A consumer VPN service called CryptoSeal Privacy has shut down rather than risk government intrusions that could cost the company money in legal fees and threaten user privacy.

CryptoSeal will continue offering its business-focused VPN, but the consumer service is done, the company announced:

With immediate effect as of this notice, CryptoSeal Privacy, our consumer VPN service, is terminated. All cryptographic keys used in the operation of the service have been zerofilled, and while no logs were produced (by design) during operation of the service, all records created incidental to the operation of the service have been deleted to the best of our ability. Essentially, the service was created and operated under a certain understanding of current US law, and that understanding may not currently be valid. As we are a US company and comply fully with US law, but wish to protect the privacy of our users, it is impossible for us to continue offering the CryptoSeal Privacy consumer VPN product.

VPN services let consumers gain extra privacy and security while using the Internet. A user establishes an encrypted connection with a VPN service, routing all Internet traffic to the VPN before sending it on to the rest of the Internet.

Some VPN services promise only protection from common hackers, which is useful for people seeking extra security while surfing the Web on public Wi-Fi networks. To hide one's traffic from Internet service providers or governments, people look to VPNs that promise not to keep any logs that might reveal what they use the Internet for.

CryptoSeal's description of its business VPN service says it's not designed to hide information from the government. "CryptoSeal Connect is not designed as a BitTorrent or other file-sharing VPN and is not designed to give you anonymity against the legal system," the company said. "We fully comply with all warrants and subpoenas and are located in the United States. We suggest using systems such as the Tor Project for anonymity requirements."

The possibility of handing cryptographic keys over to the government is a troubling one, though. "For anyone operating a VPN, mail, or other communications provider in the US, we believe it would be prudent to evaluate whether a pen register order could be used to compel you to divulge SSL keys protecting message contents, and if so, to take appropriate action," CryptoSeal wrote.

Lavabit case raises troubling legal possibilities

The company referred to the case of Lavabit, an e-mail service that shut down rather than comply with government orders to monitor user communications. A legal filing in that case raises a possibility that is troubling for CryptoSeal. Specifically, it describes "a Government theory that if a pen register order is made on a provider, and the provider's systems do not readily facilitate full monitoring of pen register information and delivery to the Government in realtime, the Government can compel production of cryptographic keys via a warrant to support a government-provided pen trap device," CryptoSeal wrote.

"Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner," CryptoSeal continued. "The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion and likely unconstitutional. But until this matter is settled, we are unable to proceed with our service."

CryptoSeal is investigating "alternative technical ways" to comply with US law without sacrificing user privacy, but in the meantime it is offering customers refunds as well as "one year subscriptions to a non-US VPN service of mutual selection" and "free service for one year if/when we relaunch a consumer privacy VPN service." CryptoSeal also encouraged people to donate to a Lavabit legal fund.

We've contacted CryptoSeal to ask why it's able to keep its business service open but haven't heard back yet. Selling to enterprises is more lucrative than selling to consumers, of course, providing one possible reason CryptoSeal chose this route. Another factor is that businesses seeking a VPN service may be more concerned about security from hackers than about hiding Internet activity from governments and Internet service providers.

A comment on Hacker News apparently posted by CryptoSeal founder and CEO Ryan Lackey points to the cost of legal services being one of the main factors.

"The financial issue was the potentially huge liability due to a legal action or battle, not the (small) costs of operating the service," Hacker News user "RDL" wrote. The service "was covering operating costs and some profit," but the risk of defending against a government order would have wiped that out.

"If we were the legally best VPN option, I would probably have pushed to keep it going anyway and just shut down when/if that happened, but as it is, non-US providers run by non-US people (there are several good ones) are an objectively better option, so in good conscience there's no reason to continue running a US privacy VPN service without technical controls to prevent being compelled to screw over a user," RDL wrote.

UPDATE: Lackey replied to Ars, explaining the different security requirements for the business service. "The users are businesses who usually want to monitor (automatically) their employees, for things like DLP [data loss prevention]," he wrote in an e-mail. "They also are all in regulated industries so far with logging and monitoring requirements in excess of what a court order might require, so the pen register 'loophole' isn't a concern for them at all."

He also noted that the biggest risk of continuing the service wasn't necessarily the cost of hiring lawyers, but that being in contempt of court could have landed him in jail.