Ladar Levison, creator of Lavabit. Photo via Flickr/Gage Skidmore.
After harnessing the power of crowdfunding to help pay for his legal defense, the man behind Edward Snowden’s email provider of choice has taken to Kickstarter to raise funds for a new secure email initiative: Dark Mail.
Ladar Levison, who shut down Lavabit in August after the FBI demanded he hand over private encryption keys, is looking to raise the curiously exact sum of $196,608 to improve on the service.
With Dark Mail, he plans to build a system that pretty much picks up where Lavabit left off. “The goal is to clean up and release the source code that was used to power Lavabit as a f/oss (free and open-source software) project with support for dark mail added,” he explains on the Kickstarter campaign page. Less than three days in, he’s already received nearly $70,000 from over 1,700 backers (though many commenters deplore the clunkiness of the Kickstarter campaign and its less-than-gripping video).
The campaign comes after Levison announced a partnership with encrypted communications firm Silent Circle. Calling themselves the Dark Mail Alliance (Levison joked that “black mail” might have the wrong connotations), they set out their mission statement: “Our goal is to provide end-to-end, user-to-user security. The type of security you get today with PGP, but integrating it into the protocol gives us the ability to secure the metainformation as it traverses the network, and make it easy enough that grandma can use.”
This is what you now see if you go to lavabit.com. Image via Flickr/Prachatai.
As it's integrated into the protocol, the encryption will be effectively invisible to the user. As Levison describes in the project description, “Dark Mail users will get the security of PGP without the cognitive burden; if someone can use email today they will be able to use Dark Mail tomorrow.” If all goes to plan with the initiative, there will be Dark Mail-compatible email clients built for Windows, Mac and Linux, as well as iOS and Android.
But while the new project has already garnered a lot of support, questions have been raised over Lavabit’s true track record when it comes to security. Pseudonymous security researcher Moxie Marlinspike posted a pretty damning op-ed on his blog (later picked up by Ars Technica) about the original Lavabit service, arguing that its primary security claim—that it wasn’t capable of reading users’ emails itself—wasn’t true. “The cryptography was nothing more than a lot of overhead and some shorthand for a promise not to peek,” Marlinspike wrote. “Even though it advertised that it ‘can’t’ read your e-mail, what it meant was that it would choose not to.” He did, however, praise Levison’s courage in defying the government’s requests and shutting down the service.
Ultimately—at least for most people who, like grandma, aren’t expert cryptographers—it comes down to trust. A service like Dark Mail, accessible even to those who don’t have any great technical knowledge, is a great idea. But as people see more and more of their online privacy compromised, it takes faith to accept someone’s word that, yes, their service is completely secure.