Lawyers for Lavabit, a recently-shuttered email service once used by Edward Snowden, told a federal appeals court this week that the government had no reason to request from the company a code that could unlock the encrypted messages of its 410,000 users.
Starting last June, Lavabit owner Ladar Levison unwittingly became entwined in a complicated legal case when the Federal Bureau of Investigation obtained a pen register order requiring him to let the FBI install a wiretap device on his servers to record and store information about one of his company’s nearly half-a-million customers, widely presumed to be the now-notorious former intelligence contractor. And although much of the ordeal is to this day still under seal, on Tuesday his attorneys argued publically before the Fourth Circuit Court of Appeals in Richmond, Virginia that a civil contempt order waged against Levison should be rejected because the government unjustly compelled him to surrender his website’s master encryption keys.
Because the customer in question had opted-in to Lavabit’s encrypted email function, the information sought by the government was impossible to acquire using ordinary methods. Levison complied with the pen register order nonetheless, but the metadata being logged by the FBI proved to be unusable and quickly prompted them to demand the SSL (Secure Socket Layer) keys that encrypted all data going in and out of the website’s servers. The architecture of the SSL protocol as well as his nature of the custom-built site made it arguably impossible for Levison to provide unencrypted data using just a standard wiretap, but because the FBI’s request also provided he furnish the government with the “technical assistance necessary” to fulfil their demands, the government said he’d have to surrender the SSL keys as well and in turn compromise the privacy of each and every user.
When the pen register wouldn't work, the feds returned with a subpoena for the keys. And when Levison didn't immediately comply, they came back with a search warrant. Levison's lawyers are now fighting to appeal the lawfullness of those requests for the keys by saying they were not valid.
"[T]o comply with the government’s subpoena would have either required Lavabit to perpetrate a fraud on its customer base or shut down entirely. That is the key point, and the resulting harm goes far beyond a mere inconvenient search for records," his counsel claimed when the appeal was first filed in October. “The Fourth Amendment insists that a warrant name particular things to be searched; a warrant that permits open-ended rummaging through all of Lavabit's communications data is simply a modern-day writ of assistance, the sort of general warrant that the Fourth Amendment was ratified to forbid,"
An earlier offer made by Levison to personally log data about that particular target should have sufficed, his attorneys said during oral arguments Tuesday, and the FBI should have been satisfied with that option without effectively compromising the privacy of all Lavabit customers by having a federal judge demand the SSL keys.
“The offer was basically, ‘I will record this data. I have a tool that can transmit it to your servers and I can do it either at the end of the period or so that it’s more frequent then that,’” Lavabit attorney Ian Samuel recalled in court this week. “The company in this case offered the United States all of the information that the United States was seeking — all of it — and it did it in a way that would have protected the privacy of hundreds of thousands of innocent people as well,” he said.
But “That isn’t what they were ordered to provide,” one judge responded. “They were ordered to install a pen register and a tracking device which provided unencrypted data.” Levison agrees that this means giving up the SSL keys, but at what cost? When his attorney time and time again argued that sacrificing the keys would render the whole site insecure, Judges Paul V. Niemeyer, Roger L. Gregory and G. Steven Agee appeared befuddled by the technological aspects involved, and along with lawyers representing both Lavabit and the government struggled to make sense of the science behind intercepting encrypted emails.
“I’m no technologist, your honor,” attorney Andrew Peterson for the government admitted at one point, later claiming he could only “assume” that it was possible for Lavabit to decrypt data in real-time to be logged on-the-fly by the FBI — which tech experts dispute.
Levison eventually relinquished to the government’s requests for his site’s SSL keys while the first of the now-ongoing Snowden leaks began to surface, but only after several weeks of a back-and-forth with investigators that ended with him being fined $10,000 and the court claiming he was in contempt for not cooperating sooner. When he eventually complied with their requests last August, Levison immediately shut-down his site to protect the privacy of his customers whose accounts had been compromised by giving up the keys. A gag-order in place at the time prevented him from disclosing even the existence of the investigation to his customers, though, and instantly he eroded access to the accounts of each and every one of his customers to, as he put it then, avoid being complicit in “crimes against the American people.”
The civil contempt order lobbed at Levison for failing to initially provide that assistance is what is now before the Fourth Circuit, but the other, much greater underlying issues at hand, may never be resolved in a court of law. When Samuel raised the issue of protecting the privacy of Lavabit’s entire client base repeatedly during Tuesday’s meeting, the appellate judges routinely said that wasn’t at issue.
“We’re only here,” Judge Leon said at one point, “because of [Lavabit’s] refusal to do what the initial request was — which was the pen register. The encryption key became a red herring.”
“There is such willingness and a desire to argue about secret keys being provided,” another judge added, “…and the government’s going to take full advantage of that and spy on everybody. What was ordered here was with respect to a particular target to provide unencrypted data pursuant to that order.”
"And even when they asked for the key," the court claimed at one point, "they only wanted to use it and were only authorized to use it in connection with a particular target."
As evident by what has become routine news articles as of late, though, Lavabit’s fear about government surveillance is indeed a legitimate one. Disclosures about the National Security Agency’s contentious operations continue to surface more than seven months after Mr. Snowden’s first revelations, and a recent story about a former competitor has revealed that very recently the US government relied on a court order to collect emails used later in unrelated investigations. As RT reported last week, the FBI seized all servers used by the company TorMail in 2013 pursuant to a separate investigation overseas. When the government wanted to get a copy of a single TorMail customer’s emails several months later, they didn’t bother to ask the company — they just had a judge allow them to search the trove of messages they had already taken into possession.
Lavabit now has the unique opportunity to establish a precedent to determine what the FBI can and can’t order an internet company to do, but those following the case closely fear this week’s comments from the court suggest the Department of Justice isn’t quite ready to weigh in on such matters.
“As this case unfortunately demonstrates, our judicial system is not always well-suited to addressing complex, cutting-edge technical issues,” Brian Hauss of the ACLU’s Speech, Privacy, and Technology Project told RT’s Andrew Blake this week. “Judges, of course, work very diligently to educate themselves about the disputes they are called upon to resolve, but without a technical background it is often difficult to sensibly address the important technical issues that are now coming before our courts.”
Chris Soghoian, the principal technologist at the same ACLU office, tweeted on Thursday that Tuesday’s oral arguments were “terrifying,” and that “The court desperately needed to hear from someone technical.”
This Lavabit oral argument is terrifying. The court desperately needed to hear from someone technical. MP3: http://t.co/63wJ9F0sY6
— Christopher Soghoian (@csoghoian) January 30, 2014
“It is disappointing that the technical details of SSL encryption were not clearly discussed at oral argument,” added Hauss, who entered a friend-of-the-court brief last year on behalf the ACLU in support of Lavabit. “Hopefully, the judges will take care to research that issue before writing their opinion. Otherwise, there is a danger that the opinion could have unintentional and wide-ranging implications on the internet’s security infrastructure.”
In the meantime, though, there are other repercussions that could soon become reality pending the Fourth Circuit’s decision. When Peterson was asked if the DOJ was interested in charging Levison with obstruction of justice for shutting down his site before intelligence could be collected, he said that the “The government has not taken any action at this point related to that.”
“It would be deeply troubling if the government ultimately changed course and pursued such charges,” Hauss told RT. “Information service providers, like Lavabit, are under no obligation to make their services amenable to government wiretaps. And if a business owner would rather shut down his service than operate that service in a manner contrary to his deeply held beliefs, he should have the right to do so.”
“If the government were to start coercing internet service providers to fundamentally undermine their services, on pain of obstruction of justice charges, I think a lot of companies would respond by either shutting down or designing services that are effectively impossible to wiretap in any way,” he said. “That would be a tremendous waste of resources, and it would effectively prevent law enforcement from getting even the targeted information it needs to build a case. That’s why it’s so important for the government to show restraint when coercing service providers to assist in its investigations."
Until the Fourth Circuit reaches a decision, the appellate panel will continue to consider whether or not it was unlawful for Levison to be charged with contempt for not handing over his encryption keys to comply with a pen register order. And according to one of the judges, the case may very well warrant further discussion.
“Wouldn’t it be appropriate that this this case should at least be remanded to the district court to get a fair hearing as to why this was or was not contentious activity or conduct?” Judge Gregory asked at one point.