[Infowarrior] - CryptoSeal shuts down commercial VPN service

Richard Forno rforno at infowarrior.org
Mon Oct 21 16:29:57 CDT 2013


https://privacy.cryptoseal.com/

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CryptoSeal Privacy Consumer VPN service terminated with immediate effect


With immediate effect as of this notice, CryptoSeal Privacy, our 
consumer VPN service, is terminated.  All cryptographic keys used in the 
operation of the service have been zerofilled, and while no logs were 
produced (by design) during operation of the service, all records 
created incidental to the operation of the service have been deleted to 
the best of our ability.

Essentially, the service was created and operated under a certain 
understanding of current US law, and that understanding may not 
currently be valid.  As we are a US company and comply fully with US 
law, but wish to protect the privacy of our users, it is impossible for 
us to continue offering the CryptoSeal Privacy consumer VPN product.

Specifically, the Lavabit case, with filings released by Kevin Poulsen 
of Wired.com 
(https://www.documentcloud.org/documents/801182-redacted-pleadings-exhibits-1-23.html) 
reveals a Government theory that if a pen register order is made on a 
provider, and the provider's systems do not readily facilitate full 
monitoring of pen register information and delivery to the Government in 
realtime, the Government can compel production of cryptographic keys via 
a warrant to support a government-provided pen trap device.  Our system 
does not support recording any of the information commonly requested in 
a pen register order, and it would be technically infeasible for us to 
add this in a prompt manner.  The consequence, being forced to turn over 
cryptographic keys to our entire system on the strength of a pen 
register order, is unreasonable in our opinion, and likely 
unconstitutional, but until this matter is settled, we are unable to 
proceed with our service.

We encourage anyone interested in this issue to support Ladar Levison 
and Lavabit in their ongoing legal battle.  Donations can be made at 
https://rally.org/lavabit  We believe Lavabit is an excellent test case 
for this issue.

We are actively investigating alternative technical ways to provide a 
consumer privacy VPN service in the future, in compliance with the law 
(even the Government's current interpretation of pen register orders and 
compelled key disclosure) without compromising user privacy, but do not 
have an estimated release date at this time.

To our affected users: we are sincerely sorry for any inconvenience. 
For any users with positive account balances at the time of this action, 
we will provide 1 year subscriptions to a non-US VPN service of mutual 
selection, as well as a refund of your service balance, and free service 
for 1 year if/when we relaunch a consumer privacy VPN service.  Thank 
you for your support, and we hope this will ease the inconvenience of 
our service terminating.

For anyone operating a VPN, mail, or other communications provider in 
the US, we believe it would be prudent to evaluate whether a pen 
register order could be used to compel you to divulge SSL keys 
protecting message contents, and if so, to take appropriate action.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (Darwin)

iEYEARECAAYFAlJSnR8ACgkQB62+B9LgMB+VQQCcCtJO9W9tNVZHd5q8YGBykO1+
PuEAn39cWbDwt6UQd2GyZUZ7y79cVQXh
=vGGD
-----END PGP SIGNATURE-----

	
-- 
Just because I'm near the punchbowl doesn't mean I'm also drinking from it.

