
This is somewhat true. RFC3207[1] describes opportunistic TLS encryption for SMTP communications. Our postfix deployment uses this and a fair amount of our email is sent over TLS-encrypted SMTP.

Of course, an MITM attack could hide the STARTTLS option and there are questions around the strength of the CA cert infrastructure, but SMTP is not just plaintext.

[1] https://tools.ietf.org/html/rfc3207
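The fallback behaviour described in the comment above, as an added example that is not part of the original thread: it parses an EHLO reply and shows how an opportunistic sender silently drops to plaintext when STARTTLS is missing, while a mandatory-TLS sender defers. The sample replies, the host `mx.example.net`, the policy labels and the `seen_tls` history set are constructed for illustration.

```python
# Added example (constructed data): what an SMTP client does after EHLO when
# STARTTLS is missing from the reply, under two sending policies.

# Constructed EHLO replies; mx.example.net is a placeholder host.
WITH_TLS = "250-mx.example.net\r\n250-SIZE 10240000\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
NO_TLS = "250-mx.example.net\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"


def ehlo_extensions(reply):
    """Return the set of extension keywords in a multi-line 250 EHLO reply."""
    keywords = set()
    for line in reply.strip().splitlines()[1:]:  # line 0 is the greeting, not an extension
        code, sep, rest = line[:3], line[3:4], line[4:].strip()
        if code == "250" and sep in ("-", " ") and rest:
            keywords.add(rest.split()[0].upper())
    return keywords


def delivery_decision(reply, policy):
    """policy: 'opportunistic' or 'mandatory' (labels assumed for this example;
    they correspond to Postfix smtp_tls_security_level = may / encrypt)."""
    if "STARTTLS" in ehlo_extensions(reply):
        return "starttls"
    if policy == "mandatory":
        return "defer"       # fail closed: keep the message queued
    return "plaintext"       # silent fallback; a stripped and an absent STARTTLS look the same


def downgrade_suspected(domain, reply, seen_tls):
    """Flag a peer that offered STARTTLS before but does not now.
    seen_tls is a set of domains remembered from earlier sessions (assumed store)."""
    offered = "STARTTLS" in ehlo_extensions(reply)
    if offered:
        seen_tls.add(domain)
        return False
    return domain in seen_tls


if __name__ == "__main__":
    history = set()
    for label, reply in (("first session", WITH_TLS), ("later session", NO_TLS)):
        print(label,
              delivery_decision(reply, "opportunistic"),
              delivery_decision(reply, "mandatory"),
              downgrade_suspected("example.net", reply, history))
```
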



The problem is that you don't send to the destination SMTP server. You send to your SMTP server. That goes at least one hop via SMTP and eventually ends up on the destination's domain server.

So even if I set up and host my own SMTP server, and even if I verify the TLS certs on my side, I have no way to verify that I'll get (1) a TLS connection (2) with an authenticated cert all the way to the ultimate destination.

It's beyond my control to ensure that I'm secured when emailing to an arbitrary domain with arbitrary configuration.


It's quite likely however that Lavabit, being a service that focusses on privacy, delivers enough emails directly to the target server over a secure protocol to cause problems for the NSA in this investigation.


The problem is that all of the people you correspond with use gmail, which participates in PRISM. No amount of transport encryption or storage encryption on your own end will stop Google from sharing that data with US authorities.


Well anything that hits an MTA or MDA and sits in a queue somewhere on rust is liable to be snagged. That's usually every host between you and the destination MUA.

The whole protocol and mail delivery system is fucking hopeless.

As an ex-ISP mail architect and ex-operations guy, I hope the whole existing email protocol suite and architecture dies in a fire.


The problem is that, left to market forces, we would end up with an email solution that looks like (or is) Facebook.


I'd rather we stopped talking electronically than ended up with Facebook.


Your username combined with your claimed former work experience is utterly hilarious--thank you for the levity in this dark time.


The name came after many years of filling in paperwork :)


"Participates" is the wrong characterisation; they are under the jurisdiction of FISA orders, and if the NSA wants to call that PRISM, it's their business. Also worth mentioning is that providers in non-US countries are subject to their respective country's surveillance efforts, so either way it's a red herring argument.


"Participates" is a perfectly acceptable word for silently complying with a law. Especially for an international company that could have changed jurisdiction of the relevant servers.


"Participates" is not at all an acceptable word for actions taken under duress, and for an international company, changing jurisdiction of the relevant servers would have made no difference whatsoever. As long as your flesh-and-blood body is located in the US, or in a country that chooses to enforce US law in such matters (or will ever be so located in the future, even for a stopover on an international flight), your servers could be on the moon for all it matters; you still have to obey the government.


There are different levels of duress. Nobody pointed a gun at Google. They could have refused if they truly wanted to.

Can the US serve a warrant to a server in Europe run by Europeans? I was assuming the answer was no, in which case you don't need to violate any laws or worry about repercussions.



