In September of 2013, Ladar Levison, founder of encrypted email service Lavabit, sat in front of a European Parliament hearing in Brussels, Belgium. He’d been asked to testify as part of a European Union investigation into the revelation that the National Security Agency was engaged in illegal surveillance activity on its own citizens and on sovereign nations that considered themselves allies of the United States. Just a few months earlier, Levison had abruptly shut down his network, denying his nearly half a million users access to their accounts and closing down Lavabit’s operations. It cost him his business—and turned him into a hero to privacy advocates around the world.

Lavabit was founded with the intention of eliminating the service provider from the surveillance equation. Levison didn’t keep logs on his server, and didn’t have access to users’ emails on disk. If someone wanted to conduct surveillance on a target, they’d have to get access on the sender’s or the receiver’s ends. There was no way to access a single user’s password-protected account.

So when the Federal Bureau of Investigation demanded access to Snowden’s account, there was only one way to do it. The FBI demanded Levison turn over Lavabit’s SSL key so they could intercept the account’s password and access data on disk before it became encrypted. The problem was that it wasn’t only Snowden’s account that would have been compromised. Having the SSL key would have granted them access to every account on Lavabit’s servers.

That the FBI wanted the SSL key was disturbing enough, but even worse was the secrecy order they imposed on Levison, preventing him from notifying his users that the federal government had access to every communication on his network. He fought the order in federal court and lost. He concluded that the only ethical choice left to him was to shut down.

“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit,” Levison posted on the company’s homepage. “After significant soul searching, I have decided to suspend operations. … I feel you deserve to know what’s going on—the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise.”

“I believe in the need to conduct investigations. But those investigations are supposed to be difficult for a reason. It’s supposed to be difficult to invade somebody’s privacy, because of how intrusive it is. Because of how disruptive it is,” he told the EU court. “If we don’t have a right to privacy, how do we have free and open discussion? What good is the right to free speech if it’s not protected?”

Levison told us that when he first started Lavabit, he reached out to several of the original email RFC writers, security engineers and leading experts to try and understand the limits of email security. As he and his team began to deconstruct the original email protocols, they quickly realized that legacy email was inherently unsuited to modern-day usage.

Email has become our default mode of communication. In 2016, more than 2.6 billion of us used email, exchanging nearly 205 billion messages per day. But email security has not kept pace with its adoption rate. We are essentially using the first email protocols developed back in the 1970s, when security and privacy were afterthoughts at best. Email back then was designed to be more akin to a postcard than a sealed letter, says Levison. Anyone who happened to come across it could read it.

Today, there are many ad hoc security technologies out there, including email encryption solutions such as GPG and S/MIME. But they’re tacked onto the existing email protocols, not integrated into them, and most of them require a high level of user effort and expertise. They’re cumbersome, and Levison says none provide protection outside of their own walled gardens, meaning a closed platform in which service providers control all applications and content. These two elements—difficulty of use and the inability to encrypt communications outside of a service provider’s own network—prevent email encryption from becoming a ubiquitous standard, says Levison.

“Achieving online privacy shouldn’t require a Ph.D. in cryptology,” Levison says.

Lessons Learned

For the next three and a half years after turning off his servers, Levison, along with a small group of like-minded volunteer coders, worked feverishly to develop a new email protocol that would eliminate the possibility of a repeat of the situation he’d faced in the summer of 2013. While Lavabit’s original design fully encrypted the data on Levison’s network, it had to use the SSL key as a bridge of sorts between users’ home computers and Lavabit’s server in order to maintain compatibility with those legacy email protocols from the 1970s. If he wanted to truly “take the service provider out of the equation,” then he needed to remove the SSL key as an option to leverage.

On January 20, the day the U.S. inaugurated Donald Trump as president, Levison relaunched Lavabit, along with a new email environment, the world’s first Dark Internet Mail Environment (DIME). The ultimate goal of the DIME initiative is to enable the ubiquitous adoption of end-to-end email encryption, to create a new default standard of inherent privacy. DIME is Levison’s leviathan.

This time, he wanted to make sure all sensitive metadata associated with email would be encrypted, so anyone snooping around would only be able to see, at most, the length of the encrypted message. Levison says to think of it like the Tor protocol, where the data is hidden under many virtual layers that obscure the data traffic. And though we can’t get away from the SSL key altogether, Lavabit offers three different options for key distribution: Trustful, Cautious and Paranoid.

Trustful mode is designed to integrate with existing email software, and it requires users to trust the server to manage encryption. Users don’t have to worry about technical requirements or complicated cryptographic code. Levison envisions this as the go-to mode for businesses that have regulatory requirements, data retention practices and unique needs like escrow keys.

The Cautious and Paranoid modes both utilize end-to-end encryption. In Cautious mode, the user’s encryption key is stored in plaintext within the memory of their personal device, encrypted and then transmitted through a secure tunnel to the Lavabit servers where it’s stored in a user-specific space. Since it’s encrypted on the user’s device, there’s no way for the network administrator to access it.

But there are those—activists, journalists, residents of countries with oppressive governments—who want absolute control over their security key. For these users, Lavabit offers Paranoid mode. The key is never transmitted anywhere, and the user is responsible for moving the key to any new device on which they want to access their account. Destroy the device, and you destroy the key. It’s ultra-secure, but it also requires a high level of technical proficiency.

If Edward Snowden’s account had been in Paranoid mode, Lavabit would never have had to close its doors.
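
The Cautious-mode arrangement described above, where the key is encrypted on the user’s device and the server keeps only the encrypted copy, can be shown in code. This is an added example, not Lavabit’s or DIME’s code; the use of scrypt and AES-256-GCM, the KeyStore class, the function names and the sample account are assumptions made for illustration.

```javascript
// Added illustration, not Lavabit or DIME code. scrypt and AES-256-GCM are
// assumed primitives; KeyStore and the sample account are hypothetical.
const crypto = require('node:crypto');

// Device side: encrypt the private key under a key derived from the passphrase.
function wrapKey(privateKey, passphrase) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12);
  const kek = crypto.scryptSync(passphrase, salt, 32);
  const cipher = crypto.createCipheriv('aes-256-gcm', kek, nonce);
  const ciphertext = Buffer.concat([cipher.update(privateKey), cipher.final()]);
  return { salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Device side: returns the key, or null if the passphrase is wrong or the
// stored blob was modified (the GCM tag check fails in both cases).
function unwrapKey(blob, passphrase) {
  const kek = crypto.scryptSync(passphrase, blob.salt, 32);
  const decipher = crypto.createDecipheriv('aes-256-gcm', kek, blob.nonce);
  decipher.setAuthTag(blob.tag);
  try {
    return Buffer.concat([decipher.update(blob.ciphertext), decipher.final()]);
  } catch (err) {
    return null;
  }
}

// Server side: stores opaque blobs per user and never sees the passphrase.
// In Paranoid mode nothing would be stored here at all.
class KeyStore {
  constructor() { this.blobs = new Map(); }
  put(user, blob) { this.blobs.set(user, blob); }
  get(user) { return this.blobs.get(user); }
}

function demo() {
  const passphrase = 'correct horse battery staple'; // constructed sample
  const privateKey = crypto.randomBytes(32); // constructed stand-in for a user key
  const server = new KeyStore();
  server.put('alice@example.com', wrapKey(privateKey, passphrase));
  const blob = server.get('alice@example.com');
  const secondDevice = unwrapKey(blob, passphrase);
  const bad = { ...blob, ciphertext: Buffer.from(blob.ciphertext) };
  bad.ciphertext[0] ^= 1; // simulate modification of the stored copy
  return {
    recovered: secondDevice !== null && secondDevice.equals(privateKey),
    wrongPassphraseRejected: unwrapKey(blob, 'operator-guess') === null,
    tamperDetected: unwrapKey(bad, passphrase) === null,
  };
}
```

The stored blob is only as strong as the passphrase, because whoever holds it can try guesses offline; scrypt raises the cost of each guess.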

Freedom and Privacy for All

But Levison’s dream of ubiquity won’t ever come true if Lavabit users can only email other Lavabit users. DIME won’t do a lot of good unless it’s used by service providers worldwide. To that end, he’s making the DIME code open source for anyone to audit. He doesn’t view other service providers as competitors. Levison is a true idealist who believes in forming a community of partners working toward creating an encrypted future, and he’s offered Lavabit’s code to anyone trying to support the DIME protocol.

Levison feels he has a mandate to protect at-risk individuals and communities. Human rights organizations, NGOs, activists and journalists aren’t technologists. They have to depend on service providers to provide the technology necessary to protect their communications. By making email encryption the automatic default, Levison has come full circle to the original Lavabit ethos: to provide people a measure of privacy to live and work.