US VPN Service Calls it Quits

Referencing Lavabit's decision to close, CryptoSeal has decided to shut down its US-based personal VPN service. The company will continue to support its business customers but is closing its consumer VPN service effective immediately. Being a small company in the consumer VPN market, CryptoSeal decided to shut down to avoid any future legal issues. A conflict of interest may have also played a role in the decision.


Here’s the full statement from the CryptoSeal site:

CryptoSeal Privacy Consumer VPN service terminated with immediate effect

With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability.

Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product.

Specifically, the Lavabit case, with filings released by Kevin Poulsen of Wired.com (https://www.documentcloud.org/documents/801182-redacted-pleadings-exhibits-1-23.html) reveals a Government theory that if a pen register order is made on a provider, and the provider’s systems do not readily facilitate full monitoring of pen register information and delivery to the Government in realtime, the Government can compel production of cryptographic keys via a warrant to support a government-provided pen trap device.  Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner.  The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion, and likely unconstitutional, but until this matter is settled, we are unable to proceed with our service.

We encourage anyone interested in this issue to support Ladar Levison and Lavabit in their ongoing legal battle. Donations can be made at https://rally.org/lavabit. We believe Lavabit is an excellent test case for this issue.

We are actively investigating alternative technical ways to provide a consumer privacy VPN service in the future, in compliance with the law (even the Government’s current interpretation of pen register orders and compelled key disclosure) without compromising user privacy, but do not have an estimated release date at this time.

To our affected users: we are sincerely sorry for any inconvenience. For any users with positive account balances at the time of this action, we will provide 1-year subscriptions to a non-US VPN service of mutual selection, as well as a refund of your service balance, and free service for 1 year if/when we relaunch a consumer privacy VPN service. Thank you for your support, and we hope this will ease the inconvenience of our service terminating.

For anyone operating a VPN, mail, or other communications provider in the US, we believe it would be prudent to evaluate whether a pen register order could be used to compel you to divulge SSL keys protecting message contents, and if so, to take appropriate action.

Ryan Lackey, CEO and co-founder of CryptoSeal, left this comment on Hacker News:

We didn't have millions of users, but were making decent profits to cover costs on the users we had, and growing. If someone outside the US wants to run a privacy VPN service for consumers, or if the Lavabit case is resolved successfully, I'd probably say it's a decent business (boring, but decent).

The financial issue was the potentially huge liability due to a legal action or battle, not the (small) costs of operating the service; my cofounder and I are both not really able to take a Lavabit-style stand (I do DoD/USG consulting work, so I have additional special considerations in doing anything which isn't absolutely legally compliant in every appearance, which Ladar et al. didn't have…).

We're still working on similar things, now without the revenue from the privacy VPN service.

Given that Mr. Lackey consults for the Department of Defense, it's not too surprising that he decided to shut down. This could easily have been a conflict of interest for him. We wish Ryan and his team the best in their future endeavors. We also want to put this article in the right context. CryptoSeal was very small in comparison to StrongVPN, Private Internet Access and others that operate out of the United States. We don't see the CryptoSeal closure as a sign of things to come for the larger U.S.-based VPN services.