October 22, 2013
VPN service provider says that concerns it may be
forced to hand over its encryption keys to United States authorities have
led it to take the decision to shut down its consumer services.
says that information revealed as part of the
Lavabit case has undermined
its original understanding of United States law and made its position
Shutting down, the company says, is the only solution to protect
As the revelations of Edward Snowden roll
on and on, the
notion that individuals in the United States, or indeed citizens of any
country, have any real online privacy is being continually undermined.
As a result, interest in anonymity services such
as Tor and
VPNs has increased as even regular Internet users balk at the idea of
While there are hundreds of providers to choose
from, one particular US-based company has decided that the current
environment on home soil makes it impossible to offer an effective
"With immediate effect as of this notice,
CryptoSeal Privacy, our consumer VPN
service, is terminated.
All cryptographic keys used in the operation of the
service have been zerofilled, and while no logs were produced (by design)
during operation of the service, all records created incidental to the
operation of the service have been deleted to the best of our ability," the
company said in a statement.
While it's not unusual for a provider to leave
the marketplace, CryptoSeal says that the ground has recently shifted
beneath its feet, meaning that the legal basis on which the company was
founded can no longer be relied upon.
"Essentially, the service was created and
operated under a certain understanding of current US law, and that
understanding may not currently be valid.
As we are a US company and comply
fully with US law, but wish to protect the privacy of our users, it is
impossible for us to continue offering the CryptoSeal Privacy consumer VPN
product," the company says.
The problem, CryptoSeal says, relates back to
the recent Lavabit case.
The now-shuttered email service used by Edward
Snowden closed down in August, with founder Ladar Levison saying that he had been
"forced to make a difficult decision: to become complicit in crimes
against the American people or walk away from nearly 10 years of hard work
by shutting down Lavabit."
Lavabit had been targeted by U.S. authorities,
but rather than compromise the privacy of his users, Levison decided to
close the service down instead.
He is currently tied up in a legal battle
with U.S. authorities and it's a document from this case that has caused CryptoSeal to shut down its consumer service.
"The Lavabit case, with
filings released by Kevin Poulsen of Wired.com reveals a Government
theory that if a pen register order is made on a provider, and the
provider's systems do not readily facilitate full monitoring of pen register
information and delivery to the Government in realtime, the Government can
compel production of cryptographic keys via a warrant to support a
government-provided pen trap device," CryptoSeal states.
A pen register is a device originally created in
the 1800s for recording telegraph signals on paper, but more recently the
term has been used to describe devices that can monitor telephone lines and
Since VPN communications are encrypted, CryptoSeal
believes that the only way it would be able to comply with a pen register
order would be to do the unthinkable - hand over its encryption keys.
"Our system does not support recording any of
the information commonly requested in a pen register order, and it would be
technically infeasible for us to add this in a prompt manner.
consequence, being forced to turn over cryptographic keys to our entire
system on the strength of a pen register order, is unreasonable in our
opinion, and likely unconstitutional, but until this matter is settled, we
are unable to proceed with our service," the company informs.
While encouraging customers to
donate to Lavabit's defense fund,
CryptoSeal says it is currently investigating whether it will be able to
provide a consumer VPN service in the future without compromising user
The company signs off with the following call.
"For anyone operating a VPN, mail, or other
communications provider in the US, we believe it would be prudent to
evaluate whether a pen register order could be used to compel you to divulge
SSL keys protecting message contents, and if so, to take appropriate
action," CryptoSeal concludes.