Lawyers for Lavabit, a recently-shuttered email service once used by Edward Snowden, told a federal appeals court this week that the government had no reason to request from the company a code that could unlock the encrypted messages of its 410,000 users.
Starting last June, Lavabit owner Ladar Levison unwittingly became entwined in a complicated legal case when the Federal Bureau of Investigation obtained a pen register order requiring him to let the FBI install a wiretap device on his servers to record and store information about one of his company’s nearly half-a-million customers, widely presumed to be the now-notorious former intelligence contractor. And although much of the ordeal is to this day still under seal, on Tuesday his attorneys argued publicly before the Fourth Circuit Court of Appeals in Richmond, Virginia that a civil contempt order waged against Levison should be rejected because the government unjustly compelled him to surrender his website’s master encryption keys.
Because the customer in question had opted in to Lavabit’s encrypted email function, the information sought by the government was impossible to acquire using ordinary methods. Levison complied with the pen register order nonetheless, but the metadata being logged by the FBI proved to be unusable and quickly prompted them to demand the SSL (Secure Sockets Layer) keys that encrypted all data going in and out of the website’s servers. The architecture of the SSL protocol as well as the nature of his custom-built site made it arguably impossible for Levison to provide unencrypted data using just a standard wiretap, but because the FBI’s request also provided that he furnish the government with the “technical assistance necessary” to fulfil their demands, the government said he’d have to surrender the SSL keys as well and in turn compromise the privacy of each and every user.
When the pen register wouldn’t work, the feds returned with a subpoena for the keys. And when Levison didn’t immediately comply, they came back with a search warrant. Levison’s lawyers are now challenging the lawfulness of those requests for the keys, saying they were not valid.
“[T]o comply with the government’s subpoena would have either required Lavabit to perpetrate a fraud on its customer base or shut down entirely. That is the key point, and the resulting harm goes far beyond a mere inconvenient search for records,” his counsel claimed when the appeal was first filed in October. “The Fourth Amendment insists that a warrant name particular things to be searched; a warrant that permits open-ended rummaging through all of Lavabit’s communications data is simply a modern-day writ of assistance, the sort of general warrant that the Fourth Amendment was ratified to forbid.”
An earlier offer made by Levison to personally log data about that particular target should have sufficed, his attorneys said during oral arguments Tuesday, and the FBI should have been satisfied with that option without effectively compromising the privacy of all Lavabit customers by having a federal judge demand the SSL keys.
“The offer was basically, ‘I will record this data. I have a tool that can transmit it to your servers and I can do it either at the end of the period or so that it’s more frequent than that,’” Lavabit attorney Ian Samuel recalled in court this week. “The company in this case offered the United States all of the information that the United States was seeking — all of it — and it did it in a way that would have protected the privacy of hundreds of thousands of innocent people as well,” he said.
But “That isn’t what they were ordered to provide,” one judge responded. “They were ordered to install a pen register and a tracking device which provided unencrypted data.” Levison agrees that this means giving up the SSL keys, but at what cost? When his attorney time and time again argued that sacrificing the keys would render the whole site insecure, Judges Paul V. Niemeyer, Roger L. Gregory and G. Steven Agee appeared befuddled by the technological aspects involved, and along with lawyers representing both Lavabit and the government struggled to make sense of the science behind intercepting encrypted emails.
“I’m no technologist, your honor,” attorney Andrew Peterson for the government admitted at one point, later claiming he could only “assume” that it was possible for Lavabit to decrypt data in real-time to be logged on-the-fly by the FBI — which tech experts dispute.
Levison eventually relented to the government’s requests for his site’s SSL keys while the first of the now-ongoing Snowden leaks began to surface, but only after several weeks of back-and-forth with investigators that ended with him being fined $10,000 and the court claiming he was in contempt for not cooperating sooner. When he eventually complied with their requests last August, Levison immediately shut down his site to protect the privacy of his customers whose accounts had been compromised by giving up the keys. A gag order in place at the time prevented him from disclosing even the existence of the investigation to his customers, though, and he instantly cut off access to the accounts of each and every one of his customers to, as he put it then, avoid being complicit in “crimes against the American people.”
The civil contempt order lobbed at Levison for failing to initially provide that assistance is what is now before the Fourth Circuit, but the other, much greater underlying issues at hand may never be resolved in a court of law. When Samuel raised the issue of protecting the privacy of Lavabit’s entire client base repeatedly during Tuesday’s meeting, the appellate judges routinely said that wasn’t at issue.
“We’re only here,” Judge Leon said at one point, “because of [Lavabit’s] refusal to do what the initial request was — which was the pen register. The encryption key became a red herring.”
“There is such willingness and a desire to argue about secret keys being provided,” another judge added, “…and the government’s going to take full advantage of that and spy on everybody. What was ordered here was with respect to a particular target to provide unencrypted data pursuant to that order.”
“And even when they asked for the key,” the court claimed at one point, “they only wanted to use it and were only authorized to use it in connection with a particular target.”
As is evident from what have become routine news articles of late, though, Lavabit’s fear about government surveillance is indeed a legitimate one. Disclosures about the National Security Agency’s contentious operations continue to surface more than seven months after Mr. Snowden’s first revelations, and a recent story about a former competitor has revealed that very recently the US government relied on a court order to collect emails used later in unrelated investigations. As RT reported last week, the FBI seized all servers used by the company TorMail in 2013 pursuant to a separate investigation overseas. When the government wanted to get a copy of a single TorMail customer’s emails several months later, they didn’t bother to ask the company — they just had a judge allow them to search the trove of messages they had already taken into possession.
Lavabit now has the unique opportunity to establish a precedent to determine what the FBI can and can’t order an internet company to do, but those following the case closely fear this week’s comments from the court suggest the Department of Justice isn’t quite ready to weigh in on such matters.
“As this case unfortunately demonstrates, our judicial system is not always well-suited to addressing complex, cutting-edge technical issues,” Brian Hauss of the ACLU’s Speech, Privacy, and Technology Project told RT’s Andrew Blake this week. “Judges, of course, work very diligently to educate themselves about the disputes they are called upon to resolve, but without a technical background it is often difficult to sensibly address the important technical issues that are now coming before our courts.”
Chris Soghoian, the principal technologist at the same ACLU office, tweeted on Thursday that Tuesday’s oral arguments were “terrifying,” and that “The court desperately needed to hear from someone technical.”