Two privacy-focused email providers have launched the Dark Mail Alliance, a project to engineer an email system with robust defenses against spying.
Silent Circle and Lavabit abruptly halted their encrypted email services in August, saying they could no longer guarantee email would remain private after court actions against Lavabit, reportedly an email provider for NSA leaker Edward Snowden.
Their idea, presented at the Inbox Love email conference in Mountain View on Wednesday, is for an open system that could be widely implemented and which offers much stronger security and privacy. As envisioned, Dark Mail would shield both the content of an email and its "metadata," including "to" and "from" data, IP addresses and headers. The email providers hope a version will be ready by next year.
"The issue we are trying to deal with is that email was created 40 years ago," said Jon Callas, CTO and founder of Silent Circle, in a phone interview. "It wasn't created to handle any of the security problems we have today."
Silent Circle, Lavabit and at least one VPN provider, CryptoSeal, shut down their services fearing a court order forcing the turnover of a private SSL (Secure Sockets Layer) key, which could be used to decrypt communications.
Lavabit was held in contempt of court for resisting an order to turn over its SSL key, which in theory allowed the government to decrypt not only Snowden's communications but also those of its 400,000 users. Ladar Levison, Lavabit's founder, is appealing.
Callas said Dark Mail is a collaboration with Levison. Rather than create a closed email service, they decided to design Dark Mail with open-source software components that could be used by any email provider.
"We need 1,000 Lavabits all around the world," he said.
Representatives of Google, Microsoft and Yahoo who attended Inbox Love did not have an immediate comment on Dark Mail.
Dark Mail will be crafted around XMPP, a web messaging protocol known by its nickname Jabber, along with another encryption protocol created by Silent Circle called SCIMP (Silent Circle Instant Message Protocol), Callas said.
An adapter will be built that will enable Dark Mail within different email clients. "There's no reason why you couldn't modify Outlook and Exchange to do this," he said.
The private key used to decrypt email will be held on users' systems and not retained by a service provider. Even if the government forced an SSL key to be turned over, users would not be compromised "because all of the messages are encrypted to keys that are sitting in the hands of the recipient," Callas said.
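As an added illustration of the key-placement argument Callas makes above (example code written for this page, not Dark Mail's or Silent Circle's software): the recipient's X25519 key never leaves the recipient's machine, each message is sealed to it under a fresh one-time key, and a second key standing in for a provider's surrendered TLS key cannot open the result. The function names, SHA-256 as the key-derivation step and the fixed nonce are assumptions of this example, not details of the Dark Mail design.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// aeadFor derives AES-256-GCM from an X25519 shared secret (SHA-256 as the KDF is a simplification assumed here).
func aeadFor(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)   // AES block size: cannot fail
	return aead
}

// Encrypt seals plaintext to the recipient's public key under a fresh one-time key; the output (ephemeral public key || ciphertext) is all the provider ever stores or relays.
func Encrypt(recipientPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	aead := aeadFor(shared)
	// The derived key is used exactly once, so a fixed all-zero nonce is safe.
	return aead.Seal(eph.PublicKey().Bytes(), make([]byte, aead.NonceSize()), plaintext, nil), nil
}

// Decrypt opens a sealed message with whatever private key the caller holds; only the recipient's key reproduces the secret, and any other key (e.g. a surrendered TLS key) fails authentication.
func Decrypt(priv *ecdh.PrivateKey, sealed []byte) ([]byte, error) {
	if len(sealed) < 32 {
		return nil, errors.New("sealed message too short")
	}
	ephPub, err := ecdh.X25519().NewPublicKey(sealed[:32])
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	aead := aeadFor(shared)
	return aead.Open(nil, make([]byte, aead.NonceSize()), sealed[32:], nil)
}
```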