lavabit.com has shut down, wolkenplanet.de has started up

TL;DR

Edward Snowden was using lavabit, so the only choices left for the owner were to give all of the users’ data to the NSA or to shut down the service. He chose the latter, but isn’t allowed to say anything about what has actually happened. And let me say that I am quite happy he did so.

This means that the privacy of 400 000 lavabit customers who didn’t do anything wrong would have been compromised if Ladar hadn’t shut down lavabit beforehand. This also means that no cloud provider located in the US can keep their promises concerning the security of the data you hand over to them.

As a consequence, I have now been running my own mail server for a month, and you can reach me at briefe {ÄT} florianjacob [Punkt] de or my private address that I gave you in case I know you in person. ;)

posteo is a good German mail provider.

How I found lavabit

Many years ago, I was in search of a new email provider, as my first one provided me with no more than 12MB of space for years and didn’t offer IMAP access.

I didn’t want to use Google Mail, because even at that time they were somewhat suspicious to me. So I searched for alternatives, and found lavabit, a provider with the defined goal to be better than Google Mail, but with privacy and even encrypted mail boxes - at that time, I didn’t even know what that meant.

What has happened

On the 8th of August, I noticed that I couldn’t connect to my post boxes anymore - at first I thought my mail client had problems, or that it was just a temporary outage, but the problem persisted for a day, and on lavabit.com, I found this explanation:

My Fellow Users,

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC

At this point, I was very glad that I did a few months ago what I wanted to do for a long time, but always thought I could delay until I had my own mail server: I created an unattended backup system for my mail boxes. So remember: Don’t delay your backup system, it might get important sooner than you think.

Additionally, now I know for sure that my mail provider, even if located in the USA, would even go as far as to shut down everything they worked on in the last decade when it’s their only option left for protecting their users.

It was indeed quite shocking how, suddenly, I was directly affected by the impact of what Snowden’s publications have shown the world.

Research

As he stated above, Levison isn’t allowed to say anything about what has happened; even to his lawyer he can’t say everything. So Levison has to rely on the public and the media to find out what happened by themselves.

I found out that the mail address used by Edward Snowden for entering the Moscow Airport and sending the invitations to the human rights activists for the meeting he had there was edsnowden@lavabit.com. Well, that explains a lot.

With that in mind, “the last six weeks” in the announcement have a meaning: This was exactly the time since the Snowden Leaks. So I came to the conclusion that I was using Edward Snowden’s email provider of choice for the last years without even knowing that until six weeks after the world knows his name, and now, the NSA wanted to have everything lavabit had stored about anybody.

The following video is an interview with Levison and his lawyer, which shows very impressively what absurd consequences those gag orders actually result in. He has to describe everything hypothetically and indirectly, he can’t say what they actually wanted from him, he has to say things like “I always said, the only way someone could do eavesdropping on lavabit is to force me to give them my private SSL keys or to modify the software I’m running on the servers, and I thought that this was something that’ll never gonna happen.” - or he is committing a crime he could and would be convicted for.

Today, court documents were unsealed which showed what really happened and how Ladar Levison was fighting by all available means: You can read the full articles at wired or golem (German). After he was forced to give out the keys, he even did so when he had no legal choice left - in the form of 11 printed pages in 4 point font size, which a person would have to type in manually, character by character, with even a single incorrect keystroke rendering the key completely useless. Hats off for such epic trolling!

But as those printed keys were indeed useless, on the 6th of August, he was forced to hand out an electronic copy, with a 5000$ fine for every day until he hands over the keys. On the 8th of August, lavabit closed its doors.

This court decision means that the privacy of 400 000 lavabit customers who didn’t do anything wrong would have been compromised if Ladar hadn’t shut down lavabit beforehand. This also means that no cloud provider located in the US can keep their promises concerning the security of the data you hand over to them.

Ladar was even willing to provide the authorities, which could show a judicial order, with the mails of Snowden, as he is legally obliged to. But the agents wanted access to all the data and all the mails of every customer, and Ladar didn’t betray his promises.

One upside

I now have my own mail server running at wolkenplanet.de

Although I had planned it for about two years, I didn’t do it because lavabit was so convenient; now I was finally forced to set up my own mail server. But just after the day that I heard that lavabit is no more, I went on vacation and had no time to set it up.

This resulted in a whole month without checking mail, with the knowledge that no pile of mail will be waiting for me after that. Quite an interesting and liberating experience, but nothing that could stay this way for a longer time.

I have now had postfix + dovecot running for a month, and so far, no problems have arisen. :) Maybe I’ll write about my setup in a separate blog post later.

It’s really tedious work to go to every webservice you ever registered an account with, and change your mail addresses. Actually I feel a little sad when I have to delete my old addresses, as I got quite used to them in the last years.

But as I have my mail addresses on my own domains, I can be sure I’ll never have to change them in the future, even if I switch servers or go back to a provider.

Recommending posteo

By the way, I still have a backup mail address for emergencies from a provider I found in a recent edition of c’t, probably the most influential German computer magazine: It’s called posteo and was one of the few providers that had perfect forward secrecy enabled for everything - this means that even if someone steals their private key, they can’t decrypt recordings of your communication with posteo - So no “intercept now, decrypt later” here, thanks to the Diffie-Hellman key exchange.
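To make the difference concrete, here is an added example (not code from posteo, lavabit or the original post) comparing a recorded session that used RSA key transport with one that used ephemeral Diffie-Hellman, once the server's long-term private key is disclosed. All parameters, the toy XOR cipher and the function names are constructed for illustration and are far too weak for real use.

```python
import hashlib
import secrets

# Constructed toy parameters: far too small for real use, chosen so the
# example runs with the standard library only.
RSA_P, RSA_Q, RSA_E = 2**61 - 1, 2**89 - 1, 65537   # server's long-term RSA key
RSA_N = RSA_P * RSA_Q
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))   # the private key that leaks later
DH_P, DH_G = 2**127 - 1, 3                          # toy Diffie-Hellman group


def xor_stream(secret: int, data: bytes) -> bytes:
    """Toy cipher: XOR with SHA-256(secret); the same call encrypts and decrypts."""
    pad = hashlib.sha256(str(secret).encode()).digest()
    return bytes(b ^ pad[i % len(pad)] for i, b in enumerate(data))


def rsa_transport_session(message: bytes) -> dict:
    """Client encrypts the session secret to the server's long-term RSA key."""
    secret = secrets.randbelow(RSA_N - 2) + 2
    return {"kex": "rsa", "wire": pow(secret, RSA_E, RSA_N),
            "ciphertext": xor_stream(secret, message)}


def dhe_session(message: bytes) -> dict:
    """Both sides use throwaway exponents; only public values hit the wire."""
    a = secrets.randbelow(DH_P - 3) + 2      # client ephemeral, discarded afterwards
    b = secrets.randbelow(DH_P - 3) + 2      # server ephemeral, discarded afterwards
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    shared = pow(B, a, DH_P)                 # equals pow(A, b, DH_P)
    # In real TLS the long-term key only signs B; it never enters `shared`.
    return {"kex": "dhe", "wire": (A, B),
            "ciphertext": xor_stream(shared, message)}


def decrypt_recording(recording: dict, leaked_d: int):
    """What a recorded session yields once the long-term key is disclosed."""
    if recording["kex"] == "rsa":
        secret = pow(recording["wire"], leaked_d, RSA_N)
        return xor_stream(secret, recording["ciphertext"])
    # DHE: the recording holds g^a and g^b only; leaked_d relates to neither.
    return None
```
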

The one feature I miss is the usage of own domains, but if they would allow that, they would need to store your name and post address in their inventory data which they then would need to forward to security agencies - so they don’t want to have that data in the first place. But that aside, they have everything you want.

Final thoughts

Of course one could call me a hipster for being the only one on the usual course mailing lists whose provider isn’t one of the usual: Google Mail, gmx, web.de and maybe Hotmail and t-online (which make up >95% of German email addresses), but for me, it was a sign of resistance, showing that there are decent alternatives out there.

Somehow that feeling is very similar to the feeling of showing, explaining or defending the usage of Linux. Somehow the fact that Edward Snowden used lavabit makes me feel justified in front of others for using such a “strange mail provider” in their eyes.

Now, there’s only one step left to complete independence in the mail area - moving the mailserver from my rented vServer to my server at home under my desk.

Remarks? Additions? Corrections? For anything you want to tell me about this blog post, feel free to send me an email[*].
Despite having no comments section (which isn't that easy with a static site generator and without relying on a proprietary 3rd party service), I greatly appreciate direct feedback. 😉 In case of additions, I'll mention the name from the mail if you don't object.

[*]: Mails from small independent mailservers are my mailserver's favourite! ❤
If you don't want to keep one on your own, you can pay various admins about 1€ per month to do so for you, e.g. at posteo, mailbox.org, jit-creatives, or at most webhosting providers like netcup or 1&1 in case you want to have your own domain name on top.