
Silent Circle shuts down email service - fnordfnordfnord
http://silentcircle.wordpress.com/2013/08/09/to-our-customers/
======
scarmig
Convenient, maybe, but prematurely shutting down secure email because you
anticipate the government will come out to get you effectively does the
government's job for it.

Albert Hirschman wrote a famous book called "Exit, Voice, Loyalty" about
different styles of responses to conflict. Different strategies are certainly
called for in different situations. But most exit strategies (outside of
suicide) rely on retreats to spaces outside the sphere of influence of the
conflict initiator.

The existential space of the Internet is not the infinite, however. Although a
nurturing environment for human freedom, it's also a fragile ecosystem, and
giving up on a couple key nodes, in its current form, is enough to destroy it,
shadowy dreams of darknets notwithstanding. When freedom retreats from all
Internet spaces in the USA, that is plausibly more than enough to kill it as a
haven for freedom anywhere.

It's not the end of freedom or anything like that: maybe it's strategic to
retreat to spaces more decentralized and harder to compromise than the
Internet, and other fights can be fought and won in those. But that's not a
gamble I want to make, especially because the fight for Internet freedom
hasn't been lost yet! Not by a long shot.

ETA: This came off harsher than I anticipated: I had no idea that Silent
Circle is a project of Phil Zimmermann. Damn, that's dispiriting. Time to pop
open a beer.

ETA2: Yeah, I think I jumped to conclusions about their central motivation and
shouldn't have implicitly doubted as much their stated reasons. Boo me.

~~~
JshWright
I'm a Silent Circle employee, but I'm not speaking in any official capacity...

The issue with email is that we _had_ to touch plaintext at times. People
expect email to work universally, so we had to accept unencrypted mail from
outside clients, which we then encrypted for our users. That is a major
departure from our other services. It's something we disclosed quite clearly,
but we've decided that even with the disclosure, it's simply not worth the
risk. We don't even like the idea of storing ciphertext (and obviously,
running a mail server means you end up storing a fair amount of it). You can't
be compelled to give up what you don't have.

This isn't a 'retreat.' Silent Mail was used by a relatively small percentage
of our users. Silent Phone and Silent Text are services that we can provide
'responsibly' (in that we don't ever see plaintext, and hold ciphertext in
extremely limited situations). They are our core services, and provide our
users with some of the tools necessary to communicate securely and privately.
We aren't giving up the fight by any means.

EDIT: llamataboot summed things up very nicely in another comment thread.
[https://news.ycombinator.com/item?id=6183394](https://news.ycombinator.com/item?id=6183394)

~~~
mtgx
Can't you offer PGP-only e-mails, and just tie everyone's public key to their
"profile" on the service? Then, even if they don't specifically have that
person's public key, they can still send them e-mails through PGP as long as
that other person also has a Silent Circle e-mail account (because you already
have that person's public key, so you can connect the two).

And _of course_ you should not offer e-mail outside of Silent Circle in any
way. I actually can't believe you did that. Silent Circle was supposed to be
all about security, not "convenience". If some customers didn't like that,
then they shouldn't use it. Now look at the mess you created because you
thought it's good to have the convenience of sending anyone an e-mail. You
shouldn't have offered that to begin with.

So see if you can come back with a PGP-only e-mail in a way that you couldn't
add some kind of spyware to get people's private keys if NSA asked you to do
it. It might also be a good idea to offer the maximum encryption level (RSA
4096 bit?) if you can afford it (or ask them more money for it), since PGP is
more vulnerable to cracking than say OTR, especially if they _target_ some of
your customers. And use forward secrecy for the TLS channel.

Is there any way you could use the Bitmessage protocol? Or whatever Retroshare
is using for e-mails?

~~~
StavrosK
The offering _was_ PGP-only email. The server encrypts the message when it's
sent so the user doesn't have to install PGP. That's why plaintext was
visible.

------
joetek
TechCrunch has further information:

In a statement to TechCrunch about whether the shut down was only because
Silent Circle felt email was insecure, CEO Michael Janke tells us

“It goes deeper than that. There are some very high profile people on Silent
Circle- and I mean very targeted people- as well as heads of state, human
rights groups, reporters, special operations units from many countries. We
wanted to be proactive because we knew USG would come after us due to the
sheer amount of people who use us- let alone the “highly targeted high profile
people”. They are completely secure and clean on Silent Phone, Silent Text and
Silent Eyes, but email is broken because govt can force us to turn over what
we have. So to protect everyone and to drive them to use the other three peer
to peer products- we made the decision to do this before men on [SIC] suits
show up. Now- they are completely shut down- nothing they can get from us or
try and force from us- we literally have nothing anywhere.”

[http://techcrunch.com/2013/08/08/silent-circle-preemptively-...](http://techcrunch.com/2013/08/08/silent-circle-preemptively-shuts-down-encrypted-email-service-to-prevent-nsa-spying/)

------
plg
As someone who followed Phil Zimmermann's epic battle with the US govt in the
1990s over PGP, I am seriously bummed by this news. For someone with as much
personal conviction and moral depth as Phil Zimmermann to essentially
pre-emptively give up on the idea of offering truly secure email means, to me,
that the US government has now crossed a certain threshold that will be very
very difficult to come back from.

Think about it. It's chilling. The idea that a paragon of privacy and
encryption, not to mention a legend in terms of standing up to the government
for freedom, has now said "I fold" to the simple idea that an American company
offers true privacy of email communication.

How long before we have government installed microphones and cameras .... Oh
never mind. It's already here.

Maybe Americans will have to get their privacy tools from other countries.
Think about that for a second.

~~~
anologwintermut
His claim was that it was intrinsically less secure, not that the government
was stopping him.

~~~
mpyne
Which I would argue is correct. It seems to be intrinsically difficult (to say
the very least) to have a communications system that is open to anyone to send
messages to a given address (even if the sender is not known), and supports
queueing messages for eventual delivery so that both ends don't have to be
online at the same time.

The 'Pond' system mentioned elsewhere in this thread looks promising, for
example, but that system doesn't allow for unknown people to send messages.
This is _perfect_ for many communications needs but can't supplant email
entirely.

But I'll note if I'm reading the user guide [1] correctly that it's going to
be very difficult to set up contacts, exchange messages, etc. in something like
Pond, which would make its usage inherently suspicious (and liable for
increased attention thereby, if we assume general domestic surveillance).

[1]
[https://pond.imperialviolet.org/user.html](https://pond.imperialviolet.org/user.html)

------
llamataboot
Wow. Evidently they destroyed all the data preemptively as well. No notice,
just _poof_. You have to wonder if they thought the situation was dire enough
to not give people any warning that their emails were being lost. I understand
the decision from a security standpoint, but there must have been some fear up
in that decision room. Applaud them for the tough decision.

"Mike Janke, Silent Circle’s chief executive, said in a telephone interview
late Thursday that his company had destroyed its server. “Gone. Can’t get it
back. Nobody can,” he said. “We thought it was better to take flak from
customers than be forced to turn it over.”

[http://bits.blogs.nytimes.com/2013/08/08/two-providers-of-en...](http://bits.blogs.nytimes.com/2013/08/08/two-providers-of-encrypted-e-mail-shut-down/?smid=tw-share&_r=0)

~~~
plg
This is truly stunning. Reminds me of Soviet Russia from the 1970s and 80s not
America. Wow

~~~
rbanffy
I considered, for a brief moment, making a Russian inversion joke, but this
whole affair is not funny. Not at all.

------
declan
Silent Circle CTO Jon Callas has been participating in this G+ thread I
started this evening:
[https://plus.google.com/u/0/112961607570158342254/posts/9uyS...](https://plus.google.com/u/0/112961607570158342254/posts/9uySMokvg7k)

Excerpts: "If you're not afraid of the NSA, then encryption is good enough. If
you are, then the headers in your email leak so much information that you
don't really need to decrypt... Study the other headers and there are all
sorts of other things that one mailer or another leaks as well as all the
servers all along the way. Most importantly, all of this is permanently stored
in everyone's email archives which most of us keep lots of. This is what the
NSA wants. They want to construct the social graph, the interactions, the
timings. This is how they get "chatter." None of this is encrypted. This is
why email is broken in ways encryption can't fix..."
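
The point in the Callas excerpt above, shown on a message whose body is PGP/MIME-encrypted (an added example, not part of the thread or Silent Circle's code): everything the function returns is readable by any server that relays or stores the message, with no key needed. The message, hosts, addresses and the `visible_metadata` helper are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample: a PGP/MIME message with an encrypted body. All names,
# hosts and addresses are made up (example.org / example.net, RFC 5737 IPs).
RAW = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTPS; Thu, 08 Aug 2013 21:14:07 +0000
Received: from laptop.local (unknown [198.51.100.7])
\tby mx.example.net with ESMTPSA; Thu, 08 Aug 2013 21:14:05 +0000
From: Alice <alice@example.net>
To: Bob <bob@example.org>, carol@example.org
Subject: meeting
Date: Thu, 08 Aug 2013 21:14:03 +0000
User-Agent: ExampleMailer/1.0
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

def visible_metadata(raw):
    """Return what stays readable without any decryption key."""
    msg = message_from_string(raw)
    sender = getaddresses(msg.get_all("From", []))[0][1]
    rcpts = [a for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    # Each "Received: from HOST ... by HOST" line names a host that handled the mail.
    hops = [r.split()[1] for r in msg.get_all("Received", []) if r.split()[:1] == ["from"]]
    return {
        "edges": [(sender, r) for r in rcpts],           # who talks to whom
        "when": parsedate_to_datetime(msg["Date"]).isoformat(),  # timing
        "subject": msg["Subject"],                       # PGP/MIME leaves it in clear
        "relay_hops": hops,                              # servers along the way
        "client": msg.get("User-Agent") or msg.get("X-Mailer"),
        "body_encrypted": msg.get_content_type() == "multipart/encrypted",
    }
```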

------
jstalin
Maybe it's time for an entirely new message transmission protocol. Email
clearly is insecure and not securable.

~~~
ChuckMcM
I was thinking the same thing. In the past, when people have advocated
replacing SMTP with something else to combat spam, that idea is always shot
down with "too many clients, too much infrastructure" but if you have a new
application and real demand (and it seems like there is) then perhaps you
could get enough traction to make that work.

~~~
rdl
Isn't Pond (agl's thing) that?

~~~
shabble
For those wondering,
[https://pond.imperialviolet.org/](https://pond.imperialviolet.org/)

~~~
jaekwon
Hmm, I just started designing something quite like this.

[https://github.com/jaekwon/gourami/wiki/Protocol-Overview](https://github.com/jaekwon/gourami/wiki/Protocol-Overview)

I should take a look at pond. Thanks.

~~~
JshWright
Interesting 'collision' of aquatic themed names.

------
pkinsky
Are they shutting down preemptively because shutting down a service that has
received an NSL is illegal? I'll be watching what happens to Lavabit to find
out.

~~~
akavlie
Wait, what? Shutting down a service that has received an NSL is illegal?
Source?

~~~
pkinsky
NSLs come with gag orders, and it's possible that the government would view
shutting down a service entirely as a violation of the duty not to disclose.
It gets fuzzy here, because we're speculating on how a secret court will rule
on a body of secret law while working hand in glove with the NSA.

------
fnordfnordfnord
_"Silent Phone and Silent Text, along with their cousin Silent Eyes are
end-to-end secure. We don’t have the encrypted data and we don’t collect metadata
about your conversations. They’re continuing as they have been. We are still
working on innovative ways to do truly secure communications. Silent Mail was
a good idea at the time, and that time is past."_

They are keeping other services going, just shutting down email.

------
kintamanimatt
We're all aware that providers can be compelled legally to backdoor
aggregation points (i.e. central servers), but could they be forced to put
backdoors in their client software too? What about a letter or court order
compelling them to re-engineer their software to either remove strong
cryptography or force all traffic through a central point, thereby killing
their business?

~~~
Canada
Why not? And why stop there? Why can't providers be compelled to break into
peoples houses or perform assassinations?

------
joetek
Interesting strategy. So, while they were not able to store the content of the
emails, they still retained the metadata. That metadata could be subject to
subpoena, and if they destroyed the data after a request, they'd be in
contempt of court. Dropping the service pre-emptively lets them delete all the
data before they are asked for it.

------
anologwintermut
How is PGP encrypted email any less secure in terms of metadata analysis /
eavesdropping than a video call or a "text message" likely sent over OTR?

Obviously, those latter two protocols are forward secure and PGP is not, but
that doesn't seem to be what the post is dealing with.

Were they worried about key authentication? Did they not do end to end PGP?

~~~
nikster
It would be up to the client to install PGP for true end to end encryption.

What I was wondering - why don't they keep the email service but reject all
emails that are sent without PGP? Then people would have to go through the
pain of installing PGP but they would end up with truly secure email.

~~~
anologwintermut
Silent Circle is a software client and service, not a cloud hosted solution.
As such, they can do PGP themselves and (from my understanding) did.

~~~
JshWright
Silent Mail was not a separate client.

------
bredren
I think Silent Circle saw an opportunity to kill a service that made little
money, had heavy maintenance and is now making hay.

------
CaveTech
Seems more likely that this was a business decision under the guise of
something else.

~~~
llamataboot
citation?

~~~
alan_cx
You want a citation for what is essentially a thought?

Actually, I suppose one could simply link back to the post itself, since this
is the most reliable expression of that thought available.

------
mattkrea
Is there any standard out there for trying to create some "future" mail?

Ideally it would handle--or emulate--old email clients until they had time to
be upgraded but is this even under consideration now?

I think now more than ever we should evaluate SMTP and see what we can do to
either secure it or replace it.

Looking at a barebones SMTP server in Node.js I could see some ways to very
easily encrypt all data but that only goes so far.. you're still receiving the
normal mail headers you would get with any other platform.. I think we need to
get at this data but I am so far unaware of a solution to this beyond basic
TLS.

Thoughts?

------
camino020
Interesting to see talk about what is legal and what is not. Think about this:
Everything Hitler did in Nazi Germany was legal.

How about a law that tracking or stalking on the internet is the same as in
person, therefore illegal and punishable for everyone?

------
3327
true Patriots...

