Lavabit

written on Friday, 09 Aug 2013

On Thursday, 8th of August, after more than 40 hours of so-called 'system maintenance', the privacy-focused email service Lavabit has been shut down by its owner and operator. This event has received lots of press and thus it does not make sense to retell what others have expressed in a very detailed manner with speculations included.

I would rather like to share a point of view of a customer who has been unsuccessfully trying to get his emails for nearly two days while having very little information about what is going on.


I started using Lavabit about a year and a half ago. Back then I decided it was about time to stop giving so much data to Google. I've been using DuckDuckGo for a while and it did a great job in replacing Google as my primary search engine [1].

The next step was email. I quite vividly remember the DuckDuckGo forum being flooded by requests to build a private alternative to Gmail. But DuckDuckGo's mission has been different and so they kept forwarding people to a list of privacy-focused email providers.

The first and possibly most popular provider on the list had an interesting name: Lavabit.

So I decided to give it a try. Meanwhile, I also bought a personal domain name and wanted to use it for email too. So I had a little discussion with Lavabit support, paid for the premium account and got everything set up in a day.

In the next 13 months I have had no serious problem with the service.

Up until around a month ago.

I've noticed a few short outages, each lasting for at most two hours so nothing serious. The emails I should have received at that time still came in afterwards so there was no reason to be mad or anything. The news section on their website has also been updated (after more than a year) saying that they added new servers to improve performance which was a sufficient explanation for me.

On 7th of August, approximately at 7:30 UTC the service went off again. I thought it was nothing serious and that the service will be back online in a few hours. Two days later, it did not happen and very probably never will.

Those two days were quite difficult for me as a Lavabit user. Email is the most important means of communication online. The inability to receive and send it put me in quite a difficult situation.

After the system has been offline for 6 hours I started to investigate. At first I tried to check out the official Lavabit page. No luck, I could not find anything in the news section or anywhere else. My last hope was that they might go around the servers which were offline and let people at least use the webmail.

Well, I was wrong. The system was down for good. The webmail at least responded that it is down for maintenance. Six hours seemed a bit too much, especially given the fact that it took place in the 9-5 time range. But I still had hope in Lavabit and told myself that one day of email diet will not hurt and that those emails will eventually come in. In the meantime the news section on the website got an update, it said that 'Servers are offline because of undergoing maintenance...'. A bit frustrated I went to find some sleep and hoped it will get better the next day.

When I woke up, it was obvious that it did not. At this point it started to be serious. I was under quite a workload so at first I did not have much time to think about it but in the evening I lost all my remaining patience. I tried to find out more information from some Lavabit representative but there was nowhere to look. They had a contact form on their webpage so I tried to use that. Once I submitted it, it only showed a message which said that it is offline. Interesting situation. An email company has a contact form which sends an email. So once their service is down all of their own emails are down and the customers are cut out of support. Eating your own dog food is a good idea. You just should not cross the line.

And Lavabit apparently did. I once again tried their webmail -- no luck. Now it just said '404 Not found'. Something was going on and I still did not know what.

After a while I found this forum thread about Lavabit. It made me feel a bit better, I was apparently not the only one who did not know what was going on. Curiously enough, Pete, the guy who has been in charge of support at Lavabit, knew precisely as much as I did. After reading the thread I started to have a suspicion. When I looked up Lavabit on Twitter to find out what's wrong I found an article which said Edward Snowden was also apparently using Lavabit. Some suggested that it might be related and it would indeed make sense.

In the meantime, Pete tried to be very responsive on the forum, trying to handle the situation the best way he could. From his responses it became obvious that Lavabit was a really small company. I have nothing to prove it [2] but it seems that there was just Pete and Ladar, the founder and operator, running the whole company. If we take into account the fact that Lavabit has been operating since 2004 I must say that it is quite an achievement. Some again suggested that it's not that small, its own website says that it has 400,000 registered users. Pete responded that that number only shows the number of registered users, not the active ones. And even then, less than 10% of the active customers were paying for the service. It might be worth noting that these users paid $8 or $16 for the premium service.

Suddenly, someone posted the email which showed up on the Lavabit website. It said this:

My Fellow Users,

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Sincerely, Ladar Levison Owner and Operator, Lavabit LLC

What struck me the most was the last line.

But there were also other parts which looked very interesting. Ladar was talking about the last six weeks. If we look at the date of the article from which it became apparent that Edward Snowden uses Lavabit we can easily see that it was written around 28 days ago. In other words four weeks. I am not sure what happened in the other 14 days but the range of six weeks pretty much fits the time range when I first experienced minor outages. I am not sure if it is related but I would not be afraid to say so.

In the forum thread Pete many times said that Ladar has been moving data to some other storage and it took longer than expected. I am again not sure what to think about this and let the reader make his or her own conclusion.

If a service which has been running for 10 years is just shut down and the owner and operator is not legally able to explain why, it opens up room for speculation. Obviously, it is happening in this case too. Many speculate on why, how and what for and I would not be surprised if some of it was indeed the truth. This HackerNews discussion suggests that they might not have been asked to hand over the data but to make changes to their system so that it would be easier for authorities to access the data.

Once again, I do not know what to think about that and so I'd like to leave the judgement to the reader. But I am very proud that I've been using an email service that chose to close down rather than, in the words of the founder, 'become complicit in crimes against the American people'.

But it is not over yet. Lavabit will very likely have to fight for its users in court. If privacy means something to you and you can see some value in what Lavabit has done I suggest you donate to the Lavabit Legal Defense Fund.

Here is my last hypothesis: I don't think Lavabit has been founded to make its founder a millionaire. Its history page also suggests that. It was created as a direct alternative to Gmail. Yes, I know, what is wrong with Gmail? Go figure out. Yes, Lavabit did not have many features. Yes, there was no extra interesting development announced in the past few years. Yes, it did not have a fancy webmail service. Still, it had features the competition was unable to copy: it was an alternative which protected privacy till the very end. You don't make much money out of that. Fred Wilson put it very nicely in regard to DuckDuckGo:

We didn’t invest in it because we thought it would beat Google. We invested in it because there is a need for a private search engine. We did it for the Internet anarchists, people that hang out on Reddit and Hacker News.

Yes, there is a need for alternatives.

And I'm glad there are people who are still willing to support their existence.


So that was what I wanted to share about Lavabit. You can't use that anymore but you still need email. What now?

Well, I personally decided to try Neomailbox. They offer similar features as Lavabit did and even have a nice webmail [3]. Learning a lesson from Lavabit's example I chose my mail to be stored in Switzerland.

I do understand that you might not like Neomailbox as much as I do. Don't worry, DuckDuckGo has a page dedicated to privacy focused email services. I am pretty sure you will choose something you'll like.

Disclaimer: I am not affiliated with Neomailbox in any way, I just like their service (so far).

[1] I liked it so much that I decided to help out. Right now I'm part of the team.
[2] And I really do not know where I'd legally find something to prove
[3] Yes, I like it more than the one at Lavabit.