The Federal Bureau of Investigation secretly obtained a court order compelling Lavabit, the email service used by National Security Agency whistleblower Edward Snowden, to hand over its private SSL key, thereby allowing the FBI to monitor Lavabit's users.
The FBI order was handed down on July 16, according to Wired, shortly after Lavabit refused to bypass the company’s internal security systems to facilitate a government request asking the email provider to trace the internet IP address of an individual user.
Government documents indicate that the FBI sent Lavabit a so-called “pen register” order on June 28, forcing the Texas-based company to record the connection information belonging to a particular user each time that user logged in to check his or her email. Lavabit was then required to turn that data over to the government.
The pen register came down just weeks after the first Snowden leaks were published in the Guardian and The Washington Post. Among the unveiled programs was PRISM - a massive electronic data mining program employed to collect and store communication data extracted from internet companies including Google, Facebook, Microsoft, and others.
While the identity of the FBI’s Lavabit target was not disclosed in the filings, the suspect is described as having committed violations under the Espionage Act, indicating with near certainty that Snowden was the motivating factor.
The June 28 order, as seen by Wired, required Lavabit to turn over all “technical assistance necessary to accomplish the installation and use of the pen/trap device.”
When the company - which is now embroiled in a court battle with the government - refused to comply, authorities filed a motion to compel, saying the single user “enabled Lavabit’s encryption services, and thus Lavabit would not provide the requested information.”
“The representative of Lavabit indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to ‘defeat its own system,’” the order went on.
Prosecutors soon asked that founder Ladar Levison and Lavabit be held in contempt “for its disobedience and resistance to these lawful orders.” A search warrant was issued demanding “all information necessary to decrypt communications sent to or from the Lavabit email account [redacted] including encryption keys and SSL keys.”
A search warrant and SSL key would grant the government unobstructed access to Lavabit’s servers, and a court informed Levison that he would be fined $5,000 each day he refused to hand over the necessary information.
“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit,” Levison wrote on August 8. “After significant soul searching, I have decided to suspend operations.”
Now embroiled in a costly legal battle, Levison has already raised over $20,000 to pay the necessary legal fees. That makes up half of Levison’s goal, he said, because unfortunately “defending the constitution is expensive.”
UPDATE: Lavabit has issued a statement in response to the aforementioned revelations.
"The vast majority of the court records in Lavabit LLC’s fight for internet privacy and security are now public. Although most of the documents have been redacted, 23 court orders, pleadings, and other documents are now available to the public while the case is on appeal in the Fourth Circuit.
Lavabit was created so every law-abiding citizen has access to a secure and private email service. During an investigation into several Lavabit user accounts, the federal government demanded both unfettered access to all user communications and a copy of the Lavabit encryption keys used to secure web, instant message and email traffic. A motion to quash the search warrant was denied by Judge Claude Hilton of the U.S. District Court for the Eastern District of Virginia. Notably, Judge Hilton served on the FISA Court from 2000 through 2007. Judge Hilton subsequently issued a $5,000 per day contempt of court citation, thus forcing Lavabit to surrender their encryption keys. Ladar Levison, the owner and operator of Lavabit, then made the difficult decision to suspend operations and “limit the damage to user’s 4th amendment right to privacy.”
The statement goes on to remind users and privacy advocates that by suspending operation, Levison has come to rely on donations to fund the ongoing legal battle. It also describes how the new information about the NSA has led to a massive uptick in subscriptions.
While catering to a niche market for most of its history, the recent revelations about American surveillance efforts caused what Mr. Levison describes as a “massive increase in user registrations, usage and revenue in our final month of operation.” When the service was suspended on August 8th, it boasted over 410,000 registered users, of which approximately 10,000 were paying $8 or $16 a year for premium features like encrypted storage."