When the U.S. government orders a communications company to give up its data, the firm has two basic choices: resist, and risk its leaders going to jail, or comply, and break faith with its customers. On Thursday, Aug. 8, however, two privacy-minded businesses chose a third and unprecedented option: They committed corporate suicide rather than bend to the surveillance state's wishes.
It could just be the opening battles in a new front of the surveillance war.
In a move that blocks governmental monitoring of private email accounts, two secure email providers closed shop on Thursday rather than divulge information about their users to the authorities. The first Dallas-based Lavabit -- which reportedly counts among its users NSA-leaker Edward Snowden -- stopped operations after apparently fighting a losing battle to resist a federal surveillance order. (Snowden called the decision "inspiring" in a note to the Guardian's Glenn Greenwald.) A few hours later, Silent Circle, headquartered outside Washington, D.C., announced it was suspending its encrypted email service as a preemptive measure before ever receiving a command from the government to spy on its users.
The companies' extreme actions put them in an exclusive club. Security and legal experts said they could not recall a company preventing government access to its customers' information by shutting down its business. Some companies have appealed surveillance orders in the courts or attempted to force more public disclosure about the secretive intelligence-gathering process, but they have remained functioning. Refusing to comply with an order also means the government is cut off from potentially valuable information that it may have no other means of obtaining.
Ladar Levison, the owner and operator of Lavabit, said in a cryptic public message to his users that he had "been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit."
Levison didn't say precisely what events had led to his decision, but his letter strongly suggests that he had refused to comply with an official order to hand over Lavabit users' emails and give the government ongoing, prospective access to the company's systems. In the letter, Levison said he was forbidden from discussing "the events that led to my decision." Recipients of secretly issued government surveillance orders are often prohibited from disclosing or discussing them publicly.
Silent Circle, in a letter to its customers, cited Lavabit's decision. "We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail [its encrypted email service] now. We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now."
The company also acknowledged that its email service didn't have protections as strong as those for its phone and text services, which can delete communications entirely, as well any corresponding metadata records. Email leaves a digital trail that can be recovered and therefore forcibly disclosed by the authorities.
"Tough decision but we couldn't wait for the inevitable risking member security," Vic Hyder, the company's chief operations officer, wrote on Twitter.
"We huddled this afternoon and saw no other choice," Jon Callas, Silent Circle's chief technology officer and a noted computer security expert, wrote on his Twitter feed.
Companies that receive surveillance demands find themselves in an unenviable position. Some, such as Yahoo!, Microsoft, and Google, have either fought surveillance orders in court or petitioned the government to let them disclose more information about what the authorities are asking about the companies' users. But until now, these companies and others, including Internet mainstays such as Facebook that have hundreds of millions of users, have complied with the orders and helped form the backbone of official surveillance.
Companies also know they cooperate at the risk of undermining their reputation and their business. Take the encrypted email service Hushmail, a Canadian company that like Lavabit had marketed itself as a secure system. In 2007, the firm gave over information on three customers as part of a U.S. federal investigation into illegal steroids. Although Hushmail was complying with a court order and a legal assistance treaty between the United States and Canada, its reputation was significantly damaged among its product's core users.