Dark Mail Alliance ‘fighting to bring privacy back’ by reinventing email encryption
In August, Lavabit and Silent Mail, the encryption email service of Silent Circle, both shut down suddenly. The news came just two months after it was revealed that the NSA is combing through vast quantities of the world’s emails. Both companies opted to close their operations rather than grant the intelligence agency access to users’ accounts.
Both companies resurfaced Wednesday, announcing in an email conference keynote that they have joined forces as the first two members of the new ‘Dark Mail Alliance.’ Lavabit founder Ladar Levison and Silent Circle CEO Mike Janke said they are working on a new open-source tool that promises to offer peer-to-peer, end-to-end encryption for any email service.
The cryptologists admitted it is hard to point to a specific launch date, but said they hope it will be available by the second quarter of 2014.
“We’re taking our inspiration from the Rebel Alliance,” Levison said, referencing the heroes who fought The Dark Side in the “Star Wars” movies. “We’re the rebels who have decided privacy is too important to compromise on. We’re fighting to bring privacy back to the internet.”
The new technology purportedly looks just like an ordinary email interface, complete with an inbox, sent mail, and draft folder. But by using an add-on, and with the consent of major providers like Google and Microsoft, Dark Mail will encrypt the message’s transfer.
This method is based on SCIMP, an instant messaging protocol used by Silent Circle that only saves the key code into the email for a very short time - essentially deleting the email after it has been read.
“We believe email is fundamentally broken in its current architecture,” said Silent Circle’s Janke, a former Navy SEAL. “This is an opportunity to create a new email service where the keys are created on the device and only the user can decrypt it.”
Dark Mail Alliance’s announcement was cause for celebration among security experts and throughout social media Wednesday, yet much of the technology’s success will rely on how widely it is adopted.
Levison and Janke said they plan to launch an iOS app and an Android app, as well as a desktop version for both Mac and Windows. It will also be available to customers who do not wish to leave their Gmail or Hotmail accounts - although when a message is sent from that subscriber to a non-Dark Mail user, a reminder will warn of the risk of interception.
Janke admitted that because the launch will be “politically hot,” monoliths like Google and Microsoft may refuse signing onto the service.
“We want to get the Googles, the Yahoos and the Microsofts to stand tall,” Janke said. “But it will be an interesting friction point. These companies make money by mining their free emails.”
Yet he said the surveillance state has become “completely out of hand,” adding that Dark Mail will only be stronger with more companies involved.
“Our vision is three or four years from now that this will become email 3.0 – the way the majority of internet users email,” he said.
The encryption services that are currently available merely hide the contents of a message - not the sender, recipient, or subject line, Slate noted. And encryption solutions like PGP, for instance, have been criticized for being difficult to use.
But to intercept messages vetted through Dark Mail, the NSA and other snoops would have no choice but to launch Trojan spyware on the computer of every individual they wish to monitor - a task so unwieldy that it becomes impossible to foresee on a mass scale.
Dark Mail would also prevent against the indiscriminate collection of metadata that so many users have unwittingly experienced over the past decade. Each Dark Mail message will be redirected through a hub. But unlike other services that employ similar methods, the information revealing where the message originated and where it was sent will be scrubbed as soon as possible.
This announcement comes after the FBI - acting as a proxy for the NSA - compelled Levison to hand over the SSL keys to Lavabit’s encryption, which would have left the service’s 40,000 users exposed as authorities pored through the data, presumably hoping to find any evidence against Snowden.
Faced with a $5,000 fine for each day he refused to turn over the SSL key and a costly legal battle that would have likely gone on for years, Levison eventually had no choice but to hand over the codes. He then immediately shut the site down.
He now says the Dark Mail Alliance will provide an encryption solution “easy enough for your grandma to use.”
The pair plans to release a white paper detailing the technical specifications within the next two weeks. By 2014, they hope to have dozens more companies involved.
“We want community participation on the protocols,” Silent Circle cryptographer Jon Callas told Forbes. “But we are not going to be sitting around, waiting for permission to do it. We’re going ahead with it even if it’s just the two of us.”