In amassing data about every American’s communications, U.S. intelligence agencies are not only making many uneasy about their privacy, but also are endangering the nation’s leadership in innovation and security in communications technology.
Analysts, technology executives and former officials spoke about the recent decisions by two U.S.-based providers of encrypted email to shutter their services in response to actual or anticipated legal demands to surrender customer data.
“Other companies offering these services are starting to move offshore outside the reach of whatever is going on” in the United States, said Howard A. Schmidt, former White House cyberczar.
Indeed, operating a secure email service in the United States no longer may be an option, said law professor Fred H. Cate, director of Indiana University’s Center for Applied Cybersecurity Research.
“If you mean by ’secure’ a system to which the U.S. government cannot get access, it is beginning to look as if that might not be possible,” said Mr. Cate, who specializes in privacy, security and other information law issues.
Lavabit, the free encrypted email service used by National Security Agency leaker Edward Snowden, closed suddenly this month. Its founder said in a note on the company website that he took the drastic action to avoid being “complicit in crimes against the American people.”
In his note, Ladar Levison said the U.S. government had gagged him from explaining what had happened and why he felt compelled to close his Texas-based business. “I wish that I could legally share with you the events that led to my decision. I cannot,” he wrote.
Hours after Lavabit’s announcement, a Maryland-based company that offers encrypted communication services — SilentCircle — announced that it, too, was shuttering its email service and destroying all of its customers’ email archives.
SilentCircle CEO Mike Janke said the move was to pre-empt legal demands from Washington that the company turn over the “keys” to its customers’ encrypted emails and archived data stored on company servers.
“We saw the writing on the wall,” Mr. Janke said.
Encryption scrambles digital data by manipulating it according to a complex formula or algorithm, called a key. With the key, the data can be unscrambled. Without it, the information remains a mass of meaningless numbers.
The Patriot Act
Mr. Janke said SilentCircle needed to destroy its archives without notice because the company’s email servers had become “a treasure box” of data about its customers, which include several heads of state, some U.S. and allied special operations forces units, and 16 of the world’s largest companies.
“If we had given notice, it would have been like saying: ’You’ve got 12 hours to serve us [a subpoena].’ I bet we would have got a national security letter within 30 minutes,” he said.
National security letters are administrative subpoenas issued by the FBI without any judicial review. They require companies to produce a broad range of business records “relevant” to a terrorism or counterintelligence investigation.
Initially created to acquire bank records in money-laundering probes, the subpoena authority was expanded to cover communications businesses by Section 215 of the Patriot Act, the antiterrorism laws hurriedly enacted in the wake of the Sept. 11, 2001, attacks.
In June, Mr. Snowden revealed that national security letters were served on U.S. telephone companies to enable the NSA to build a vast database of information about every phone call made in the United States.
Mr. Janke said such broad use of national security letters is not exceptional. “If you get [one], they don’t have to say, ’Just give us [the data on] these three guys.’ They take it all,” he said.
Lawmakers who helped draft the Patriot Act have said they did not intend the provision to be used in this sweeping fashion, but Obama administration officials have said they informed Congress about the program in closed briefings and in recently declassified letters.
To assuage growing public concern that the NSA is eroding Fourth Amendment rights against unwarranted searches and seizures of property, President Obama recently outlined a series of new oversight and policy measures, including the appointment of a special board of outside advisers to examine how U.S. intelligence agencies use surveillance technologies.
He also asked Congress to review Section 215 of the Patriot Act. Critics say the provision is too broad and shrouded in secrecy.
’Everyone has a relationship’
The gag order that drew Mr. Levison’s complaints, for example, strongly suggests that his company was served a national security letter, because targets of such subpoenas are forbidden to disclose they have received such an order. Company officials cannot even reveal it to their boards of directors.
“The sheer time and cost of responding to these demands is oppressive for a small business,” said Mr. Cate, the law professor. “And at some point, the government stops playing nice and starts saying: ’You’re breaking the law, you could go to jail.’”
Mr. Levison advised any Americans wanting electronic privacy to choose communications and data-storage services that are not based in the U.S.
But Mr. Janke, whose company’s servers are in Canada and Switzerland, said that being located outside the United States offers no protection because of broad cooperation among Western intelligence and law enforcement agencies.
“The United States, the European Union, everyone has a relationship,” he said.
Mr. Schmidt, the former cybersecurity czar, noted the close cooperation among the 39 nations that have ratified the Budapest Convention on Cybercrime, which covers assistance in accessing and intercepting computerized data.
Even in Western countries, “most governments doing intelligence collection are not looking to use the court system,” Mr. Schmidt said. “Nation-states are going to do what they do, and they’re not going to advertise it.”
In addition, Mr. Janke said, email is nearly impossible to secure because the Internet addresses of the sender and the recipient are “exposed in any email system.”
Silent Circle will continue to offer encrypted video, phone and text services, he said, because those can be secured “end to end.”
In the cloud
But even encrypted emails cannot be secure because messages are stored on the company servers of the email provider. If they are encrypted, the provider will have a copy of the key and could be obliged to surrender by a national security letter.
Email stored on a third-party provider’s servers, such as Gmail, is the leading edge of the cloud-computing boom — with U.S. companies in the vanguard. In cloud computing, a company such as Google or Microsoft provides email, data storage or other services that companies once provided for themselves.
But Mr. Snowden’s revelations about sweeping data-gathering by the NSA, and the closure of Lavabit and SilentMail, have highlighted the fact that U.S. providers can be forced to secretly turn over private data to the government.
Last week, the German government announced a series of measures designed to boost European information technology companies and help create homegrown alternatives to U.S. cloud providers. The move has fueled fears that concerns about data privacy could be used as a back door to introduce trade barriers.
“Cloud computing-related protectionism is an issue,” said Laurent Lachal, a senior analyst at Ovum market research. “Regulations on issues like privacy can be used for protectionism.”
A business opinion survey has indicated growing concern among would-be cloud-computing customers about the broad legal powers of the U.S. government in relation to third-party data.
“One of the major concerns that motivates our customers, especially overseas, is the USA Patriot Act,” said Pravin Kothari, founder of California-based CipherCloud.
CipherCloud software works with cloud applications such as Google Gmail or Microsoft Office so that data can be encrypted and only the customers have the keys needed to unscramble it.
“If the government asks, there’s nothing we can give them that would enable the authorities to get access to the data,” Mr. Kothari said. “Even if the government also has the cooperation of the cloud provider, [they] must go directly to the customer to get access.
“We are giving control of the data back to the customer,” he said.
• Shaun Waterman can be reached at swaterman@washingtontimes.com.
Please read our comment policy before commenting.