Lavabit and Silent Circle Form the Dark Mail Alliance

Intelligence agencies gained the upper hand in communications surveillance because internet technologists did not realize the extent to which it was happening. Now, following the Snowden leaks, the true scope of that surveillance has become apparent; and the technologists will inevitably kick back. Bruce Schneier voiced it in September: "The US government has betrayed the internet. We need to take it back... In particular, we need open protocols, open implementations, open systems – these will be harder for the NSA to subvert."

Green shoots are beginning to show. Lavabit and Silent Circle (two companies that recently shut down their 'secure' email services rather than have their users' privacy compromised by government surveillance) have joined forces to create the Dark Mail Alliance, with a vision of re-securing email. The intention is to develop an easy-to-use, peer-to-peer, ephemerally encrypted open source email system.

Announced at the Inbox Love email conference in Mountain View, CA, Silent Circle's Mike Janke blogged yesterday, "Silent Circle and Lavabit, as privacy innovators have partnered to lead the charge to replace email as we know it today – fundamentally broken from a privacy perspective – we have collaborated in developing a private, next-generation, end-to-end encrypted alternative."

By operating peer-to-peer, the email messages will not reside on or pass through a central server where they can be captured, by court order or otherwise, by national intelligence agencies.

By using ephemeral encryption keys (which are destroyed after use), there are no permanent encryption keys that can be subpoena'd by government. This means that while interception will still be possible, the encryption for every single email will need to be cracked individually – making dragnet surveillance effectively impossible.

Unlike some existing email encryption systems such as PGP, the Dark Mail approach is likely to be based on Silent Circle's existing Silent Circle Instant Messaging Protocol (SCIMP), and will also encrypt the metadata of emails.

"For the NSA and similar surveillance agencies across the world," reports Slate, "it will sound like a nightmare. The technology will thwart attempts to sift emails directly from Internet cables as part of so-called 'upstream' collection programs and limit the ability to collect messages directly from Internet companies through court orders."

Slate points out that covert monitoring would need to be done outside of the communication itself, on the sender's computer before encryption or on the receiver's computer after decryption – perhaps, suggests Slate, "by deploying Trojan spyware on a targeted individual's computer."

Silent Circle calls the new development 'Email 3.0,' and describes it as "an urgent replacement for today’s decades old email protocols (‘1.0’) and mail that is encrypted but still relies on vulnerable protocols leaking metadata (‘2.0’)." Both Silent Circle and Lavabit are encouraging other email providers to join the Dark Mail Alliance; and their vision is to make genuinely secure email available to everyone during 2014.

What’s Hot on Infosecurity Magazine?