Why secure e-mail startup Lavaboom imploded

After encrypted webmail service Lavabit closed under FBI pressure to reveal data about users – Edward Snowden reportedly among them – Lavaboom launched to take up the mantle. But about a year after launching, it has collapsed amid legal and financial woes.

A volcano on the French Indian Ocean Reunion Island.

Gilles Adt/Reuters

September 23, 2015

The short life of the secure e-mail startup Lavaboom started last year in a moment of intense global backlash over US government surveillance.

Its idealistic chief executive, Felix Müller-Irion, was a young university graduate in his 20s who set out to provide the world with a more secure e-mail service after Lavabit shut down. That company closed after it was pressured by the FBI to reveal data about customers, which reportedly included former National Security Agency contractor-turned-fugitive Edward Snowden.

Mr. Müller-Irion hoped to pick up where Lavabit left off. But in August, only a year after Lavaboom launched to great fanfare, Müller-Irion discovered that his company was the subject of a German criminal investigation, the details of which remain a mystery. He isn't allowed to speak about the case conducted by a unit of the Federal Office for Information Security, Germany's cybersecurity authority. The investigation was enough to scare off investors, hurting the company’s already fragile financial situation. 

In Snowden's wake, crypto-startups take root in Germany

Soon after finding out Lavaboom was under investigation the young chief executive opted to pull the plug on his company and declared bankruptcy. He gave his 12,000 registered users a week to transfer data to another secure e-mail service, recommending Tutanota in Hannover and Whiteout Mail in Munich. Then he deleted his customers' data.

"I decided not to let my users down, and deleted their whole data," said Müller-Irion. "So far I have not been served with a letter or notice of seizure of the servers, so I didn’t want to leave any trace of data left that could be recreated on the hard drive."

He's certainly aware of the potential similarities to his company's fate and the demise of Lavabit. In the end, he said, he opted to follow the Lavabit's example and shut down over his deep concerns that authorities may force him to weaken the security his customers were seeking. 

Lavaboom was among a slate of other German upstart e-mail providers that promised to be more secure options to Gmail, making it easier to send fully encrypted messages. While Lavaboom's demise may have been hastened by legal troubles, the company also struggled financially.

"You need a lot of time and a lot of back-up money” to raise a communications company that can rival the mainstream e-mail providers, said Matthias Pfau, cofounder of Tutanota. 

In the race to attract students, historically Black colleges sprint out front

Still, he said, the European public is increasingly turning to services such as his. Three years after Tutanota launched, the company ended its testing phase in March and opened the service to the public. Now, it's user base is north of 100,000. "The market is big, and it’s just starting," he said.

Signs of Lavaboom's trouble surfaced this summer when tech experts noticed that the company had failed to update its "warrant canary," a statement that a company has not been served with a warrant or court order for user data. If the warrant canary isn't updated, users assume the company has been received a government or court order for user information.

"It is now 16 days into August and the canary still states 1st July," read a post on Reddit. Another read: "Be very caution using Lavaboom right now!"

"This isn’t something which inspires confidence in a service which was designed with the thought of keeping secure communications out of the hands of law enforcement agencies," security expert Graham Cluley posted on his blog.

Lavaboom had committed to updating its canary on the first of every month. “Yes, the investigation was the reason we didn't feel comfortable to update it,” said Müller-Irion. 

But it wasn't just the investigation that troubled Müller-Irion and Lavaboom. The company was also in deep financial trouble. Even though the startup received $300,000 from an anonymous donor, it could not attract other investors. It did manage to raise about $110,000 in a crowdfunding campaign, but needed at least $170,000 to stay afloat.

Any leads the company had for new funding "went cold after we shared the information regarding the ongoing investigation,” said Müller-Irion.

"Lavaboom was neither big nor attractive enough," said Jochim Selzer, a cryptoparty organizer in the Bonn region.

In recent years, Germany's main e-mail providers have taken steps to make conversing via e-mail more secure. And that also hurt Lavaboom, experts say. Recently, the popular German server gmx issued a plug-in that allows the encryption software known as Pretty Good Privacy to work with its Internet mail interface.

"Gmx is a big provider with several million users," said Mr. Selzer, so they'll be able to big foot much of the emerging competition even by providing simple or basic encryption protections. 

Now, Müller-Irion said the rise and fall of Lavaboom should serve as one more reminder of how difficult it is to ensure and privacy on the Web.