow Users,
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.
This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.
Sincerely,
Owner and Operator, Lavabit LLC
Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund here.
"Dad," asked my son in anticipation of his upcoming birthday, "I'm planning on starting over online. I want to delete my email accounts, YouTube accounts, etc." As we discussed all the things he wanted to do (and why), I made a few suggestions based on recent changes that I've made in my own habits.
For fun, I've captured them in a Gliffy.com diagram (wow, this is an AWESOME diagramming tool!) that I made using their free account. One of the questions I have is, What have I left out? On first look, I wonder if this is too complicated. But then, the reality sinks in. It's important to plan your virtual presence with security and encryption in mind.
Here's the diagram, and I've included a list of the various sites:
As you can see, there are two strategies discussed in the diagram.
1) Lavabit Account:
The rationale for getting a Lavabit.com account is the security. They offer free webmail accounts that can also be accessed on your mobile device via POP/IMAP. What makes them unique is statements like this:
In an era where Microsoft and Yahoo’s e-mail services sell access past their spam filters, Google profiles user’s inboxes for targeted advertising, and AT&T allows the government to tap phone calls without a court warrant; we decided to take a stand.
The key element of the PATRIOT Act is that it allows the FBI to issue National Security Letters (NSLs). NSLs are used to force an Internet Service Provider, like Lavabit, to surrender all private information related to a particular user. The problem is that NSLs come without the oversight of a court and can be issued in secret. Issuing an NSL in secret effectively denies the accused an opportunity to defend himself in court. Fortunately, the courts ruled NSLs unconstitutional in 2005; but not before illustrating the need for a technological guarantee of privacy.
Lavabit believes that a civil society depends on the open, free and private flow of ideas. The type of monitoring promoted by the PATRIOT Act restricts that flow of ideas because it intimidates those afraid of retaliation. To counteract this chilling effect, Lavabit developed its secure e-mail platform. We feel e-mail has evolved into a critical channel for the communication of ideas in a healthy democracy. It’s precisely because of e-mail’s importance that we strive so hard to protect private e-mails from eavesdropping.
Their security description continues as follows, but you can read the whole thing online:
The short description is that for users of this feature, incoming e-mail messages are encrypted before they’re saved onto our servers. Once a message has been encrypted, only someone who has the account password can decrypt the message. Like all safety measures, encryption is only effective if it’s used. To ensure privacy, Lavabit has developed a complex system that makes the entire encryption and decryption process transparent to the end user.
As you might guess, I didn't explain ALL of this to my son, but I did help him come up with a secure password. What fun it was to see his expressions when he'd try some sample passwords in the How Secure Is My Password web site, only to see they could be cracked in 2 hours or 10 days. "We're trying for infinity, right?"
Of course, I will eventually introduce my son to tools like SSE File Encryption and AESCrypt.com for encrypting files, folders, etc. As we head into high school, being able to transmit encrypted files becomes a greater necessity. I can't tell you how many times my daughter had to send me files, or vice versa. Simply dropping unencrypted content in cloud storage solutions like Dropbox or GoogleDrive isn't recommended!
Google Drive does not currently encrypt files on the server. Our team and our company take the security and privacy of our users very seriously. For example, we support 2-factor authentication, and as Julio mentioned, all transmissions to and from your device using HTTPS and TLS. However, you can encrypt a file (or all your files) before you add it to Google Drive, and Drive will sync any file (whether it's encrypted or not) to all your devices.
Security researcher Christopher Soghoian believes Dropbox is lying in claiming that they encrypt uploaded files and keep them from employee eyes. So he filed an FTC complaint against them. According to Wired, the complaint alleges that the lack of encryption means that your files could be involved in possible government searches, copyright infringement lawsuits, or the machinations of Dropbox employees.
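Here is one way to encrypt a file before it goes into Dropbox or Google Drive, as recommended above. This is an added example, not part of the original post, and it uses the `openssl` command line (assumed to be OpenSSL 1.1.1 or later) rather than the SSE File Encryption or AESCrypt tools named earlier. The function names, iteration count and sample files are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: encrypt locally so the sync client only uploads ciphertext.
# Function names and the iteration count are assumptions, not from the post.

PBKDF2_ITER=600000   # assumed work factor for stretching the passphrase

# Hex SHA-256 of a file.
file_digest() {
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# encrypt_for_cloud <plain> <cipher-out> <passphrase-file>
# The passphrase is read from a file so it never shows up in the process list.
# Prints the ciphertext digest; keep that value outside the synced folder.
encrypt_for_cloud() {
    openssl enc -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" -salt \
        -in "$1" -out "$2" -pass "file:$3" || return 1
    file_digest "$2"
}

# decrypt_from_cloud <cipher> <plain-out> <passphrase-file> <expected-digest>
# 'openssl enc' does not authenticate ciphertext, so compare against the
# locally kept digest first and refuse files that changed while in the cloud.
decrypt_from_cloud() {
    [ "$(file_digest "$1")" = "$4" ] || { echo "ciphertext changed" >&2; return 2; }
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" \
        -in "$1" -out "$2" -pass "file:$3"
}

# Constructed sample run in a throwaway directory.
work=$(mktemp -d)
printf 'correct horse battery staple (constructed)\n' > "$work/pass.txt"
printf 'homework essay draft\n' > "$work/essay.txt"
digest=$(encrypt_for_cloud "$work/essay.txt" "$work/essay.txt.enc" "$work/pass.txt")
decrypt_from_cloud "$work/essay.txt.enc" "$work/essay.out" "$work/pass.txt" "$digest" \
    && cmp -s "$work/essay.txt" "$work/essay.out" && echo "round trip ok"
```

Only the `.enc` file belongs in the synced folder; the passphrase file and the digest stay on the local machine.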
Rather than use GoogleMail to help manage social media, a Lavabit email account (they provide 2 free accounts) will be used to manage the various social media accounts he uses.
Those accounts include:
- Kik - an instant messaging service popular with youngsters.
- Instagram - photo sharing site
- YouTube - video sharing. We think we can use YouTube with a 3rd party email account.
- Cloud Storage solutions
- Apple ID - Since he's an avid Apple user (sigh), switching over to Lavabit shouldn't be difficult. I went through the process prior to writing this email and it was pretty straightforward.
One of the points I shared with him was that while he could point most folks to Lavabit email, he probably needed to keep a Gmail account active for now. The reason why is that he's already established his eportfolio online, and having a Gmail account could also help when setting up new accounts in "throwaway" services that require OAuthID (such as Gliffy).
You know, I wonder what far-reaching consequences of knowing how to do all this will have on my children's lives. When I was 13--my son's current age--I learned how to use an Apple //e computer. It started me down a path I couldn't have imagined at the time. What impact will knowing these things have on him?
Check out Miguel's Workshop Materials online at http://mglearns.wikispaces.com
Everything posted on Miguel Guhlin's blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients.