Yet another American Internet privacy service has bitten the dust, prompted by fears about broad government surveillance demands.
San Francisco-based CryptoSeal, a provider of virtual private networks that can be used to browse the Internet anonymously, has closed its doors to users of its private VPN service. In a statement posted online, CryptoSeal announced that a key factor in the closure was the government’s recently revealed attempt to force email provider Lavabit to turn over its private encryption keys. Lavabit shut down in August as part of an effort to resist a surveillance demand believed to involve NSA whistle-blower Edward Snowden, who was a Lavabit customer. Lavabit was ordered to turn over its master encryption keys in a way that could have potentially compromised thousands of users’ private data.
In an email interview Tuesday, CryptoSeal co-founder Ryan Lackey told me that the company had not received any similar government order. Rather, he decided to take pre-emptive action after reading court documents in the Lavabit case showing the government’s aggressive surveillance tactics related to so-called “pen-register” law. Pen-register orders are used to gather metadata about a communication, such as the “to” and “from” fields in an email but not the actual content. Lavabit was served with a pen register order believed to be seeking information about Snowden’s email account—but the company’s encrypted systems meant that it could not immediately turn over the data demanded. This frustrated the feds and led them to seek a sweeping warrant demanding that Lavabit instead turn over the encryption keys. In response, Lavabit’s founder chose to shut down his website as he felt that the demand was unlawful and would have forced him to commit “massive commercial fraud.”
Thirty-four-year-old Lackey says he was comfortable with the pen-register legal standard as he previously understood it—but that has now changed. “The post-Lavabit interpretation of a pen register order being enough to compel complete turnover of the service, if that’s the most effective way for USG to get pen register data, is terrifying,” he says.
Other companies offering secure communications agree. The government’s handling of Lavabit also prompted Silent Circle to pre-emptively shut down its encrypted email service, leading to a mounting standoff between the government and sections of the American tech industry. But as the latest company to call out the feds’ snooping methods, CryptoSeal doesn’t appear to have taken the decision lightly—and certainly can’t be dismissed as some sort of government-baiting anarchist outfit looking to jump on the bandwagon. Indeed, according to CryptoSeal’s website, Lackey is more familiar with being an ally, not an opponent, of the U.S. government. He has done contract work for the U.S. Army, the website says, and also helped set up a satellite network serving the U.S. and coalition governments in Iraq and Afghanistan.
CryptoSeal is still offering VPNs to users of its business service because, according to Lackey, the government “already has the unilateral right to inspect traffic at any time” in the field of regulated industries. In addition, he says, system administrators at companies using VPNs want to monitor their traffic for antivirus purposes and for malicious activity. But private users of CryptoSeal, of which Lackey says there were fewer than 1,000, will have to seek new VPN providers as the company feels it can no longer offer them a secure service. CryptoSeal is planning to work on a way to implement new technical measures that will notify its private VPN users if changes are made to configuration—giving them a heads-up if there was a Lavabit-style court order in place, for instance. But the changes aren’t expected until mid- to late-2014.
“Until then,” says Lackey, “we recommend individuals use offshore services.”