Silent Circle, Lavabit unite for 'Dark Mail' encrypted email project

Dark Mail will provide end-to-end encryption, including email metadata

Two privacy-focused email providers have launched the Dark Mail Alliance, a project to engineer an email system with robust defenses against spying.

Silent Circle and Lavabit abruptly halted their encrypted email services in August, saying they could no longer guarantee email would remain private after court actions against Lavabit, reportedly an email provider for NSA leaker Edward Snowden.

Their idea, presented at the Inbox Love email conference in Mountain View on Wednesday, is for an open system that could be widely implemented and which offers much stronger security and privacy. As envisioned, Dark Mail would shield both the content of an email and its "metadata," including "to" and "from" data, IP addresses and headers. The email providers hope a version will be ready by next year.

"The issue we are trying to deal with is that email was created 40 years ago," Jon Callas, CTO and founder of Silent Circle, said in a phone interview. "It wasn't created to handle any of the security problems we have today."

Silent Circle, Lavabit and at least one VPN provider, CryptoSeal, shut down their services fearing a court order forcing the turnover of a private SSL (Secure Sockets Layer) key, which could be used to decrypt communications.

Lavabit was held in contempt of court for resisting an order to turn over its SSL key, which in theory allowed the government to decrypt not only Snowden's communications but also those of its 400,000 users. Ladar Levison, Lavabit's founder, is appealing.

Callas said Dark Mail is a collaboration with Levison. Rather than create a closed email service, they decided to design Dark Mail with open-source software components that could be used by any email provider.

"We need 1,000 Lavabits all around the world," he said.

Microsoft's David Dennis, lead principal program manager for the company's Outlook.com webmail portal, said Dark Mail is an "interesting proposal."

"We pay attention to any new innovations, protocols, standards and proposals impacting online communications," Dennis wrote in an email. "And we're always open to discussions with potential partners."

Representatives of Google and Yahoo who attended Inbox Love did not have an immediate comment.

Dark Mail will be crafted around XMPP, a web messaging protocol known by its nickname Jabber, along with another encryption protocol created by Silent Circle called SCIMP (Silent Circle Instant Message Protocol), Callas said.

An adapter will be built that will enable Dark Mail within different email clients. "There's no reason why you couldn't modify Outlook and Exchange to do this," he said.

The private key used to encrypt email will be held on users' systems and not retained by a service provider. Even if the government forced an SSL key to be turned over, users would not be compromised "because all of the messages are encrypted to keys that are sitting in the hands of the recipient," Callas said.

In that case, the party interested in the communication would have to request the encryption key from a person or find another way to decrypt the message.

Snowden's documents showed the NSA was also collecting email metadata, which reveals a sender's and recipient's email addresses, subject line of the email, IP addresses and more. Dark Mail will encrypt the metadata, using the XMPP protocol to signal when a new message has arrived, Callas said.

The alliance is also considering longstanding problems around encryption keys, such as public and private key pairs that are in use for years. "The longer that a key stays around, the bigger of a vulnerability it is," Callas said.

One idea is to create a protocol that would keep a static public key for only a few hours or a day and then refresh it. Older messages would need to be re-encrypted with a new key to maintain access, but it would provide much better long-term protection for sensitive messages, Callas said.

Also under consideration is "forward secrecy," an encryption feature that limits the amount of data that can be decrypted if a private key is compromised in the future.
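The key-refresh idea above, as an added sketch that is not Dark Mail's or Silent Circle's protocol (the article gives no wire format): mail is sealed to a short-lived recipient key, and rotation re-encrypts the stored mailbox so the old private key can be destroyed. The names `Sealed`, `Seal`, `Open` and `Rotate`, and the choice of X25519 with AES-256-GCM and SHA-256 as the key derivation, are assumptions for illustration.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

type Sealed struct{ EphPub, CT []byte } // sender's ephemeral public key + AES-GCM ciphertext
var nonce = make([]byte, 12)            // fixed nonce is safe only because every derived key encrypts one message

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// aead derives AES-256-GCM from an X25519 shared secret (assumption: SHA-256 stands in for HKDF).
func aead(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) cipher.AEAD {
	key := sha256.Sum256(must(priv.ECDH(pub)))
	return must(cipher.NewGCM(must(aes.NewCipher(key[:]))))
}

// Seal encrypts msg to the recipient's current public key under a fresh ephemeral key.
func Seal(to *ecdh.PublicKey, msg []byte) Sealed {
	eph := must(ecdh.X25519().GenerateKey(rand.Reader))
	return Sealed{eph.PublicKey().Bytes(), aead(eph, to).Seal(nil, nonce, msg, nil)}
}

// Open returns an error unless priv is the key s was sealed to (panics on a malformed EphPub).
func Open(priv *ecdh.PrivateKey, s Sealed) ([]byte, error) {
	return aead(priv, must(ecdh.X25519().NewPublicKey(s.EphPub))).Open(nil, nonce, s.CT, nil)
}

// Rotate re-encrypts the stored mailbox in place to a new key pair; the caller then destroys old.
func Rotate(old *ecdh.PrivateKey, box []Sealed) (*ecdh.PrivateKey, []Sealed) {
	next := must(ecdh.X25519().GenerateKey(rand.Reader))
	for i, s := range box {
		box[i] = Seal(next.PublicKey(), must(Open(old, s)))
	}
	return next, box
}

func main() {
	old := must(ecdh.X25519().GenerateKey(rand.Reader))
	next, box := Rotate(old, []Sealed{Seal(old.PublicKey(), []byte("constructed sample mail"))})
	println(string(must(Open(next, box[0])))) // readable with the current key only
}
```

A copy of the ciphertext captured before rotation still opens with the old private key and fails under the new one, which is why the benefit depends on the old key actually being destroyed after `Rotate` returns.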

Wide use of encrypted email has implications for companies such as Google, which displays advertisements based on email content. In industries such as financial services, companies are required to retain email for compliance regulations.

There's also a convenience factor, as email encryption isn't necessarily easy to implement, especially as people use multiple tablets and mobile phones and desktop computers. Callas said Dark Mail will be flexible, allowing users to send unencrypted email if they don't need an extra level of security.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk


Jeremy Kirk

IDG News Service