CryptoSeal, a VPN company based in the United States, has closed the doors of its Personal VPN service, saying that following the legal wrangles over the Lavabit case, it can no longer guarantee to protect its customers’ privacy.
‘With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability.’
The company’s statement on its now-defunct webpage goes on to explain,
‘Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product.
‘Specifically, the Lavabit case, with filings released by Kevin Poulsen of Wired.com reveals a Government theory that if a pen register order is made on a provider, and the provider’s systems do not readily facilitate full monitoring of pen register information and delivery to the Government in realtime, the Government can compel production of cryptographic keys via a warrant to support a government-provided pen trap device.
‘Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner. The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion, and likely unconstitutional, but until this matter is settled, we are unable to proceed with our service.’
A pen register is an ‘electronic device that records all numbers called from a particular telephone line. The term has come to include any device or program that performs similar functions to an original pen register’ according to Wikipedia, and has had its definition expanded under the Patriot Act ‘to include devices or programs that provide an analogous function with internet communications.’
Lavabit closed down in August rather than accede to an NSA secret court order which would have allowed the agency to spy on Lavabit customers, and would therefore have made the company ‘become complicit in crimes against the American people’.
How other US-based VPN companies react to news of CryptoSeal’s closure (and the reasons it has given for it) will prove very interesting. The closure provides further evidence that if NSA surveillance bothers you (as it should), then you should use technology companies (very much including VPN providers) that are based outside the US. CryptoSeal’s CEO Ryan Lackey (aka RLD) appeared to confirm this perception when he commented on Hacker News that,
‘If we were the legally best VPN option, I would probably have pushed to keep it going anyway and just shut down when/if that happened, but as it is, non-us providers run by non-US people (there are several good ones) are an objectively better option, so in good conscience there’s no reason to continue running a US privacy VPN service without technical controls to prevent being compelled to screw over a user.’
And while we are somewhat on the subject, we would like to congratulate Lavabit founder Ladar Levison for successfully meeting his appeal target of $96,000, so that he can continue his legal battle against the US government. We are proud of the support we, and everyone else who contributed to Mr Levison’s cause, have provided.