‘Scary you could be jailed for running computer service’ – CryptoSeal co-founder

VPN service CryptoSeal followed Lavabit in pulling the plug, fearing running afoul of US authorities. Ryan Lackey, co-founder of the computer firm, told RT about the current climate where people can be put behind bars just for running their businesses.

In August, the highly-encrypted email service Lavabit reportedly used by NSA leaker Edward Snowden went offline after it was ordered by a court to turn over its Secure Sockets Layer (SSL) private key – a cryptographic protocol designed to facilitate communication security over the internet – to the FBI.

The company objected, saying the key would grant the government access to communications by all 400,000 of its customers. Lavabit offered instead to add code to his servers which would provide the FBI the necessary information only for the target of the order. According to unsealed documents from the Federal District Court in Alexandria, Virginia, released earlier this month, the court rejected the offer, demanding that Lavabit hand over the SSL key or face a $5,000-per-day fine.
 
Fearing the legal precedent set by the Lavabit case, CryptoSeal followed suit earlier this week, saying it would be impossible to comply with a government order without turning over the crypto keys to its entire system.

RT:Tell us how your relationship with the National Security Agency unfolded?

Ryan Lackey: Well, we don’t really have a relationship with them. We just monitor the news and ran a service under what we believed was the law, where they would require a search warrant to extract [cryptographic] keys. It turns out that under the Lavabit case, they can use a pen register order or a D order, which is a much lower standard, to compel a provider to turn over keys. We can’t really operate in that environment, so we pre-emptively shut the service down; it was too risky to operate.

RT:We've spoken to the head of the secure email service used by Edward Snowden, Lavabit, on his experience dealing with the NSA. Let's take a listen quickly:

“I know they threatened me on more than one occasion with jail. I think the only reason they didn’t do it is because if they had, the service would have eventually shut down on its own with nobody to maintain it. And the only reason they didn’t arrest me after the shutdown was because of the media, the publicity. But it’s pretty scary to think about what lengths they’re willing to go to conduct these investigations.”

In that clip, he did say he’d experienced threats. Did you encounter any such threats?

RL: We haven’t experienced any threats. We certainly were compliant with US law and we always want to stay on the right side of US law. We just think in the case that the court rulings, the preliminary rulings are incorrect, and they’ll probably be overturned on appeal, or possibly by legislative change. But that’s not going to happen possibly for months or years, and in the interim it’s too scary. I fully agree with the operator of Lavabit: being threatened with jail or prison for running a computer service for people is a very, very scary proposition and I personally have no interest in going to prison.

RT:What then protects online services like yourself or Lavabit from being prosecuted for providing your service to people like Edward Snowden, whom you have nothing to do with? As for whistleblowers, how are they to be protected?

RL: The fourth amendment of the US Constitution is supposed to be protection against general warrants, which is what I believe the Lavabit case is about. There is supposed to be a very specific legal standard, where they need evidence about a specific person and a specific crime. They bring that to a provider, and then they can then get records, which has previously been the case. But in this case, they don’t appear to have followed that, and there is at least one judge who is willing to compel a provider to operate in violation of what I believe to be the US Constitution. So until that’s resolved, it’s very scary.

RT:  Let’s talk about the mass surveillance that is happening not only in America, but around the world. Who should be held responsible for such extensive surveillance on members of other peoples’ parliaments or even the public themselves?

RL: It’s unclear. I believe it is fairly standard for intelligence agencies to monitor foreign intelligence agencies or foreign militaries, and heads of state are certainly part of the military. But when it comes to monitoring private citizens and private businesses that aren’t involved in any sort of defense or national security, I think there needs to be a much higher level of protection. Certainly US persons in the United States should not be in risk of being monitored by the NSA except in truly exceptional circumstances like a terrorist plot. Private citizens in other countries should not be at risk of being monitored by intelligence agencies from any country. Private citizens doing their own thing and not involved in terrorism, not involved in the military or government, should be fully protected from this.

RT:How do you think the ongoing scandal will reshape the internet as we know it?

RL: I think the internet is ultimately just a system where people in many countries cooperate, so it really depends on the laws in each country. I think the United States, from a constitutional perspective, has strong protections, but there has been a weakening over time through court rulings. The problem is, when you have a bad case and a bad defendant, it tends to make bad law. A lot of the US cases involve very bad people, child pornography or other cases like that, and the judges are sort of willing to overlook the fundamental privacy issues and make rulings that are very favorable to the government, whereas in the abstract it’s a very bad idea.

In other countries, they do not have as strong protections. It’s going to be interesting to see other countries that have different levels of protection for privacy to operate on the internet. Part of that might be technology. We’re going to have stronger technical protections for privacy, so perhaps people will operate in countries where the laws might say one thing… and it’s very unclear if you’re the citizen of one country and you’re visiting another country what the legal standard really needs to be to turn over your records.