As the end to our summer doldrums draws close, I’m dusting off my RSS feeds and finding some updates on a topic that I touched on earlier this year: the webmail encryption services coming out of Germany.
Back in March I wrote Of German Email Encryption Tool Tutanota and Other PETs, which mentioned a number of new players in the Privacy Enhancing Technologies space that seemingly could make lawyers better at client confidentiality. Not a bad thing, eh?
In a breach-a-day world even lawyers without a particular passion for technology issues are beginning to take note of email encryption. The fact is, whether the threat is black-hat data thieves (were you aware that intrusion against law firms has been on the rise over the last decade?), or the more cloak and dagger stuff that Snowden has repeatedly warned us about, it’s clear that encryption (and cybersecurity more generally) is no laughing matter.
But as recent events in the encrypted email startup space show, this does not mean earnest attempts won’t unravel into farce once in a while. Strangely (and sadly from the perspective of how hard it is to build trust, and how easy it is to fuel cynicism), this seems to have happened with the rather spectacular flame-out by one company I mentioned in my March post… although for reasons I’ll mention, the intrigue is deeper than it may first appear.
Until about five days ago Lavaboom appeared focused on seizing their piece of the email encryption market with a secure email client that boasted end-to-end encryption and a zero-knowledge architecture. Lavaboom now seems to have gone volcanic… and not in the good way.
I noticed some strange posts from @LavaboomHQ last week, which had me thinking the account might have been hacked. A pair of tweets blurted out that the encrypted email service would be unceremoniously shuttering, leaving only 7 days for users to grab their data and find a lifeboat. In (fittingly?) cryptic fashion, Lavaboom’s tweets hinted obscurely as to the cause of its sudden implosion. Something about financial problems. I poked around and found TechCrunch’s story on the whys and wherefores surrounding the German company’s sudden decision to swan dive with zestful dereliction into the deadpools of the neverafter. Between the TechCrunch story, this ridiculously embarrassing thread on Reddit (which precipitated the initial alarm and ongoing mortification), and the aforementioned twittering, one is led to conclude more or less that:
- Reddit is a full-blown nightmare—especially if your dream is to avoid utter humiliation when your PET startup goes 100% FUBAR.
- Lavaboom had at one time secured funding of around €280,000, but ultimately couldn’t tame its burn-rate.
- Lavaboom mismanaged not only its money, but its relationship with a key developer—a teenager who appears to be the only person who really knew how the whole system worked.
- The whole Lavaboom operation is now so utterly bankrupt that it barely has the wherewithal to keep the doors propped long enough for 25,000 users to salvage their data.
The surface story is one of intemperate youth, poor management, and bickering, or ultimately a severe caution for those who would dare experiment with forward-seeming services like Lavaboom. The story looks to be that ordinary financial troubles and vague other problems (ego, betrayed trust, a “criminal investigation”, disillusionment) caused the service to fall off the rails—where it was probably inevitably bound. It’s a disappointing story on a number of levels, not the least being that it sets us all back a distance in the quest for better privacy.
It feels disappointing because an example like Lavaboom makes us ask, “How can the status quo not remain dubious and not roll eyes in the direction of such bumbling amateurishness? Why would we ever trade our tested tools for some flash in the pan service that can’t even keep the lights on!”
Lavaboom’s Canary Warrant
However, there could be something more to this story. There is some indication that the service’s Canary Warrant—specifically Lavaboom’s failure to update theirs—offers a clue. It’s a turn in the Lavaboom story which, if accurate, should make us concerned not just for the stability of one company, but for the integrity of any client data a lawyer wants to use encryption to protect.
The term “canary warrant” is defined by the Electronic Frontier Foundation as “a colloquial term for a regularly published statement that a service provider has not received legal process that it would be prohibited from saying it had received. Once a service provider does receive legal process, the speech prohibition goes into place, and the canary statement is removed.” This includes legal processes like warrants and national security letters respecting private data.
In addition to the original Reddit post that TechCrunch referred to, there are a few other threads that indicate a canary warrant problem may have cropped up. A short time before the company announced its bad news, someone else on Reddit noticed that the Lavaboom canary warrant had expired, suggesting a “possible compromise”. At first the ex-developer at the centre of the fuss, Piotr Zduniak, hinted that it was mere laziness on the company’s part; however, in the last 24 hours he has written more posts that seem to indicate there may be more to it than “mere laziness”. One of his posts implies that the canary warrant is related to the shutdown, while another post outright says the warrant “was not updated on purpose.”
Implications for the integrity of lawyer-client privilege
What worries me about Lavaboom is not so much that some inexperienced people tried to launch an encryption service and failed at it. It’s vexing that this kind of blunder might become associated with other PET services and hamper their adoption by legal professionals, but it’s not the critical factor.
What’s more concerning in my view is the possibility that yet another encryption tool (remember what happened to Lavabit?) may have been compromised and gagged by state actors who would stop at very little to crack into the encrypted communications pipe. What is most concerning is that this will be the risk for any encryption tool, and that it will be commonly justifiable for state agencies to strong-arm encryption service providers if the service is publicly open to all, be they lawyer or suspected terrorist.
The solution, I’m beginning to feel, is that law societies themselves should consider banding together to support and offer encryption. Our regulators could offer to be curators of encrypted email and data services for lawyers, all as an extension of the public’s interest in client confidentiality and the Rule of Law. Do readers of this blog agree that a coalition of law societies—armed with strong professional ethics, fierce advocacy, and a long-standing obligation to protect privilege—has the best chance at fending off one of the biggest threats to client confidentiality, the state surveillance agencies?
A note about Tutanota
I should add that Tutanota.de, the other German service mentioned in my older post, has gone quite the other direction from Lavaboom. In addition to adding smartphone support, Tutanota recently launched (on July 31, 2015) premium services that allow use of the Tutanota platform with a custom domain and even Outlook 2010 with Microsoft Exchange or Outlook 2013 with IMAP or Microsoft Exchange. Pricing is surprisingly modest.