Privacy Pledge

Lavabit will not release any information related to an individual user unless legally compelled to do so.

As a necessity Lavabit is required to store private information. In the interest of openness we would like to detail exactly what private information is collected, how that information is used and who has access to that information.

The most private information we store is Internet e-mail. For e-mail, we have two separate stores: one for outgoing mail and one for incoming mail. Messages are only stored for as long as necessary. In the case of outgoing e-mail, the message is only retained until it is successfully delivered. Incoming e-mail is stored until a user a) issues a command requesting that a message be deleted or b) the user account is terminated.

Only a select number of Lavabit administrators have access to servers that store messages, and all administrators have been trained such that they should never need to access the private e-mail of a user.

For premium users who have elected to use our “secure” service, incoming e-mail is stored using an asynchronous encryption process that guarantees that it can’t be accessed by anyone except the holder of the account password. For these accounts, only the encrypted version of the message is ever saved to disk.

Incoming e-mail is optionally scanned by the Lavabit antivirus engine and the statistical spam filter. All outgoing e-mail is scanned by the Lavabit antivirus engine. It should be noted that the antivirus engine retains no record of a particular message once it has been scanned. The statistical spam filter does store hashed token data about messages. This token data is used to assess future messages. In theory, an attacker with unlimited computing power could use these hashes to build a profile of the most common words used in a person’s e-mail. In practice it is considered impossible to determine what word equates to a particular hash. It should also be noted that the spam filter doesn’t store any information regarding what order tokens appear in or what messages contained what tokens. However, in the interest of privacy, we are disclosing this information.

A record of outgoing messages is maintained in the e-mail server logs for a short period of time (typically seven days). This record includes generic information, such as the sender, recipient and time of a message. No record of incoming e-mail is retained once a message is deleted.

The Lavabit servers also collect private information in the web server log files. The log files store basic information about what IP addresses access our site, what web browser was used, what file was accessed and what time that access occurred.

All log files are exclusively analyzed by automated programs to detect statistical trends. These trends allow our administrators to identify and correct problems. All log files containing private information are typically deleted within seven days.

To provide better service, Lavabit records basic statistical information about its accounts. This information includes the last time a particular account was used and aggregate numbers on how many messages have been sent or received by a particular account. These records allow us to purge inactive accounts and provide aggregate statistics, including the number of active accounts and the number of messages processed daily.

When a new user registers for Lavabit, the user’s subnet is temporarily stored in memory. This information is used to prevent more than three new user registrations in a 24-hour period. We do not record any information that would allow us to correlate the IP from which a particular account was registered.

It is also important to know what information Lavabit does NOT store. We do not keep a record of the IP addresses used to access our services (except in the web server logs), and we not keep a record of what information was accessed during a particular session.

On a final note, the Lavabit e-mail servers do record the IP address used to send an outgoing message in the header of an outgoing e-mail. Because of this, it is possible for the recipient of a message to identify what IP was used to send a message. We record this information in the message header so that law enforcement officials in possession of a message that violates the law can identify the original sender. Lavabit does not retain this information.

Though Lavabit’s services are intentionally designed to protect a user’s privacy we do not condone, endorse or encourage the use of our services for illegal activities. In cases where abuse is reported to our administrators, we reserve the right to forward any complaint that our abuse team receives to law enforcement officials. However, in accordance with the policy above, we will not surrender any private information without a court order; only the information we receive from the complainant.

Lavabit reserves the right to update this Privacy Policy at its discretion and without notice or consideration. The most current version of the Privacy Policy can always be viewed using the Privacy Policy hypertext link at the bottom of all web pages. Agreement to this policy is a prerequisite for the use of any Lavabit service.

Last Modified: January 20th, 2017 (revisions pending)

Contact us