CryptoSeal VPN service opts to close down rather than grant NSA access
CryptoSeal issued a statement on Monday indicating that the company will still offer its VPN for businesses, but its consumer service will no longer be available. For a small fee, an individual user can establish their own encrypted internet connection through a VPN service and route all of their traffic through that point.
“With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled [purged], and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability,” the statement read.
“Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product.”
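The statement above says the service's keys were "zerofilled". The block below is an added illustration of what that means in practice and is not CryptoSeal's code: it destroys a key buffer with writes that the compiler cannot drop as a dead store, then verifies the wipe. The `key_slot` record, the `0xA5 ^ i` test pattern and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KEY_LEN 32

/* Zero a buffer in a way the optimizer cannot elide as a "dead store".
   Writing through a volatile pointer forces each byte write to happen,
   even when the buffer is never read again (the usual case for a key
   being destroyed at shutdown). */
void secure_zero(void *buf, size_t len) {
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Return 1 if every byte of the buffer is zero, 0 otherwise.
   Used to verify that key material was actually wiped. */
int is_zeroed(const void *buf, size_t len) {
    const uint8_t *p = (const uint8_t *)buf;
    uint8_t acc = 0;
    for (size_t i = 0; i < len; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* A minimal key record, as a service might hold one in memory.
   Constructed for this example; not CryptoSeal's data structure. */
typedef struct {
    uint8_t key[KEY_LEN];
    int live;   /* 1 while the key is usable, 0 once destroyed */
} key_slot;

/* Fill the slot with a constructed, non-secret test pattern standing in
   for real key material (0xA5 ^ i is never zero for i < KEY_LEN). */
void key_slot_load(key_slot *slot) {
    for (size_t i = 0; i < KEY_LEN; i++) {
        slot->key[i] = (uint8_t)(0xA5 ^ i);
    }
    slot->live = 1;
}

/* Destroy the key: wipe the bytes, mark the slot dead, and report
   whether the wipe verified. */
int key_slot_destroy(key_slot *slot) {
    secure_zero(slot->key, sizeof slot->key);
    slot->live = 0;
    return is_zeroed(slot->key, sizeof slot->key);
}

/* Run one load/destroy cycle and return 1 only if the key was non-zero
   before destruction and fully zero afterwards. */
int demo_wipe_cycle(void) {
    key_slot slot;
    key_slot_load(&slot);
    int before = is_zeroed(slot.key, sizeof slot.key);   /* expect 0 */
    int after = key_slot_destroy(&slot);                  /* expect 1 */
    return before == 0 && after == 1 && slot.live == 0;
}

int main(void) {
    int ok = demo_wipe_cycle();
    printf("wipe cycle %s\n", ok ? "verified" : "FAILED");
    return ok ? 0 : 1;
}
```

A plain `memset(key, 0, len)` just before the buffer goes out of scope is often removed by the optimizer because nothing reads the result; the volatile loop is the portable way to prevent that. Where available, `explicit_bzero` (glibc, BSD), C11's `memset_s` or Windows' `SecureZeroMemory` do the same job. Wiping in-process memory does not reach copies in swap, core dumps or backups, which is why the statement separately mentions deleting incidental records.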
Monday’s announcement is hardly unique. A number of privacy companies have made headlines in the months following the revelation that the US National Security Agency has secretly forced internet and telecommunication companies to install so-called backdoors that allow the government to collect and store emails and other messages.
CryptoSeal’s business VPN is not designed to block government access and, if the company is served with a pen register order, the NSA could technically gain access to protected messages and SSL keys and defeat other privacy safeguards. A pen register is capable of automatically recording large volumes of telephone numbers and internet access information.
“CryptoSeal Connect is not designed as a BitTorrent or other file-sharing VPN and is not designed to give you anonymity against the legal system,” the company told Ars Technica. “We fully comply with all warrants and subpoenas and are located in the United States. We suggest using systems such as the Tor Project for anonymity requirements.”
The statement continued, outlining “a Government theory that if a pen register order is made on a provider, and the provider’s systems do not readily facilitate full monitoring of pen register information and delivery to the Government in realtime, the Government can compel production of cryptographic keys via a warrant to support a government-provided pen trap device.”
The same issue forced the hand of Ladar Levison, founder and owner of Lavabit, the email service used by NSA whistleblower Edward Snowden. Levison opted to shut Lavabit down instead of complying with a government order compelling him to turn over the service’s SSL key, which would have granted the NSA access to all of Lavabit’s customers.
Although Levison had no choice but to turn over the SSL key, he did terminate the email service, giving the NSA nothing to comb through.
Lavabit pointed out in a recent court filing that officials also forbade the service from informing anyone – including its customers and partners – that it had compromised their security. According to the brief, government officials "insisted that all of those parties be affirmatively misled into believing that the system remained secure against exactly the kind of secret monitoring that the government was proposing."
While the federal government charged Levison $5,000 for each day he refused to comply, CryptoSeal founder and CEO Ryan Lackey reportedly posted a comment on Hacker News detailing the costs he was facing.
“The financial issue was the potentially huge liability due to a legal action or battle, not the [small] costs of operating the service,” a user thought to be Lackey wrote.
“If we were the legally best VPN option, I would have probably pushed to keep it going anyway and just shut down when/if that happened, but as it is, non-US providers run by non-US people [there are several good ones] are an objectively better option, so in good conscience there’s no reason to continue running a US privacy VPN service without technical controls to prevent being compelled to screw over a user.”