Lavabit's Fight to Protect its Customers

From the moment of his announcement, speculation has been rife. His service was known to be used by Edward Snowden, so the timing led to a general assumption that law enforcement was seeking details on Snowden's communications. Levison's refusal to give further details, and his comment that he could not legally share details, further suggested that he had been served with a national security letter (NSL), complete with a gagging order.

On 28 June he received a pen-register order that, in line with the 1979 Smith v. Maryland court case, is used by the NSA to justify metadata surveillance of American citizens. It seems that the government was after one customer in particular. The name has been redacted from court papers, but his suspected offenses are listed as espionage and theft of government property – "the exact charges that have been filed against NSA whistleblower Snowden in the same Virginia court," notes Wired.

Levison declined. On July 9, with still no co-operation from Levison, the government sought a court order compelling him to comply and threatening contempt of court. This was immediately provided by U.S. Magistrate Judge Theresa Buchanan.

But, says Wired, "A week later, prosecutors upped the ante and obtained the search warrant demanding 'all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.'" Although the government officially still wanted to monitor the one named and redacted account, compliance would have meant that all sessions between users and the site could be captured rather than just the metadata of one user.

One positive from this is that it suggests that despite NSA attempts to subvert encryption, SSL remains secure. "The fact that the NSA had to subpoena Lavabit's encryption keys demonstrates that when used effectively, certificates and keys can stand up to even the most advanced infiltration attempts," comments Jeff Hudson, CEO of Venafi.

Again Levison objected and went to court on 1 August. His attorney told the court, "We're not simply speaking of the target of this investigation. We're talking about over 400,000 individuals and entities that are users of Lavabit who use this service because they believe their communications are secure. By handing over the keys, the encryption keys in this case, they necessarily become less secure."

But the government insisted that all data other than that for the original target would be filtered out and not seen by anyone. The judge ruled for the government. But Levison still fought for his customers. Next day he handed over the SSL keys in hard copy form printed in 4-point type. 

The judge ordered a more reasonable electronic copy. Levison resisted. The judge ordered that commencing 6 August Levison would be fined $5000 per day until he provided the electronic copy. Two days later, Levison shuttered Lavabit.

His fight, however, continues, with an approach to the 4th Circuit Court of Appeals. It is an expensive process, and Levison has launched an appeal for funds. "Defending the constitution is expensive! Help us by donating to the Lavabit defense fund," he says. At the time of writing this report, the appeal has raised more than $72,000 towards its target of $96,000.

The appeal is expected to be heard by the 4th Circuit commencing 10 October 2013.
