TrainACE - IT and Cybersecurity Training Blog

Exploring Secure Email After The Silent Circle And Lavabit Shut Downs

[fa icon="calendar"] Sep 24, 2013 5:25:28 AM / by Ryan Corey

Both Silent Circle and Lavabit recently shut down their encrypted email services. Lavabit was the first to take action following word that the United States government wanted data handed over that would violate customers' privacy. Ladar Levison, owner of Lavabit, said he faced the decision of complying with the government and betraying the American people or ending the email service he worked hard to build. He also said that he was legally unable to explain the events leading up to his decision due to recent laws passed by congress blocking his freedom of speech.

The pressure on Lavabit came after it was made known that NSA whistleblower Edward Snowden was using the encrypted email service when he was stranded in Sheremetyevo Airport in Moscow. After hearing that Lavabit had shut down, Silent Circle followed suit. Silent Circle eliminated Silent Mail as a preemptive measure and had not yet received any demands for handing over customers' information.

Is Encrypted Email Really Safe?
Two of the main purposes of using secure email are keeping the message safe and keeping the sender's password safe. When an email is sent out in unencrypted or plain text form, it includes authentication information, which includes a person's password. After being sent, an email is stored on a server until the recipient opens it. This is part of what creates such a challenge for keeping data secure. While people can encrypt their own emails with the proper tools prior to sending them, they must still share an encryption key with each recipient.

Downloadable encryption tools can be difficult for the average person to set up and use, and some methods do not keep all of the data encrypted while it is stored on servers between the sender and recipient. Using these tools and learning the various encryption methods can be a hassle, so most people simply opt for using a secure email service. However, as whistleblower Edward Snowden stated in one of his leaks, email is not the best way to send communications to keep them completely private. As he explained, the NSA has loopholes for collecting and searching data for American citizens.

Not even encrypted messages used in secure email services may be completely safe. If any country's government decided to ask for an email service's data and had legal power to do so, the company would have to hand it over. If the data is encrypted, only metadata would be available. This includes the plain text of the subject line and shows the sender and recipient. While the message itself is encrypted, the government could demand a company decrypt it or ask for their encryption key.

When people learn that even their encrypted messages are not really secure, it is easy to understand their frustration. Nobody likes the idea of being spied on for no reason. The founder of Silent Circle and many other security experts say that text messaging can actually be far more secure with the right tools. Silent Circle offers a service called Silent Text, which sends secure mobile messages. Unlike the email service, the owner said that they do not hold encryption keys, so they would be unable to provide anything if a government agency made a request for keys.

Secure Email: To Use Or Not To Use?
The owners of both Lavabit and Silent Circle warn those who want to continue using email to be aware of what country the service operates in. Each country has its own privacy laws for electronic information. While Germany has excellent laws on the books, they work in compliance with some of the United States government's questionable surveillance agencies. Canada also works with U.S. courts for electronic data releases, but their privacy commission will only honor reasonable search requests. Switzerland does not have the same data collection policies as the rest of the EU, so it is a favorable choice. While Lavabit is seeking to reopen its email service in the near future, there are a few secure email services people can still use. These include Hushmail, Counter Mail and Bitmessage. Mail Pile is another option that is set to launch soon. However, it is important to remember encryption limitations.

_____________________

Check out our Cyber Security Training Class Offerings and Security Services!

Topics: advanced security, Cisco, cyber war, cybersecurity, hacking, information assurance, secure email, security training

Ryan Corey

Written by Ryan Corey

Need IT Certifications?
Want more info?

Call (301) 220-2802


or

TrainACE Catalog

Lists by Topic

see all