CryptoSeal (YC S11) Shutting Down Private VPN (cryptoseal.com)
205 points by Udo on Oct 21, 2013 | 119 comments

If you're gonna publish something with a PGP signature, at least make sure it's valid:

  mike@glue:~$ wget -q -O - https://privacy.cryptoseal.com/ | gpg --verify
  gpg: Signature made Mon 07 Oct 2013 12:38:07 BST using DSA key ID D2E0301F
  gpg: BAD signature from "Ryan Lackey <rdl@icloud.com>"

sigh, I think it got screwed up when someone put it on the website. And I'm currently in Asia for a conference and don't have my keys (intentionally...).

it still meets the xkcd definition of a secure pgp message, at least.

Replace the newline char immediately following the string "we relaunch a" with a space instead, and then it verifies.

I guess you didn't know about the fold command, either...

  cat my-aspergers-unformatted-text-file.txt | fold -s > readable.txt

Useful to know. Thanks.

Paste buffer fail or something. Fixed now.

Works here/now:

  $ wget -q -O - https://privacy.cryptoseal.com/ | gpg --verify
  gpg: Signature made Mon Oct  7 14:38:07 2013 EEST using DSA key ID D2E0301F
  gpg: Good signature from "Ryan Lackey <rdl@icloud.com>"
  Primary key fingerprint: B8B8 3D95 F940 9760 C64B  DE90 07AD BE07 D2E0 301F

We're currently sitting on a version of pfSense 2.1 that can run on EC2. (Ob disclosure, I own over half of ESF, the company behind pfSense.)

Amazon said they didn't want anything powered by FreeBSD in AWS. There are currently negotiations about running on a larger instance that supports the HVM, and avoids the 'Windows tax', but there are significant usage fees for that tier (today that's the cluster compute and M3 instances) as well.

We could release a variant of the AMI as a "public" AMI. It wouldn't be in AWS then, but it would be available. If your account is new enough, it would allow a completely free VPN service on Amazon's "free tier".

It would also allow people to set up their own VPN service (OpenVPN and IPSEC are both fully supported.) Hosting on top of EC2 isn't perfect (there are possible key recovery attacks from others hosted on the same infrastructure), but, correctly configured, Law Enforcement would need more than a pen register order to obtain anything beyond the enclosing IP packet data. Since, in theory, you would be your own provider, the FBI (or an equivalent in other EC2 zones) would have a higher burden to install even a pen register.

My question is: should we bother? Anyone with sufficient clue could set up a linux instance to do the same thing.

> My question is: should we bother? Anyone with sufficient clue could set up a linux instance to do the same thing.

You indeed could set up some basic stuff this way, but I wouldn't recommend it as a long term strategy. The way that our privacy product was built protected users from a variety of issues. I also wouldn't recommend using AWS for this till you can install your own trusted hypervisor and encrypt memory/disk/etc.

You can run on bare-metal providers like SoftLayer, which allows you run your own trusted hypervisor or OS. This, as you said, isn't currently possible on AWS.

Incidentally, PrivateCore has a trusted, remotely-attested hypervisor that encrypts memory and runs on providers like SoftLayer: http://www.privatecore.com

PrivateCore has some very cool stuff, I think they're one of the only solutions available right now.

Where did you hear that Amazon doesn't want FreeBSD on AWS? Colin Percival's postings on the matter seem to indicate otherwise; however, it's just not very high on their priority list. Also I believe there are FreeBSD images in the Marketplace.

If you don't think we've been working closely with Colin, ... you're wrong.

We heard it directly from Amazon. To quote:

"After reviewing with our team and leadership, we will not be able to list the product in its current form. Only products built on supported file systems are allowed, and specifically we are not accepting any new FreeBSD products into Marketplace."

As I indicated above, we are continuing to work with them. The "supported file systems" is about the process used to build the AMI. (And yes, Colin uses exactly the same process.)

I figured you would have been working with him, I was just going off of what his older posts have said. I didn't know they had somewhat changed their policies.

BTW, thanks for the work on pfSense, while I don't use it at the moment, it's been very useful in the past.

Before I got to the end of your comment I was going to suggest that anyone with an internet connection could do this. Indeed most home "NAS devices" actually have VPN applications. I'm not familiar with more than a couple of commodity home wifi routers but I know some also carried this functionality.

I guess the issue with needing a VPN is that you need one far away from where you are geographically.

Maybe I have misunderstood the whole thing.

Depends on what your goal is. Consumer VPNs have been used for an assortment of reasons. For some of these you would need a VPN server that is close by, while for others it should be far away:

0) Remote access to small business office
1) Connect to home router to access home network
2) To avoid ISP throttling of YouTube, etc
3) Download torrents, usenet
4) Commit crimes (routed through unallied nations)
5) To watch Netflix or Hulu from Europe
...

Yes, please. I'm cobbling together pfsense-on-aws for my own use and an actual pfsense-created AMI would be much nicer...

Well, get in touch. Email address is in my profile here.

You'll want to put it in the public field; the email in your profile is not publicly visible.

thanks. fixed.

To the founders of CryptoSeal. When you first set up, did you consider not being a US headquartered company? If so, what were the overriding factors that made you stay US-based?

I ask because in a recent blog post from Silent Circle (a secure comms company), they explicitly state "we are not a U.S firm" [1]. I'm beginning to think any company that wants to offer security products like this has to place their Global HQ outside the US's legal jurisdiction. I doubt it solves all the problems but it probably helps to some extent.

[1] http://silentcircle.wordpress.com/2013/10/16/one-heck-of-a-y...

There are multiple concepts of jurisdiction.

It does very little good to just "incorporate offshore" and still have US operations, US principals, etc.

If you're a US citizen doing something questionable in the US, you have basically three choices: try to do it in a compliant way, renounce your citizenship, or leave the US and/or operate underground and hope you never get caught.

While I have problems with the US Government's actions in the terrorism/cyberspace regulation/IP spheres (particularly in that the legislative branch has totally abdicated its role in oversight, as well as being generally incapable and obstructionist in general), I'm a loyal US citizen, respect the laws of the US and its political process, etc. So, all I'm willing to do is try to do things in a superior technical way, or to try to get the laws changed in the US.

The Silent Circle guys are basically all US citizens, and as far as I'm aware, equally wedded to the idea of US legal compliance.

Thanks for the additional context. On the surface it doesn't seem that there are any benefits to having the parent company offshore.

I agree with the sentiment of trying to change the system, which won't happen if people (and companies) simply try and leave.

Sounds like what the market needs is a provider that is truly offshore: foreign principals, headquarters, operations.

That's only a limited success, because I still trust the US Government, even NSA, more than almost any foreign government. (NSA has more resources, but there's at least some semi-effective political and thus popular oversight).

The ultimate solution is providers which can prove their operational security to end users continuously, through technical controls.

Could you elaborate on that first statement? Would you really place more trust in the US government in these matters than, say, the government in one of the Nordic countries? Or Germany?

Trust in a government is mostly relevant in situations where they would be breaking the law, like spying. If the law doesn't protect you in the first place, then the trustworthiness of the government doesn't really matter.

If the courts decide that you can't be compelled to give away master keys, then the US is a good choice. If not, no amount of governmental honesty can protect you.

As far as I know, US citizens can't be ordered to violate laws when they operate in foreign countries. If they receive a compliance letter requesting them to use a foreign company with servers located in that country to break those laws, they can point out that it's outside US jurisdiction.

There would probably be an argument about "instrumentality", and the US person sitting in the US would be in an exceptionally uncomfortable position.

You're right. Legally set up foreign businesses can't be forced to comply with US law, unless it's fraud or other criminal activity.

There's still a few safe places out there to do business legally and protect your data. The Bahamas comes to mind.

Silent Circle "isn't a US company", but has their US HQ in Washington DC.

They have software engineers in "Silicon Valley".

What makes you think they're "outside the US' legal jurisdiction"?

Apologies, I wasn't clear enough. What I'm trying to refer to is the legal jurisdiction of the Global HQ and what effect that has (if any) on receiving court orders like the one described in this discussion. Having wholly-owned subsidiaries in the territories in which you operate is a requirement and puts part of the company within that jurisdiction but I'm curious to know if having the parent company elsewhere offers some form of insulation (or not).

Perhaps this is a question I should direct at the other company but I wondered if it was something that the CryptoSeal folks had considered.

Perhaps you missed the intentionally vague part of the criminal complaint against Ross Ulbricht of Silk Road fame. The FBI managed to get a foreign country to seize servers for it. How much due process do you think was involved in that unnamed foreign country? Abandoning the US isn't the solution to your problems. Fixing the law is, and you have a better chance of doing that in the US than elsewhere.

I am not a lawyer. However, as a US company or a non-US company with US customers, I wonder if cryptography export laws come into effect: http://en.wikipedia.org/wiki/Cryptography_export_laws#Curren...

If you're a non-US company with US customers, I don't think you're technically exporting anything (unless it's code that was written in the US and then moved out of the country).

(I'm also not a lawyer)

Come to Iceland. Law is on your side here and the infrastructure is coming along.

Iceland, Switzerland, New Zealand, Hong Kong, and a few other places do look really interesting (and Switzerland and Hong Kong have pretty good infrastructure). Investigating a few more as well.

One consideration, though, is that we're all US citizens, and so even if we set up a Hong Kong company with Hong Kong servers, we'd be at risk to US court orders or any civil/criminal action. So for US citizens, the only real solution is technical controls, or legal/legislative reforms in the US.

I'm from NZ. NZ is not a good place to trust your private data.

The NZ government has no hesitation in breaking whatever laws it needs to in order to satisfy US requests.

See also: Kim Dotcom raids, GCSB amendment bill.

How about having one employee in each of those jurisdictions and setting up a way so that nothing (such as deploys, code changes, etc.) can be done without one employee from each jurisdiction using their key together. There is no way that a government is going to be able to compel like four citizens from four different countries into complying if it is possible. A US admin could give up their key to the US government and it would still be useless if they can't get an admin from Iceland, Switzerland, New Zealand and Hong Kong to also participate in the change. It would allow people to comply with the letter of the law to avoid contempt of court since they gave up their key as asked.

Wouldn't that require N principals, one for each jurisdiction, which is an unusual organizational structure, and requires a lot of trust and shared vision even if it's an n-of-m authorization system?

Sort of. Just because N people from different countries and time zones each need to enter their password in order to make a production change doesn't mean that the organizational structure needs to follow that. For all we care, only the subteam that does production deployments would need to be set up this way.
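One concrete way to build the "one key per jurisdiction, all (or n of m) needed" scheme the two comments above describe is Shamir secret sharing, which neither commenter names; it is added here as an illustration and is not code from CryptoSeal or from anyone in the thread. The deployment key is a constructed sample, the field prime and the jurisdiction labels are assumptions taken from the thread, and the `demo()` function is hypothetical glue that shows both the four-of-four case proposed above and the n-of-m variant asked about in the reply.

```python
"""Threshold ("n-of-m") authorization with Shamir secret sharing.

Added illustration, not code from CryptoSeal or anyone in the thread.
Assumes a hypothetical deployment key split so that one share is held by an
admin in each jurisdiction; any THRESHOLD shares reconstruct it, and fewer
shares reveal nothing about it. PRIME, the sample key and the labels are
constructed for this example.
"""
import secrets

# 2^127 - 1 is a Mersenne prime; secret and shares live in GF(PRIME).
PRIME = (1 << 127) - 1

# Jurisdictions named in the thread (assumption: one admin per entry).
JURISDICTIONS = ("US", "Iceland", "Switzerland", "Hong Kong")


def _eval_poly(coeffs, x):
    """Horner evaluation of a0 + a1*x + ... + ak*x^k mod PRIME (coeffs given a0 first)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold, n_shares):
    """Split an integer secret (< PRIME) into n_shares points (x, y).

    Any `threshold` points determine the degree threshold-1 polynomial and
    hence a0 = secret; threshold-1 points are consistent with every secret.
    """
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    # a0 is the secret; the remaining coefficients are uniformly random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME); shares must have distinct x."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse of den; PRIME is prime so pow(den, PRIME-2) works.
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def split_among_jurisdictions(secret, threshold):
    """Return {jurisdiction: share}, one share per admin."""
    shares = split_secret(secret, threshold, len(JURISDICTIONS))
    return dict(zip(JURISDICTIONS, shares))


def demo():
    """Split a constructed deployment key across the four jurisdictions."""
    # Constructed sample key (not a real secret), reduced into the field.
    deploy_key = int.from_bytes(
        bytes.fromhex("00112233445566778899aabbccddeeff"), "big") % PRIME

    # Four-of-four: every admin must participate, as the comment proposes.
    held = split_among_jurisdictions(deploy_key, threshold=4)
    with_all = recover_secret(list(held.values()))
    # Three shares of a 4-of-4 split interpolate to an unrelated value.
    without_us = recover_secret([s for j, s in held.items() if j != "US"])

    # Three-of-four: tolerates one unavailable admin, but a single handed-over
    # share (the US admin complying with an order) still reveals nothing.
    held3 = split_among_jurisdictions(deploy_key, threshold=3)
    any_three = recover_secret([held3[j] for j in ("Iceland", "Switzerland", "Hong Kong")])
    us_alone = recover_secret([held3["US"]])
    return {
        "key": deploy_key,
        "4of4_all": with_all,
        "4of4_without_us": without_us,
        "3of4_any_three": any_three,
        "3of4_us_alone": us_alone,
    }


if __name__ == "__main__":
    r = demo()
    print("4-of-4 with all shares recovers key:", r["4of4_all"] == r["key"])
    print("4-of-4 without US share recovers key:", r["4of4_without_us"] == r["key"])
    print("3-of-4 with any three recovers key:", r["3of4_any_three"] == r["key"])
    print("3-of-4 with US share alone recovers key:", r["3of4_us_alone"] == r["key"])
```

The split itself is the easy part; the operational caveat is that wherever the shares are combined the full key exists in memory on that host, so the combining step needs the same protection as the key did (or a threshold-signature scheme that never reconstructs it), and the share holders have to be people you would trust to take the company offline by withholding a share, which is the trust problem the reply above points out.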

They would, however, need highly trusted agents in several legal jurisdictions. Agents who they trusted with the ability to bring the company down. Still... I think I might pay for a service like that, if some of the principal participants were people I trusted so I was sure it wasn't a honeypot.

Don't forget The Bahamas, Ryan! :-)

If you need advice from experts at setting up a legal foreign business, LMK, and I'll send you a few referrals.

Switzerland is far from being an innocent saint when it comes to surveillance:

The Swiss SIGINT equivalent is called PTSS:
https://www.li.admin.ch/en/ptss/index.html
https://www.li.admin.ch/en/ptss/legal.html
https://en.wikipedia.org/wiki/Swiss_intelligence_agencies

And don't get me started on HK, NZ or Iceland. If you really want to protect Osama's IRC server and worse with your VPN service, you require specific political protection from the host country.

Why would Iceland be a vulnerability?

They just recently cooperated with the FBI to bust Silk Road...

Do US citizens have to install pen registers on their own service(s)?

If so ordered by a court of competent jurisdiction.

Essentially, from Lavabit it appears that if you don't have technical capabilities inside the service already in place to provide pen trap level realtime reporting, they can compel you to install a pen trap device, and provide all keying/etc. required to make it work.

You're likely wrong.

On June 10, the federal government served a court order on Lavabit issued under 18 USC 2703(d), a 1994 amendment of the Stored Communications Act.

The Stored Communications Act (SCA, codified at 18 U.S.C. Chapter 121 §§ 2701–2712) is a law that addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party internet service providers (ISPs). It was enacted as Title II of the Electronic Communications Privacy Act (ECPA, Pub.L. 99–508, 100 Stat. 1848, enacted October 21, 1986).

(emphasis mine)

Users generally entrust the security of online information to a third party, an ISP. In many cases, Fourth Amendment doctrine has held that, in so doing, users relinquish any expectation of privacy. The Third-Party Doctrine holds "…that knowingly revealing information to a third party relinquishes Fourth Amendment protection in that information."

It doesn't follow that a private individual can be compelled to install a pen register on his/her own infrastructure.

I thought he meant "do US citizens operating services for third parties have to install pen registers". If it is your own service for yourself, they just go a layer down the stack and get your hosting provider or carrier to do so.

> New Zealand

Are you kidding!?

> New Zealand.

Hahahaha. NZ bent over backwards to let the US decimate Mega. Let's be honest, we have/had basically each of those countries be complicit in extraordinary rendition, extradition, or compliance with US IP law.

What do you honestly think will happen when we, in the name of international security and terrorism prevention, ask them to hand over a few computers instead of, well, people?

Advertised cryptography/anonymizing services really can't exist in a climate where all rules are thrown out the window because terrorists.

Five Eyes countries (US, CA, UK, NZ, AU) have very deep intelligence cooperation and sharing agreements. I don't think NZ is a particularly good choice for this reason.

I don't know about your Iceland, but my Iceland is currently debating putting edge filters up to block "pornography and other questionable content". I understand that the Internet here is just following our outdated laws which levy fines and threaten prison terms to anyone who purchases porn, but any country (even one as enlightened as ours) that contemplates edge router censorship is suspect to me.

.. and is Ögmundur still in power to follow through?

But you know as well as I do that he didn't fall over his censorship dreams but Icesave. Another will come. That we even seriously, politically, considered this is scary in and by itself. Pirate Birgitta isn't enough to reassure me.

I would say that is a miscategorization of the election results. It's not so much that he was voted out as the electorate falling for the populism of Framsókn.

Of course a party of 3 out of 63 is not going to make big waves legislatively, but the center-right coalition wouldn't touch this issue. Hell, the previous administration didn't want to touch the issue either. Noise, that's all.

Fair enough. Maybe I am just a little too sensitive to the broad brush and heavy handed approach we seem to touch everything with these days. Frankly, I love my country, but I sometimes wonder if the Facebook "Iceland is so cool" movement isn't making us, internally, a little too complacent.

I would respond with saying: Pirates gained 3 seats in Parliament. There IS hope.

Iceland isn't an online utopia, as the current proposal for online censorship demonstrates: http://www.theguardian.com/world/2013/feb/25/iceland-seeks-i...

Although, for the most part, it has good intentions.

That bill was DOA, posturing by a politician to appease his left flank. Nobody took it seriously and his party is no longer in power.

But it's still illegal to publish pornography in Iceland, isn't it? http://www.althingi.is/lagas/nuna/1940019.html#G210

Yes, it does impinge on freedom of speech locally. No politician is going to move to abolish it (for now), but enforcement is next to non-existent.

It appears also (as best as I can tell without being able to understand Icelandic) that there is a law on the books that makes it prosecutable to 'publicly ridicule an individual or group on the grounds of their "nationality, skin color, race, religion, or sexual orientation."'

I wonder how broadly that could be interpreted. The UK doesn't give me hope.

What's the legal situation in Iceland?

Isn't it likely that Iceland has – as all functioning countries – a surveillance apparatus and is cooperating with the US? For the latter, the usual legal trick is not to spy on your own citizens but to ask a partner service for data about your own citizens …

Strict privacy laws can be great, however, they are no protection from surveillance. Surveillance is usually excluded from privacy laws as far as countries are snoopy and not 'just' private entities.

The dept. of the Interior has been talking about expanded investigatory powers for police but those are aimed at when they can open an investigation without prior cause.

There is no spy agency in Iceland. We are a nation of roughly 350k people. The last interior minister actually sent the FBI packing when they came to investigate something.

It is highly unlikely that our current government is colluding with the US. Transparency is too high and anti-American sentiment as well. Don't forget, we're in total about half the size of an average American suburb, everyone knows everyone, there's very little you can gain from spying as opposed to asking.

Spying electronically on Icelanders is a useless and expensive pursuit, if you want to know anything you go downtown and sit around while your average Joe or Jane talk about it.

Talking to people? What a concept!

Seriously though, it is amazing how much information can be gleaned from someone (rightly or wrongly) if you just sit down and talk with them for a bit. And even more information about someone's true feelings can be determined from their non-verbal communication, something that electronic surveillance (like email snooping) can do nothing about.

There's a recurring joke in advertising in Iceland. If you have a fringe product with a well defined demographic following (say, upper-middle-class females, 40-50), you'd reach them better by throwing a small party with drinks on the house and inviting them than with media advertising.

To get a handle on how bad domestic spying is in practical terms, consider that the US outspends the rest of the planet in military spending. Surveillance spending is likely to be roughly proportional. A small nation with low military spending per-capita could fall below the threshold of operating an effective surveillance state, just as they could fall below the threshold of operating a blue-water navy.

I was just trying to sign in to my account, and I was greeted with this:

"CryptoSeal Privacy Consumer VPN service terminated with immediate effect

With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability.

Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product.

Specifically, the Lavabit case, with filings released by Kevin Poulsen of Wired.com (https://www.documentcloud.org/documents/801182-redacted-plea...) reveals a Government theory that if a pen register order is made on a provider, and the provider's systems do not readily facilitate full monitoring of pen register information and delivery to the Government in realtime, the Government can compel production of cryptographic keys via a warrant to support a government-provided pen trap device. Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner. The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion, and likely unconstitutional, but until this matter is settled, we are unable to proceed with our service.

We encourage anyone interested in this issue to support Ladar Levison and Lavabit in their ongoing legal battle. Donations can be made at https://rally.org/lavabit. We believe Lavabit is an excellent test case for this issue.

We are actively investigating alternative technical ways to provide a consumer privacy VPN service in the future, in compliance with the law (even the Government's current interpretation of pen register orders and compelled key disclosure) without compromising user privacy, but do not have an estimated release date at this time.

To our affected users: we are sincerely sorry for any inconvenience. For any users with positive account balances at the time of this action, we will provide 1 year subscriptions to a non-US VPN service of mutual selection, as well as a refund of your service balance, and free service for 1 year if/when we relaunch a consumer privacy VPN service. Thank you for your support, and we hope this will ease the inconvenience of our service terminating.

For anyone operating a VPN, mail, or other communications provider in the US, we believe it would be prudent to evaluate whether a pen register order could be used to compel you to divulge SSL keys protecting message contents, and if so, to take appropriate action."

With every shut down in a similar vein, I weep and fear for the future.

It may sound strange for me as a European to be saying this, but I worry that the second stage of this will be a massive exodus of talent and startups out of the US.

This would probably be a good thing. Right now the internet is way too US driven and focused. A more balanced, global distribution of talent would be far more beneficial.

I agree. And it might ease some of the pricing issue too. There are many plans for cloud services outside the US but there's usually a lack of know-how and competitive functionality/pricing.

A current example:

Clio, a cloud provider for lawyers, recently started to offer a server location in Ireland in order to comply with European privacy laws [1]. The price, however, is about 60% higher than in the US …

Price comparison:

US = 49 USD/month = about 36 EUR [2]
EU = 49 GBP/month = about 58 EUR [3]

[1] = http://www.goclio.com/blog/2013/10/clio-online-practice-mana...
[2] = http://www.goclio.com/signup/
[3] = http://www.goclio.co.uk/signup/

The cost issue is probably because they're using Linode instead of AWS.

What could be the reason for using Linode instead of AWS's European data center?

Just personal preference I'm guessing. They probably went live US side with Linode, and their DevOps is probably already built around Linode's API/environment, so it was easier to just spin up new gear in Linode EU vs AWS EU.

At first glance it may seem that way, but I don't see how the privacy and human rights situation is all that different in, say, Europe and it's generally worse in places like India or China. Whenever I see European startup communities at work, they're really at their best when they're emulating US startup culture. Removing US influence may lead to an even more stagnant ecosystem in the long run.

I moved to Ireland a year ago (I realize they generally acquiesce to anything the US wants, but hey, it's a start) because I wanted to try something different and was tired of feeling guilty about the foreign policy my taxes were supporting. The startup culture here is excellent and the cost of living lower than SF (everything costs more except rent, which is about 25% what it would be in SF). You also don't have an entire city being run over by rich 25 year olds driving out the artists and people who make a city enjoyable.

Oh, to lend some more context - being an English-speaking country in Europe with an immigration policy that doesn't consist of "gtfo unless you're a billionaire" added to its appeal as well.

Where in Ireland?

Dublin; there's some activity in Cork as well but since it's already a bit isolated from the rest of Europe being near a major airport is a pretty big factor in its favor, at least for me.

To be honest, I doubt that exodus will ever come. Americans don't seem to care that much about privacy or their rights; this is demonstrated weekly in the news. I feel bad saying that, but it does seem to be the case when people trade freedom for "security".

Actually, I think this is good. The shutdowns of all these unsafe services are creating a need, and when there's a need a solution will appear.

A VPN is just an access control mechanism for network services; it is for network service privacy. If you're worried about the privacy of your data, you should be using technology to protect your data at rest, such as PGP.

Perhaps I'm being daft, but I'm struggling to see the connection between SSL certs ( per the Lavabit scenario ) and a VPN service.

Didn't they have an IPSec cert for each individual subscriber?

If not... I wouldn't have wanted to go anywhere near them if they were using one keypair for all traffic.

Public-facing websites are usually dependent on a single server cert because they can't easily provide a separate client cert for everyone who visits. A private, subscription-based service should not be using that model and thus should not have encountered the 'Lavabit Paradox'.

Neither should Lavabit, but I digress.

The problem is that a pen trap order, which is a very low legal bar, far lower than probable cause, can be applied to any single customer. Since we couldn't implement that effectively, we would be forced to give all of that customer's raw traffic to the government. It's entirely likely they would also compel an entire node or even the entire system if they felt that was more effective for their purposes in any way.

If the bar set to do this were at search warrant level (probable cause of criminal activity), that would still kind of suck, but the bar for pen traps being so low by comparison totally invalidates our security model.

All US providers (including "foreign" providers with US principals or US operations) are vulnerable to this specific problem right now.

There are technical ways to deal with this, but it would take months to implement, and no one has done it before. I've got a bunch of talks scheduled for conferences over the next year on how to implement exactly this (and am working on the tech for it), but it's not going to be instantaneous. We didn't want to be in the position of screwing over even one customer in the interim.

Until that stuff is in place, my recommendation is to use a non-US VPN provider. There, you're still at risk to local search warrants, but those are a relatively high legal standard in some jurisdictions. The problem in the US is that the Lavabit case implies a much lower legal standard to effectively compel all traffic.

It'll probably be a year or two before this plays itself out in the courts. Hopefully 6-9 months for a much stronger technical solution. I'm actually working with some pretty kickass legal people on v2.

(as always, I Am Not A Lawyer; I Am Not Your Lawyer; This is not legal advice; Consult an attorney licensed in your jurisdiction for specific legal advice in your particular case.)

> I'm actually working with some pretty kickass legal people on v2.

Can you say who they are? I'm looking for legal advice in this area as well (and I'm not a competitor to CryptoSeal in any way). Our service is currently in Australia (only), but I'm an owner, based in the US, and by design we also aren't able to support a pen trap order without the same problems you've encountered.

It sucks when crypto best-practices are, effectively, either illegal or useless.

Law students and their professors; I don't think my "bro deal" with them is transferable, sadly. (we're trying to get law review and/or conference papers out of it, too)

The whole thing is quite unsettled right now, and unique to every case. I'd probably contact EFF. If I were looking for someone to pay, Marcia Hofmann is now a commercial option, and she's probably the best in the world.

Please consider also looking for a criminal defense attorney with significant experience defending people in federal court. When it hits the fan and you get a court order and are being threatened by federal prosecutors, lawprofs don't do you much good. You need someone who has experience fighting back.

Here's a criminal defense attorney who makes the case for this better than I could: http://blog.simplejustice.us/2013/10/03/lavabits-levisons-re... http://blog.simplejustice.us/2013/08/31/why-hackers-dont-win...

Ouch. The first post seems especially unfair.

> ...they are screwing up the world for the rest of us, for everyone.. Choices being made by the tech-savvy and law ignorant are creating the precedents, while destroying themselves, that form the foundation for computer law going forward. We may be saddled with bad law for decades...

The point seems to be: when a random computer person provides a service, and that service is targeted by federal prosecutors, and idiotic judges use the opportunity to cripple civil society, it's the random computer person's fault. Are lawyers and judges simply vengeful automatons, whom any citizen should expect to destroy civilization if given any opportunity? Maybe others in the jurisprudential profession could help defend society from their colleagues?

You've missed the point big time. They screw things up when they pick inexperienced lawyers whose inexperience costs them their cases. If they pick experienced lawyers who lose despite their experience, then no one is blaming them.

The context is important here: Levison was initially defended by a small business lawyer who was only 4 years out of law school. That was truly a boneheaded decision and may very well be why Lavabit crumbled so quickly.

Well sure I see that point: one should hire good attorneys. If one cannot afford good attorneys, one is boned. That doesn't seem profound. (Not particularly just either, but whatever.)

My previous comment was thinking more generally. Society has in the past successfully weathered innovations in technology and commerce without the legal profession running amok. Often innovators were not "connected" enough to hire the best legal representation, if they did so at all. What's different this time?

> Well sure I see that point: one should hire good attorneys. If one cannot afford good attorneys, one is boned. That doesn't seem profound. (Not particularly just either, but whatever.)

The author addressed this ad nauseam in the comments. In particular, see:


> My previous comment was thinking more generally. Society has in the past successfully weathered innovations in technology and commerce without the legal profession running amok. Often innovators were not "connected" enough to hire the best legal representation, if they did so at all. What's different this time?

I don't think technological innovation has ever had the potential to disrupt existing power structures as much as the Internet and cryptography. I'm not sure what you mean by "legal profession running amok," but if you mean bad court decisions and draconian government legal theories, that's nothing new. We're only starting to see this in the context of technology because of the aforementioned clash between technology and government power.

I don't think technological innovation has ever had the potential to disrupt existing power structures as much as the Internet and cryptography.

That's a bold statement. You don't think the cotton gin and improved looms contributed to the numbers of people enslaved in the antebellum southern USA? You don't think the railroads and telegraph contributed to the settling of the West? You don't think the rise of manufacturing, which pulled multitudes of (black and white) Southerners north, changed both the South and the Midwest?

I'm not sure what you mean by "legal profession running amok," but if you mean bad court decisions and draconian government legal theories, that's nothing new.

Let me preface this by saying that I'm not comparing Lavabit to Dred Scott in terms of the degree of injustice the two parties suffered. Mostly I just don't know a great deal of legal history and this historical "worst case ever" is what came to mind. However, I have never seen the unfortunate Mr. Scott blamed for the infamous Dred Scott v. Sandford decision. So, bad court decisions: not new. Blaming the victims of those decisions: new.

Mostly it just speaks to an audacious sense of entitlement on the part of any attorney who upon news of a fresh new legal outrage, immediately excoriates the victims of our federal Department of Injustice. When he says a society without Lavabit is better than a society in which Lavabit doesn't have him (or a similarly experienced and wise litigator) on retainer, that is self-serving. He is fundamentally no different than the feds, because he also wants the legal profession to act as a check on all innovation. The slight cosmetic difference is that he wants to be the one running things, because his judgment is better than that of the feds.

Of course we mustn't fall victim to the classic is/ought confusion. When in legal trouble, it's best to be well-represented. However, when any developer who wants to help people maintain a modicum of privacy and dignity is automatically in legal trouble, we all have legal trouble.

I get permission denied on every page on that site.

The prospect of the government demanding all your encryption keys is probably just one of the threats. Apparently they shut down CS because they simply don't want to enable the security apparatus spying on their customers.

What I don't understand is why I didn't get a notification of the shutdown. As a paying customer I shouldn't read about it on HN. I used the service primarily to shield myself in hotels/coffeeshops, but I know the NSA can get to me if they want to and I don't really care.

I appreciate the high ground CryptoSeal is coming from, but from a customer standpoint I don't think this was done well.

If they let you know then the government knows and CryptoSeal runs the risk of the government compelling them by force of FISA court order to stay in business, turn over all customer data, and don't say anything about it.

Have any companies ever been compelled to stay in business? How does that even work, especially if the company (not sure if it's applicable in this case) is losing money at the time? Does the government subsidize all of the operations at that point? Can they compel people not to quit their jobs in this case too?

"'I could be arrested for this action,' Ladar Levison told NBC News about his decision to shut down his company, Lavabit LLC, in protest over a secret court order he had received from a federal court that is overseeing the investigation into Snowden."


If they were serious about running a privacy startup, they would move out of the US. Better luck next startup guys.

Https://simple-vpn.com, why deal with US companies for security services?

No, actually https://simple-vpn.com, it's paid for with BTC for those who really care about anonymity and privacy. Seems like the service got hackernewsed though. :)

Ah that explains the 502 :)


You literally signed up five minutes ago just to post these wild allegations.

To be fair, that was my first thought too. I find it difficult to believe they would close down if the service was successful and growing. I know this is exactly what Lavabit did, but I feel Lavabit is an exception to the rule in this respect. I have no evidence either way, just my gut feeling. Until I've seen evidence that it was anything other than a simple money related business decision, I'm going to assume it was so. I don't mean to make any accusations: This is just the way my brain works.

We didn't have millions of users, but were making decent profits to cover costs on the users we had, and growing. If someone outside the US wants to run a privacy VPN service for consumers, or if the Lavabit case is resolved successfully, I'd probably say it's a decent business (boring, but decent).

The financial issue was the potentially huge liability due to a legal action or battle, not the (small) costs of operating the service; my cofounder and I are both not really able to take a Lavabit-style stand (I do DoD/USG consulting work, so I have additional special considerations in doing anything which isn't absolutely legally compliant in every appearance, which Ladar et al. didn't have...).

We're still working on similar things, now without the revenue from the privacy vpn service.

Has anyone written a review of Sealand in the light of the current situation of "no privacy anywhere"?

I'm very pleased that there are people working in this area, and I look forward to seeing what happens.

The problem with Sealand is that you can't trust the people operating it farther than you can throw them, and they're not particularly small people. They are in a legally (and physically) precarious position, so if someone were to make a serious threat, there is no way you could expect them to be like Lavabit and face them down.

(There's a new group trying to re-launch "HavenCo", although it has no real connection to Sealand; it's a VPN service and some mail and stuff run out of non-Sealand colos. I wouldn't touch it, myself.)

There is no solution to any of this other than pure technology. You want something where even the operators can't do worse than shut the service down, even if you have a gun to their heads. That's not technically feasible given current technology, but is a 6-24 months of development from being practical. And even with better technology, you end up having to worry about the entire stack, all the time -- constant vigilance is expensive.

This is probably just a turn of phrase but

> decent profits to cover costs

Do you mean it was meeting costs and growing in a way which would have led to profit in the absence of a legal tangle with the FBI or whatever?

Yeah, it was covering operating costs and some profit, and would feasibly grow into a decent overall business. But even if it became a decent overall business ($100-200k/mo profit in 2014?), one pen trap incident on one customer would have had vastly higher costs -- civil or criminal contempt being the most likely outcome (maybe not -$inf, but at least -$millions).

If we were the legally best VPN option, I would probably have pushed to keep it going anyway and just shut down when/if that happened, but as it is, non-US providers run by non-US people (there are several good ones) are an objectively better option, so in good conscience there's no reason to continue running a US privacy VPN service without technical controls to prevent being compelled to screw over a user.

So if he wasn't trolling, why didn't cryptomaniac use his real account to say this? It's very sad that these kinds of drive-by accounts are so successful (he got at least two upvotes at the time I'm writing this) for what seems like a personal attack without any data to back up the claims.

And regarding the actual content, it doesn't really make sense to me why a startup would lose face if they shut down a service that wasn't viable. They are expected to experiment. It happens all the time and nobody minds. Sure, it probably makes the decision easier to shut down if there aren't a lot of users, but let's not jump to conclusions.

> So if he wasn't trolling, why didn't cryptomaniac use his real account to say this?

I did not make this claim, so feel no need to answer your question.

> It's very sad that these kinds of drive-by accounts are so successful (he got at least two upvotes) for what seems like a personal attack without any data to back up the claims.

I don't think he meant to express it as a statement of fact, but meant to suggest it as his strong opinion. I just think it was worded badly. Lots of people don't sign up until they decide to make their first comment.

> And it doesn't really make sense to me why a startup would lose face if they shut down a service that wasn't viable. They are expected to experiment. It happens all the time and nobody minds. Sure, it probably makes the decision easier to shut down if there aren't a lot of users, but let's not jump to conclusions.

Many people are embarrassed when their companies fail.

> Many people are embarrassed when their companies fail.

In this case it was just one product getting shut down (and only until we can do something better); there's clearly a demand in the market for it, maybe stronger than ever.

I'm actually much more embarrassed by the horrible formatting of my PGP message (I never really did PGP stuff on Mac before, and forgot about the newline issues.)


You would be right to have concerns about future ventures by the creators of Lavabit or CryptoSeal, just like someone might have concern about a Google API service. At least Lavabit and CryptoSeal are giving legitimate and very real reasons why their services shut down. This is different than being told "it's a business decision" or just having it disappear with no reason given.

Or worse, not telling you anything, and in a few years you find out someone's been monitoring all the VPN traffic, INCLUDING YOURS.
