14 DAY TRIAL // Lavaboom, the secure email service from Germany, is entering private beta and it’s trying to make sure that your messages are safe from the curious eyes of the NSA and any other intelligence agency on the planet.
Named as a tribute to the defunct Lavabit, the encrypted email service that Edward Snowden used, Lavaboom seeks to offer an increased level of security not only by providing encryption tools, but also by staying out of the American intelligence agency and its partners’ reach.
In an exclusive interview for Softpedia, Bill Franklin from Lavaboom talked about the world’s spies, encryption, security and how to be safe online.
Softpedia: How do you plan to keep Lavaboom safe from the NSA and other intelligence services curious enough to start snooping?
Bill Franklin: The main protection for users is that as a provider we really don’t have access to your private keys, they're generated in the JavaScript on the user side - this means we can't get access to your personal information and 3-letter agencies can't get from us.
We also make it very hard for them to apply for data. Only German agencies can issues warrants. These warrants can only be for individual data, not the entire user base, and the warrants must be approved by the German high court (which is very pro-privacy).
We have no intention to break the law, if we find an account is being used for criminal activity we can shut it down, but what we can't do is open up their email account to take a look inside. If a law enforcement agency has legally obtained a private key of an account holder and they also possess a warrant from the German High Court then we will of course co-operate.
We think this is unlikely to happen. We also use a variety of other encryption and security protocols; our mission is to make email as secure as it can be.
Will Lavaboom be safer from mass surveillance because the company is based in Germany?
Yes. Lavaboom email accounts are already safe from Carnivore-like mass surveillance by agencies like the NSA and GCHQ. Germany is good for us because although the privacy laws are very strict, they are also very clear cut and between the lines of their privacy laws there aren't loopholes - German privacy laws genuinely benefit personal privacy.
Google has had massive trouble working in Germany with their privacy policies - they even stopped updating Google Street View because of the hassle of blurring out a large percentage of what they were capturing on camera. Germany also does not recognize Safe Harbor regulations like other EU member states.
Do you think Lavaboom has stronger chances to avoid following in Lavabit’s footsteps – shutting down rather than provide SSL keys?
Yes. Germany operates differently to the US, that's why we try to have no ties to the US. We learned a lot from watching Ladar Levinson fight the NSA and he's got big fans here in Germany, it's lucky the NSA has no jurisdiction in Germany. We pledge in our mission statement to protect our users, and that's exactly what we're going to do.
Levinson was asked to provide the site's SSL keys. Could this type of demand be issued to Lavaboom as well? How would you handle such a situation? It's illegal in Germany to request our SSL keys, so our response would be to contact our lawyers / the police.
The security of your users depends on how much they encrypt their messages. How exactly do you plan on helping everyone follow the right steps?
That's our mission: We want everyone sending encrypted email, we've built an email provider that makes this extremely easy and we'll be explaining very clearly how to use PGP (Pretty Good Privacy).
There are 3 billion people sending unencrypted messages, the vast majority of which are personally private - too many people don't realize how ridiculously easily it is to access their emails when they send them unencrypted. Even more people don't realize that this is already happening.
Since Heartbleed is such a hot topic nowadays, I must ask – have your servers been affected by the vulnerability?
No, we weren't affected by Heartbleed. We ran a Q&A on Twitter to help those who were worried - we still recommend changing your passwords for your email accounts and purchasing accounts (e.g. eBay, Amazon, PayPal) if you haven't done so already.