
Friday, August 09, 2013

Lavabit Confronts "Complicit or Close?" Levison Closes

August 9, 2013, 3:30 a.m.

This series includes: "Lavabit Confronts 'Complicit or Close?' Levison Closes," August 9, 2013; "A Simple Matter to Drag People Along," August 6, 2013; "The Future of Surveillance and How to Stop It," August 4, 2013; "Surveillance: Differences of Degree and of Kind," July 3, 2013; "Shooting the Messenger; Should Government Be Able to Keep Its Abuses Secret?," June 11, 2013; "From Zazi to Stasi; Trusting a Government That Doesn't Trust You," June 9, 2013; "Law's Losing Race With Technology," June 7, 2013.

We don't know much about the extent to which American companies have been complicit in the NSA's spying on American citizens. They are legally prevented from telling us, and have requested permission from the government to do so (but have consistently been denied their requests). Yesterday the owner of one such company, confronted with, as he put it, the choice "to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit," chose the latter. Here is the full text of his letter, posted on Lavabit.com, followed by some relevant stories and hundreds of comments. Hopefully, this courageous -- and costly -- decision of his, and the worldwide interest in, and support of, his case will help to bring these issues to a rational, and constitutional, conclusion. -- N.J. [Photo credit: Ladar Levison's Facebook page photo]

Letter to Customers from Lavabit Owner Ladar Levison

My Fellow Users,

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on -- the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC

Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund here.
# # #

First reported here, Xeni Jardin, "Lavabit, Email Service Snowden Reportedly Used, Abruptly Shuts Down," Boing Boing, August 8, 2013, The Guardian added a good bit to the story: "The email service reportedly used by surveillance whistleblower Edward Snowden abruptly shut down on Thursday [Aug. 8] after its owner cryptically announced his refusal to become 'complicit in crimes against the American people.' Lavabit, an email service that boasted of its security features and claimed 350,000 customers, is no more, apparently after rejecting a court order for cooperation with the US government to participate in surveillance on its customers. It is the first such company known to have shuttered rather than comply with government surveillance." Spencer Ackerman, "Lavabit email service abruptly shut down citing government interference," The Guardian, August 9, 2013.

Comments on the Guardian's story, almost exclusively supportive, increased another couple of hundred while I wrote this. You can go directly to them here.

The New York Times, also had a report, including Silent Circle's voluntary shut down: "A Texas-based company called Lavabit, which was reportedly used by Edward J. Snowden, announced its suspension Thursday afternoon, citing concerns about secret government court orders. By evening, Silent Circle, a Maryland-based firm that counts heads of state among its customers, said it was following Lavabit’s lead and shutting its e-mail service as a protective measure. Taken together, the closures signal that e-mails, even if they are encrypted, can be accessed by government authorities and that the only way to prevent turning over the data is to obliterate the servers that the data sits on." Somini Sengupta, "Two Providers of Secure E-Mail Shut Down," New York Times/Bits, August 8, 2013.

The Washington Post reports, among other things, that the NSA's invasion of formerly secure cloud services could cost American business as much as $35 billion. (Of course, Amazon's Bezos, now the owner of the Washington Post, is the owner of one of the nation's largest cloud service providers.)

"Silent Circle’s business is based on promising absolute confidentiality to its clients. 'There are some very high profile, highly targeted groups of people' among the firm’s customers, says Silent Circle CEO Mike Janke. 'We felt we were going to be targeted, without a doubt. We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now,' the company wrote in a Thursday blog post. 'We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.' . . . One recent estimate suggested that U.S. companies could lose as much as $35 billion as fears of NSA surveillance lead foreign companies to cancel their contracts with U.S. cloud service providers." Timothy B. Lee, "Another e-mail service shuts down over government spying concerns," Washington Post, August 9, 2013.

The Wall Street Journal's brief story notes that "In 2011, a telecom company fought the Federal Bureau of Investigation in court over a request for customer records. That same year, Sonic.net, a Santa Rosa, Calif.-based Internet provider, also fought a court order on a WikiLeaks supporter." Danny Yadron, "Snowden’s Email Service Shuts; SnowdenMail is No More," Wall Street Journal, August 8, 2013.

In addition to which, the New York Times added its editorial voice today to criticism of the NSA's spying on Americans generally: "Apparently no espionage tool that Congress gives the National Security Agency is big enough or intrusive enough to satisfy the agency’s inexhaustible appetite . . .. Time and again, the N.S.A. has pushed past the limits that lawmakers thought they had imposed . . . guaranteed by the Constitution. . . . [I]t copies virtually all overseas messages . . . then scans them to see if they contain any references [that] might have a link to terrorists. That could very well include . . . family members expressing fears of a terror attack. Or messages between an editor and a reporter who is covering international security issues. Or the privileged conversation between a lawyer and a client who is being investigated. Data collection on this scale goes far beyond what Congress authorized . . .. [T]his practice . . . is unquestionably the bulk collection of American communications . . .. Despite President Obama’s claim this week that 'there is no spying on Americans,' the evidence shows that such spying is greater than the public ever knew." Editorial Board, "Breaking Through Limits on Spying," New York Times, August 9, 2013, p. A18.

# # #

Saturday, February 23, 2013

Cybersecurity for You and Me

February 23, 2013 8:00 a.m.

Seven Steps to Computer Security
“I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”
-- Dmitri Alperovitch, Chief Technology Officer, CrowdStrike

With seemingly every major American institution under cyberattack, is it past time you and I review our own cybersecurity?

The Times reports that, "Computer security experts estimate that more than a thousand companies have been attacked recently." Nicole Perlroth, "Some Victims of Online Hacking Edge Into the Light," New York Times, February 21, 2013, p. A1. Once reluctant to report a breach, more companies are now coming forward. The Times provides quite a list -- including Apple, Google, Facebook, and Twitter.

In fact, the Times was the first of three major papers to acknowledge they'd been hacked, probably from China, followed by similar revelations from the Wall Street Journal, and the Washington Post.

Earlier this month President Obama signed an executive order "that promotes increased information sharing about cyberthreats between the government and private companies that oversee the country’s critical infrastructure . . .." Michael S. Schmidt and Nicole Perlroth, "Obama Order Gives Firms Cyberthreat Information," New York Times, February 13, 2013, p. A16; "Improving Critical Infrastructure Cybersecurity," February 12, 2013, whitehouse.gov. (And see "Cybersecurity," National Security Council; "The Comprehensive National Cybersecurity Initiative," National Security Council; "Cyberspace Policy Review," White House (2009).) [Photo credit: multiple sources.]

Our computerized defense installations, including the nuclear arsenals, are getting millions of hostile hits a day. Defense Secretary Leon E. Panetta says that "the United States [is] facing the possibility of a 'cyber-Pearl Harbor' . . . [that] could dismantle the nation’s power grid, transportation system, financial networks and government." Elisabeth Bumiller and Thom Shanker, "Panetta Warns of Dire Threat of Cyberattack on U.S.," New York Times, October 12, 2012, p. A1. We now have an Army Cyber Command -- not to mention our real world, lethal video game controllers, operating drones in Pakistan and Yemen, among other countries, from comfortable locations here at home. (See "Home Grown Drones," February 16, 2013.)

If, with all their multi-billion-dollar resources, our government, military, corporations and other major institutions are under cyberattack, and losing more often than not, what hope is there for the rest of us?

Fortunately for us, like risks to our health, it turns out that the greatest risks to our computers are well within our control.

How many times have you heard these health tips: get a full night's peaceful sleep, control your weight (getting from "obese" to "overweight" is a good start), eat more raw fruits and vegetables (and less sugar, salt and fat), exercise (both aerobic and strength training) 30 minutes a day, eliminate all tobacco and other drugs, keep alcohol consumption to a minimum, fasten your seat belt in the car and wear your helmet when riding a bike. Whether we're looking for ways to reduce our risks of heart disease, or cancer, or diabetes, or arthritis, or Alzheimer's disease, or other conditions, the advice usually includes these same basics.

Do we follow this advice? That's another matter -- albeit one that costs us $100s of billions in excess health care bills. The point is, whether the health of our bodies or the security of our computers, many of the factors are within our control.

No one can make their home or car 100% theft-proof. Thieves can break a side window on your car, or on a second story bedroom, and remove contents. However, they are less likely to take your stuff if you lock the doors to your house than if you leave them ajar; or if you close the windows and lock the doors of your car than if you leave the windows down and the key in the ignition.

If you are a computer professional, you already know what follows and far more. If not, here are some simple suggestions -- the computer equivalent of locking your house and car -- that can save you from most of the computer grief, some say as much as 90% or more, that can otherwise come your way. (Basic security for handheld mobile devices may be covered in a subsequent blog entry.)

1. There's no perfect security. Assume every email or text message you send could show up on the front page of your local newspaper, and may have already been scanned by your employer and some government agency. Every photo or bit of information about yourself you or your friends put on Facebook, or you share with an online merchant or Web page, may find its way to those you wish didn't have it. Every program you install on your computer may come with, or develop, vulnerabilities that enable strangers to enter your computer. [Photo credit: multiple sources.]

The only surefire way to avoid contributing to such problems is to stay off the Internet entirely, or at least put your most private material on a computer that's never connected to the Internet. Even then, of course, there's no way to protect yourself from what others put on the Internet about you, or release from supposedly confidential files. The University of Iowa recently had a couple of examples of this. Ryan Foley, "University of Iowa apologizes for privacy breach; A staff member mistakenly sends an email to 2,000 students with all of their GPAs," Des Moines Register, February 8, 2012; Clark Kauffman, "Register Investigation: University of Iowa gives private student data to Johnson sheriff; Info on gun permit applicants' classroom performance, discipline history is protected by federal law," Des Moines Register, February 20, 2013; Clark Kauffman, "U of I suspends record sharing; University addressing concerns raised about student information given to law enforcement for gun-permit checks," Des Moines Register, February 23, 2013.

What is possible, however, is to reduce 90% or more of these risks by applying some common sense basics, and finding someone you can consult with about the rest -- even if she turns out to be your 14-year-old computer geek neighbor.

2. Preventing loss of your computer. Roughly 10 million computers are stolen each year. Keep an eye on yours -- especially in airports. Don't leave it visible in your car or home. If you use it in public places, or at work, consider a cable and lock sold for this purpose.

3. Preventing loss of your data.
(a) If your software doesn't automatically save your work as you write, save it manually. Don't risk losing two hours of writing if the power goes off.
(b) If you're working on, or modifying, a document over time, save daily versions separately (e.g., "article-Dec 20," "article-Jan 21"). When the current version mysteriously disappears you will at least have the next most current available.
(c) The only thing that can be said with confidence about every computer's hard drive is that some day it will crash. Get an external hard drive, and use a backup program at least once a week that will save any newly created or changed files -- or at least copy to that drive the files you really don't want to lose. Store the external drive somewhere away from the computer (so that if your computer is stolen or damaged your backup drive doesn't disappear with it).
(d) If the files are worth greater protection (from fire, flood or theft of your external hard drive), like an entire doctoral dissertation manuscript, back up your files to a second external hard drive kept in a safe deposit box or other safe place away from the first external hard drive.
Nothing can eliminate every possibility of loss, but these suggestions will prevent some of the most common causes.
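The "copy any newly created or changed files" behaviour described in 3(c) is simple enough to see in code. The following is an added example, not software from this post or from any backup vendor: it walks a source folder, compares each file's SHA-256 hash with the copy already on the backup drive, and copies only what is new or different. The folder names ("documents", "external_drive") and the sample files are constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large files don't fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_changed_files(source, destination):
    """Copy every file under `source` that is new or changed since the last run.

    A file counts as changed when its content hash differs from the copy already
    in `destination`. Returns the relative paths that were copied, so a weekly
    scheduled job can log exactly what it did.
    """
    source, destination = Path(source), Path(destination)
    copied = []
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source)
        dst_file = destination / rel
        if dst_file.exists() and file_digest(dst_file) == file_digest(src_file):
            continue  # unchanged since the last backup: nothing to do
        dst_file.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src_file, dst_file)  # copy2 preserves the modification time
        copied.append(rel.as_posix())
    return copied


def demo():
    """Run three backups over a constructed temporary folder tree.

    Returns what each run copied: everything the first time, nothing the
    second time, and only the edited file the third time.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"        # constructed: stands in for your home folder
        dst = Path(tmp) / "external_drive"   # constructed: stands in for the backup drive
        (src / "thesis").mkdir(parents=True)
        (src / "thesis" / "chapter1.txt").write_text("Introduction\n")
        (src / "notes.txt").write_text("todo\n")

        first = backup_changed_files(src, dst)
        second = backup_changed_files(src, dst)
        (src / "notes.txt").write_text("todo: back up weekly\n")
        third = backup_changed_files(src, dst)
        return first, second, third


if __name__ == "__main__":
    for label, result in zip(("first", "second", "third"), demo()):
        print(f"{label} run copied: {result}")
```

Hashing both sides is slower than comparing sizes and modification times, but it is the check that actually answers "is the copy on the drive identical?", which matters when the backup is the only copy you have left.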

Preventing unauthorized access. The computer hacking making the headlines involves unauthorized acquisition of military or corporate intellectual property, trade secrets, and the pathways to bring down our electric power grid or other infrastructure. Nobody is going to hack into your computer looking for that. So what is your risk; what might strangers be doing with your computer?

The possibilities are endless, limited only by the hackers' imagination.
(a) They may be in the identity theft business, looking for enough of the details about your financial and other relationships to pass themselves off as you.
(b) Depending on your employer, they may try to use you as a pathway into their industrial espionage of the computers in your workplace. (Most people who find a flash drive in the company parking lot bring it into work and put it in their office computer.)
(c) Perhaps they're after your money, seeking to transfer money out of your bank account, or charge items to your credit cards.
(d) Maybe it is your entire list of friends' email addresses they want, in order to sell them to spammers.
(e) They may install a bit of software that captures each of your keystrokes, including your passwords.
(f) There is software that enables them to take over your computer without your knowledge, linking it to their network of computers used to send out spam or viruses -- maybe in your name from an email account of yours.
(g) They may just be up to devilment, leaving software that will erase files, slow operations, bring your computer down completely, or instruct it to destroy itself -- just to show off to their friends.
(h) And once in your computer, they would have access to all of your documents, spreadsheets, photos, or other things you might consider private.
So what can you do?
4. Use passwords -- or maybe even encryption.
(a) Password protect your computer. That way, if you need to leave your computer from time to time, but like to keep a number of Web sites or files open, rather than having to log off (and reopening everything when you return) you can just press CTRL-ALT-DEL, and choose the "Lock" option. When you return, enter your computer's password; the screen, sites and files you last saw will be waiting for you.
(b) Obviously, you don't want to put passwords on Post-It notes on your computer screen, or in your top desk drawer, or share them with others.
(c) You shouldn't use the same password, or minor variations of one, for all sites. It makes it too easy for those trying to get to your stuff.
(d) Perhaps less obvious, you want to make it hard to guess. A distressingly large number of cell phone passwords are "1234," "5555," or the equivalent in their inability to slow up an intruder. Make your passwords at least 8 characters, and include every category on your keyboard: capital letters, lower case letters, numbers, and those symbols above the numbers, like the "#" sign above the keyboard's number "3." Of course, the stronger the password (number of characters, mix of characters) the more difficult it is to remember and use. That might be worth it for the password to your online banking, but a weaker one might be enough for your local online newspaper.
(e) If you have a number of passwords you'll need a way to record what they are and save them -- preferably not on your computer. You might want to consider a master password system, such as LastPass.com; but they involve more description and instruction than can be provided here.
(f) Finally, to borrow from Big Pharma's TV ads, "Ask your computer consultant if encryption might be right for you." Like passwords, encrypting a file will provide an added layer of security, but also create, like master passwords, one more thing you'll have to learn about, and step to go through, in using that file.
And see, Gregory Johnson, "Yahoo Accounts Vulnerable to Hacking -- Why and How to Protect Yourself," ResourcesForLife.com, February 5, 2013.
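The rules in 4(d) (at least 8 characters, every keyboard category, nothing like "1234" or "5555") can be turned into a checker you run against a candidate password before you adopt it. This is an added example written for this post, not code from the post or from any password manager; the rule names it returns and the rough "search-space bits" estimate are choices made for the illustration. The estimate assumes an attacker who must try every combination from the character pool the password uses, which is why a longer password from a bigger pool scores higher, matching the post's point that the bank login deserves a stronger password than the newspaper login.

```python
import math
import string

# Thresholds taken from the post: at least 8 characters, all four keyboard
# categories (capitals, lower case, numbers, symbols above the numbers).
MIN_LENGTH = 8


def is_repeated(pw):
    """True when the password is a single character repeated, e.g. "5555"."""
    return len(set(pw)) == 1


def is_sequential(pw):
    """True when each character is exactly one step after the previous ("1234", "abcd")."""
    return all(ord(b) - ord(a) == 1 for a, b in zip(pw, pw[1:]))


def check_password(pw):
    """Return the names of the rules a password fails; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isupper() for c in pw):
        failures.append("uppercase")
    if not any(c.islower() for c in pw):
        failures.append("lowercase")
    if not any(c.isdigit() for c in pw):
        failures.append("digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("symbol")
    if pw and (is_repeated(pw) or is_sequential(pw)):
        failures.append("pattern")
    return failures


def search_space_bits(pw):
    """Rough strength estimate (assumption for this example): log2 of the number of
    strings an attacker would have to try, given the character pool the password uses."""
    pool = 0
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # 32 printable symbols on a US keyboard
    return len(pw) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    for candidate in ("1234", "password", "Tr0ub4dor&3"):  # constructed samples
        print(f"{candidate!r}: fails {check_password(candidate)}, "
              f"~{search_space_bits(candidate):.0f} bits")
```

Passing these checks is a floor, not a guarantee: a password built from dictionary words with predictable substitutions still passes the category test, which is why the post's next suggestion, a master password system, is usually the better answer for anyone with many accounts.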

5. Update your programs. You may not care about the features offered in the latest updated versions of programs you use. What you do need to care about are your computer's vulnerability to attack as a result of the current versions you're using. The more popular the program the more likely it is to have been targeted by those spreading viruses and other malware -- programs such as Java, Adobe's Acrobat Reader, Microsoft's Internet Explorer, and Google's Chrome. Again, there is no 100% protection from these attacks. But well over 90% of them are attacks by way of programs that have not been updated. Most browsers and programs provide a feature for automatic updates at no additional charge to you. They are primarily software patches to the program's newly discovered vulnerabilities. If you're compulsive about keeping them updated you will eliminate most of the risk -- not all, but most.

6. Be cautious of Wi-Fi connections. A Wi-Fi connection to the Internet turns your laptop into a radio transmitter and receiver. (As distinguished from connecting with what is called an Ethernet cable.) Some Wi-Fi connections are open to the public, others are secured with passwords. If you're using your own at home, make sure your consultant geek knows how to maximize your security (applying the same password suggestions as in 4, above). If you're out in public, find out how secure the system is -- and probably save any financial transactions until you're back home.

7. Be skeptical. If you're over the age of 5 you probably know about scams. If someone emails you, asking you to accept their $15 million from Nigeria, after you send them a deposit, it's highly unlikely you'll ever see the money you sent them again -- not to mention any of the $15 million. Those are relatively easy. More difficult are emails from people you know (whose email accounts have been hacked) that you open reflexively before noticing, and wondering why, they are now using an email address from Russia. It's an especially good idea never to click on Web addresses in emails from people you don't know, or even from people you do know if the email doesn't look quite right, or like something they would have sent. It's highly unlikely that your bank is asking you to send it your Social Security number, or online banking password, however much that email may look like it came from your bank.
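Two of the warning signs in step 7 (a familiar name writing from an unfamiliar address, and a link whose visible text names one site while it actually goes to another) can be checked mechanically before anyone clicks. The following is an added example for this post, not code from it or from any mail client: the address book, the message, and the domains (all under the reserved `example` names) are constructed for the demonstration, and the function names are my own.

```python
import re
from urllib.parse import urlparse

# A link's visible text only gives us something to compare when it itself looks
# like a web address ("www.bank.example" or "https://bank.example/login").
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#].*)?$", re.I)


def displayed_host(text):
    """Host named by a link's visible text, or None if the text is just words ("Click here")."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None


def link_mismatch(display_text, href):
    """True when the text shown for a link names one host but the link goes to another."""
    shown = displayed_host(display_text)
    if shown is None:
        return False  # nothing to compare against; the user still has to read the real address
    actual = urlparse(href).hostname
    return actual is None or shown != actual.lower()


def assess_message(address_book, display_name, from_address, links):
    """Return reasons to be skeptical of a message; an empty list means none were found.

    address_book maps the display names you know to the address they normally use.
    links is a list of (visible text, real href) pairs taken from the message body.
    """
    reasons = []
    known = address_book.get(display_name)
    if known is not None and known.lower() != from_address.lower():
        reasons.append(f"'{display_name}' normally writes from {known}, not {from_address}")
    for text, href in links:
        if link_mismatch(text, href):
            reasons.append(f"link text '{text}' actually points to {urlparse(href).hostname}")
    return reasons


# Constructed samples: one suspicious message and one ordinary one.
ADDRESS_BOOK = {"Alice Example": "alice@example.com"}

SUSPICIOUS = dict(
    display_name="Alice Example",
    from_address="alice.example@webmail.example.net",
    links=[("www.bank.example", "http://login.bank-verify.example/reset"),
           ("Click here", "http://login.bank-verify.example/reset")],
)

ORDINARY = dict(
    display_name="Alice Example",
    from_address="alice@example.com",
    links=[("www.example.com", "https://www.example.com/photos")],
)


if __name__ == "__main__":
    for label, msg in (("suspicious", SUSPICIOUS), ("ordinary", ORDINARY)):
        print(label, "->", assess_message(ADDRESS_BOOK, **msg) or "no warning signs found")
```

Note the limit shown by the "Click here" link: text that is just words gives the check nothing to compare, so the habit the post recommends, reading where a link really goes before clicking, is still needed for those.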

As we began, "There's no perfect security." We may not have the computer security problems confronting our military, banks, and other large corporations, but we have our own set of challenges. We also have our own set of solutions, thankfully much simpler than those required by large institutions. Moreover, as with maintaining our health, most of the reasons for unauthorized intrusion into our computers are within our control. Whether we choose to exercise that control is up to us.

# # #