Lavabit Founder Takes To Kickstarter To Open Source A New End-To-End Encryption Messaging Protocol

Ladar Levison, founder of the now-shuttered secure email provider Lavabit, has taken to Kickstarter to resurrect the concept of secure email in a new, open source form, calling the project the Dark Mail initiative. A not-for-profit organisation called the Dark Mail Alliance, with Lavabit and Silent Circle as founder members, has also been set up to steer the project.

The project’s aim is to “cleanup and release the source code that was used to power Lavabit as a free and open source project with support for dark mail added.” What is dark mail? A “newly developed messaging protocol… designed to provide end-to-end encryption of both the message itself and the email in transit.” So that’s both message content and metadata — in other words, not only what you’re saying but who you’re saying it to.

Why now? The “summer of Snowden,” of course. As Internet users everywhere come to terms with the notion that online privacy for mainstream consumer services has become an oxymoron, Levison believes there’s enough widespread concern about the security of digital communications to make the project viable.

He’s seeking $196,608 to revive and extend Lavabit’s legacy by open-sourcing it, so that other email providers can be encouraged to adopt the Dark Mail protocol. According to the project page, the money is required to hire programmers who have F/OSS development experience and have worked with C, JavaScript, HTML, SQL and JSON.

Open sourcing encrypted email is an attempt to drive adoption. If encryption becomes a mainstream feature of email providers, not an exception only sought out by the security savvy, there’s a far lower barrier to entry — and more users can benefit. At the same time, government surveillance programs that sift vast tracts of the Internet just because they can are going to hit more stumbling blocks if end-to-end email encryption becomes mainstream.

The more secure email providers there are, the more effective email encryption becomes. On the flip side, as soon as a user emails someone who is not using end-to-end encryption, they step outside the security circle and give third parties the chance to listen in, meaning their communications are no longer secure. The aim of Dark Mail is to ensure more digital communication is kept out of the listening loop.

From the Kickstarter video:

Our goal is to provide end-to-end, user to user security. The type of security you get today with PGP but by integrating it into the protocol, giving us the ability to secure the meta information as it traverses the network and make it easy enough that grandma can use.

Our hope is that someday in the very near future, anybody who can use email today will be able to use a dark mail compatible client and get a way to communicate with their friends and associates securely.

It’s time to change 40-year-old architecture of email with default security and privacy.

As a commercial service Lavabit was forced to close when Levison determined there was no way to run an encrypted service that was secure. NSA whistleblower Edward Snowden had been using the email service to communicate. So it’s safe to assume that government pressure was applied to get hold of Snowden’s emails. Secure email? Not any longer.

Levison has never been able to be explicit about why he shuttered Lavabit, but did previously say:

I didn’t want to be put in a situation where I had to turn over private information. I just didn’t have it. I didn’t have access to it. And that was sort of—may have been the situation that I was facing. You know, obviously, I can’t speak to the details of any specific case, but—I’ll just leave it at that.

Now, taking to Kickstarter, the aim is to use the transparency afforded by open sourcing the Lavabit source code to shine enough light onto the system, and attract enough contributors to pick it up and run with it, that the availability of end-to-end encryption spreads — thereby keeping more emails secure from prying eyes. The new messaging protocol is also more extensive — covering both metadata and email content — and aims to make the encryption process invisible to the user so they don’t have to be a security specialist to send an encrypted email.

From the project page:

The Summer of Snowden may have taken the Lavabit email service offline, but the lifeblood of the service is still alive and relevant to Dark Mail. The goal is to perfect and release its source code as a free and open-source software (F/OSS) project. The “magma” daemon supports access via SMTP, POP3, IMAP4 and HTTP. Magma can be clustered and transparently encrypts user data before storing it on disk. It includes a Javascript webmail system that uses a JSON-based API to provide secure mail access via the web.

The project will also include building, and releasing as F/OSS, the first Dark Mail compatible clients. We are planning to launch with clients for the desktop (Win, Mac, Lin), smartphones and tablets (iOS, Android).

More detailed discussion of the Dark Mail project in the following video: