Inside the Decision to Shut Down Silent Mail

Silent Circle shut down its Silent Mail service yesterday to ward off future requests for customer data by the government.

Silent Circle’s decision to shut down its Silent Mail email service may have come quickly yesterday, and the timing of the announcement admittedly was prompted by Lavabit’s decision to suspend operations hours before. But the seeds for this decision may have been sown long before Edward Snowden, who reportedly used Lavabit as a secure email provider, was a household name and NSA warrants for customer data were known costs of doing business.

“When the team first delivered [Silent Mail], I congratulated and apologized at the same time, and told them this might be our first legacy product,” said Silent Circle CTO Jon Callas.

Silent Circle’s value proposition is its secure real-time voice, video and text communication services; email may have been extraneous from the start. And given the actions of the NSA whistleblower and Internet providers and technology companies seeking transparencies about government requests for customer data, Silent Mail’s days were numbered.

Ironically, yesterday when Lavabit, which provided a similar secure email service, announced it was shutting down rather than “become complicit in crimes against the American people,” as owner Ladar Levison said, things moved quickly for Silent Circle’s decision makers.

“When we saw the Lavabit announcement, the thing we were worrying about had happened, and it had happened to somebody else. It was very difficult to not think I’m next,” Callas said. “I had been discussing with Phil [founder and PGP developer Phil Zimmerman] over dinner the night before, should we be doing this and what the timing should be. I was looking at it from point that I want to be a responsible service provider and not leave users in a lurch. [The Lavabit announcement] told me I have to start moving on it now.”

Within hours, the decision was made and a blogpost was live on the Silent Circle website explaining why.

“We see the writing on the wall, and we have decided that it is best for us to shut down Silent Mail now,” Callas wrote. “We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.”

Silent Mail was the outlier for Silent Circle. It was the one product the government could target with a warrant, and the one privacy promise the company could not keep to its customers, Callas said.

“We have been debating Silent Mail from the very beginning and the reason is if you look at what we’re doing with Silent Phone and Silent Text, they offer very high degrees of security,” Callas said. “Email is intrinsically not as good.”

Silent Phone and Silent Text promise end to end encryption with each service; encrypted data is not stored by the company and metadata from conversations is not stored. The same promises could not be made with Silent Mail, and the blame lies with standard email protocols such as SMTP, POP3 and IMAP that leak too much information and metadata, Callas said. The Lavabit announcement yesterday made it clear that Silent Circle had to act promptly with its product, scrapping a number of other options to phase the service out slowly, not take orders after a particular date, or even give customers 72 hours notice of the decision.

“Then, that is the flag for the warrants to come,” Callas said. “We said we had to do something and do it now, and tell people why we did. I had to think about it in terms of if I were [the government], what would I be doing? I would be typing up the subpoenas to be delivered at 7 a.m.”

Lavabit’s Levison, meanwhile, intimated that the 10-year-old company is in the midst of some unnamed request for user data, details of which it could not legally share. Some have speculated the company is in a battle over a request for Snowden’s passwords or other sensitive data. Rather than comply, Levison said he is suspending operations and preparing an appeal that if favorable, would enable him to revive Lavabit.

“I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on–the first amendment is supposed to guarantee me the freedom to speak out in situations like this,” Levison wrote in a note on the Lavabit site. “Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.”

Silent Circle, meanwhile, appears to have sidestepped that landmine and doesn’t expect any issues around Silent Phone and Silent Text.

“We already worry about that with the other services, which is why we could move from being nice about it, to being drastic,” Callas said about Silent Mail. “We know our strengths on the other [products]. It’s the defense we have. We’re quite public that we don’t keep data. Don’t come to us, because we don’t have it.”

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business