Managing Your Virtual Presence #encryption #privacy (Updated)

Update: Lavabit.com has been shut down by the owner. How would I adjust my diagram? Hmm…

My Fellow Users,
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on–the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests. 

What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States. 

Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC
Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund here.

“Dad,” asked my son in anticipation of his upcoming birthday, “I’m planning on starting over online. I want to delete my email accounts, YouTube accounts, etc.” As we discussed all the things he wanted to do (and why), I made a few suggestions based on recent changes that I’ve made in my own habits.

For fun, I’ve captured them in a Gliffy.com diagram (wow, this is an AWESOME diagramming tool!) that I made using their free account. One question I have is: what have I left out? On first look, I wonder if this is too complicated. But then, the reality sinks in. It’s important to plan your virtual presence with security and encryption in mind.

Here’s the diagram, and I’ve included a list of the various sites:

As you can see, there are two strategies discussed in the diagram.

1) Lavabit Account:
The rationale for getting a Lavabit.com account is the security. They offer free webmail accounts that can also be accessed on your mobile device via POP/IMAP. What makes them unique is statements like this:

In an era where Microsoft and Yahoo’s e-mail services sell access past their spam filters, Google profiles user’s inboxes for targeted advertising, and AT&T allows the government to tap phone calls without a court warrant; we decided to take a stand.
Lavabit has developed a system so secure that it prevents everyone, including us, from reading the e-mail of the people that use it. We felt that this technical protection was necessary in addition to our Terms of Use and privacy policies.

In safer times, a strict Privacy Policy would have been enough to protect the rights of honest Internet citizens. But everything changed when the United States Congress passed the Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act in 2001. If you’re currently unaware of the PATRIOT Act, we highly recommend you visit the Electronic Frontier Foundation (EFF) website.

The key element of the PATRIOT Act is that it allows the FBI to issue National Security Letters (NSLs). NSLs are used to force an Internet Service Provider, like Lavabit, to surrender all private information related to a particular user. The problem is that NSLs come without the oversight of a court and can be issued in secret. Issuing an NSL in secret effectively denies the accused an opportunity to defend himself in court. Fortunately, the courts ruled NSLs unconstitutional in 2005; but not before illustrating the need for a technological guarantee of privacy. 

Lavabit believes that a civil society depends on the open, free and private flow of ideas. The type of monitoring promoted by the PATRIOT Act restricts that flow of ideas because it intimidates those afraid of retaliation. To counteract this chilling effect, Lavabit developed its secure e-mail platform. We feel e-mail has evolved into a critical channel for the communication of ideas in a healthy democracy. It’s precisely because of e-mail’s importance that we strive so hard to protect private e-mails from eavesdropping.

Their security description continues as follows, but you can read the whole thing online:

The short description is that for users of this feature, incoming e-mail messages are encrypted before they’re saved onto our servers. Once a message has been encrypted, only someone who has the account password can decrypt the message. Like all safety measures, encryption is only effective if it’s used. To ensure privacy, Lavabit has developed a complex system that makes the entire encryption and decryption process transparent to the end user. 

As you might guess, I didn’t explain ALL of this to my son, but I did help him come up with a secure password. What fun it was to see his expressions when he’d try some sample passwords in the How Secure Is My Password web site, only to see they could be cracked in 2 hours or 10 days. “We’re trying for infinity, right?”
Of course, I will eventually introduce my son to tools like SSE File Encryption and AESCrypt.com for encrypting files, folders, etc. As we head into high school, being able to transmit encrypted files becomes a greater necessity. I can’t tell you how many times my daughter had to send me files, or vice versa. Simply dropping unencrypted content in cloud storage solutions like Dropbox or Google Drive isn’t recommended!

Google Drive does not currently encrypt files on the server. Our team and our company take the security and privacy of our users very seriously. For example, we support 2-factor authentication, and as Julio mentioned, all transmissions to and from your device use HTTPS and TLS. However, you can encrypt a file (or all your files) before you add it to Google Drive, and Drive will sync any file (whether it’s encrypted or not) to all your devices.

Source: Teresa, Google Docs & Drive Community Manager, Post on Forum 4/26/12 available online

Security researcher Christopher Soghoian believes Dropbox is lying in claiming that they encrypt uploaded files and keep them from employee eyes. So he filed an FTC complaint against them. According to Wired, the complaint alleges that the lack of encryption means that your files could be involved in possible government searches, copyright infringement lawsuits, or the machinations of Dropbox employees.

Source: Gizmodo 

Rather than using Gmail to help manage social media, a Lavabit email account (they provide two free accounts) will be used to manage the various social media accounts he uses.
Those accounts include:
  1. Kik – an instant messaging service popular with youngsters.
  2. Instagram – photo sharing site
  3. YouTube – video sharing. We think we can use YouTube with a 3rd party email account.
  4. Cloud Storage solutions
  5. Apple ID – Since he’s an avid Apple user (sigh), switching over to Lavabit shouldn’t be difficult. I went through the process prior to writing this email and it was pretty straightforward.
2) Gmail
One of the points I shared with him was that while he could point most folks to Lavabit email, he probably needed to keep a Gmail account active for now. The reason why is that he’s already established his eportfolio online, and having a Gmail account could also help when setting up new accounts in “throwaway” services that require OAuthID (such as Gliffy).
Thinking Long-Term
You know, I wonder what far-reaching consequences knowing how to do all this will have on my children’s lives. When I was 13–my son’s current age–I learned how to use an Apple //e computer. It started me down a path I couldn’t have imagined at the time. What impact will knowing these things have on him?


Check out Miguel’s Workshop Materials online at http://mglearns.wikispaces.com


Everything posted on Miguel Guhlin’s blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure
