A VPN provider says that concerns it may be forced to hand over its encryption keys to United States authorities have led it to take the decision to shut down its consumer services. CryptoSeal says that information revealed as part of the Lavabit case has undermined its original understanding of United States law and made its position untenable. Shutting down, the company says, is the only solution to protect customer privacy.
As the revelations of Edward Snowden roll on and on the notion that individuals in the United States, or indeed citizens of any country, have any real online privacy is being continually undermined.
As a result, interest in anonymity services such as Tor and VPNs has increased as even regular Internet users balk at the idea of being monitored.
While there are hundreds of providers to choose from, one particular US-based company has decided that the current environment on home soil makes it impossible to offer an effective consumer-focused service.
“With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability,” the company said in a statement.
While it’s not unusual for a provider to leave the marketplace, CryptoSeal says that the ground has recently shifted beneath its feet, meaning that the legal basis on which the company was founded can no longer be relied upon.
“Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product,” the company says.
The problem, CryptoSeal says, relates back to the recent Lavabit case. The now-shuttered email service used by Edward Snowden closed down in August, with founder Ladar Levison saying that he had been “forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit.”
Lavabit had been targeted by U.S. authorities but rather than compromise the privacy of his users, Levison decided to close the service down instead. He is currently tied up in a legal battle with U.S. authorities and it’s a document from this case that has caused CryptoSeal to shut down its consumer service.
“The Lavabit case, with filings released by Kevin Poulsen of Wired.com reveals a Government theory that if a pen register order is made on a provider, and the provider’s systems do not readily facilitate full monitoring of pen register information and delivery to the Government in realtime, the Government can compel production of cryptographic keys via a warrant to support a government-provided pen trap device,” CryptoSeal state.
A pen register is a device originally created in the 1800′s for recording telegraph signals on paper but more recently the term has been used to describe devices that can monitor telephone lines and Internet communications. Since VPN communications are encrypted, CryptoSeal believes that the only way it would be able to comply with a pen register order would be to do the unthinkable – hand over its encryption keys.
“Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner. The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion, and likely unconstitutional, but until this matter is settled, we are unable to proceed with our service,” the company informs.
While encouraging customers to donate to Lavabit’s defense fund, CryptoSeal says it is currently investigating whether it will be able to provide a consumer VPN service in the future without compromising user privacy. The company signs off with the following call.
“For anyone operating a VPN, mail, or other communications provider in the US, we believe it would be prudent to evaluate whether a pen register order could be used to compel you to divulge SSL keys protecting message contents, and if so, to take appropriate action,” CryptoSeal concludes.