Image 01 Image 03

Unsealed documents shed light on Lavabit case

Unsealed documents shed light on Lavabit case

You may recall that in August, the owner of secure email provider Lavabit abruptly shut down the service, leaving little indication as to why, other than a cryptic message posted at the company’s website.

Based upon limited statements made by Lavabit’s owner Ladar Levison since he shutdown the service – he has said he could not offer much detail about the case or he’d face potential charges – it seemed clear that the company was facing a government request for user data that was more than a typical law enforcement matter.  The fact that Lavabit was also an email service used by NSA leaker Edward Snowden only fueled such speculation at the time.

lavabit-header

Since then, Lavabit has struggled privately in its legal battle.  But now, at least some of that speculation is over, after a court unsealed documents in the case on Wednesday.

From the NY Times:

The full story of what happened to Mr. Levison since May has not previously been told, in part because he was subject to a court’s gag order. But on Wednesday, a federal judge unsealed documents in the case, allowing the tech entrepreneur to speak candidly for the first time about his experiences. He had been summoned to testify to a grand jury in Virginia; forbidden to discuss his case; held in contempt of court and fined $10,000 for handing over his private encryption keys on paper and not in digital form; and, finally, threatened with arrest for saying too much when he shuttered his business.

In short, Lavabit first received a request from the government in June to provide data for one of its email users (whom many still presume to be Snowden based upon the timing and the charges listed in the unsealed documents).  Because that user had enabled Lavabit’s premium secure service, Levison explained that he could not easily comply with the request because, based on Lavabit’s system, only the user is supposed to have access to the encryption key.  So the government filed a motion that compelled Lavabit to comply with the request.

Levison has said in interviews that he’d not previously had any issue with complying with standard law enforcement requests, provided there was a legitimate order to do so.  So he tried to come up with a compromise in this case, according to the NY Times.

A redacted version of that request, which was among the 23 documents that were unsealed, shows that the court issued an order July 16 for Lavabit’s encryption keys. Prosecutors said they had no intention of collecting any information on Lavabit’s 400,000 other customers. “There’s no agents looking through the 400,000 other bits of information, customers, whatever,” Jim Trump, one of the prosecutors, said at a closed Aug. 1 hearing.

But Mr. Levison said he spent much of the following day thinking of a compromise. He would log the target’s communications, unscramble them with the encryption keys and upload them to a government server once a day. The F.B.I. told him that was not enough. It needed his target’s communications “in real time,” he said.

“How as a small business do you hire the lawyers to appeal this and change public opinion to get the laws changed when Congress doesn’t even know what is going on?” Mr. Levison said.

When it was clear Mr. Levison had no choice but to comply, he devised a way to obey the order but make the government’s intrusion more arduous. On Aug 2, he infuriated agents by printing the encryption keys — long strings of seemingly random numbers — on paper in a font he believed would be hard to scan and turn into a usable digital format. Indeed, prosecutors described the file as “largely illegible.”

That last paragraph highlights the lengths to which Levison went to try and work around the circumstances.  It’s a detail that did not go unnoticed by some tech blogs, like The Verge, which ran this post with the headline, Snowden’s email provider Lavabit fought government surveillance with ultra-tiny font.

I have to admit, it was quite the creative stunt.

Not surprisingly, Levison was ordered to provide a new copy of the information, according to Wired.

“To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data,” prosecutors wrote.

The court ordered Levison to provide a more useful electronic copy. By August 5, Lavabit was still resisting the order, and the judge ordered that Levison would be fined $5,000 a day beginning August 6 until he handed over electronic copies of the keys.

On August 8, Levison shuttered Lavabit, making any attempt at surveillance moot. Still under a gag order, he posted an oblique message saying he’d been left with little choice in the matter.

Levison’s attorney argued that the company’s concern for its other customers had a lot to do with its hesitance to hand over the security keys to the government, according to Wired.

“The privacy of … Lavabit’s users are at stake,” Lavabit attorney Jesse Binnall told [Senior U. S. District Court Judge] Hilton. “We’re not simply speaking of the target of this investigation. We’re talking about over 400,000 individuals and entities that are users of Lavabit who use this service because they believe their communications are secure. By handing over the keys, the encryption keys in this case, they necessarily become less secure.”

In addition to the NY Times article, I recommend reading the Wired article in its entirety, as it provides a full account and timeline of Lavabit’s story.  The rest of that story, of course, remains to be seen.

The complete set of unsealed documents can be viewed here.

DONATE

Donations tax deductible
to the full extent allowed by law.

Comments

Levison is clearly quite creative, and a hero to boot. That original 4-point font submission to the federales really must have pissed them off.

    Elliott in reply to walls. | October 4, 2013 at 7:21 am

    Sort of like paying your taxes in pennies. Make them work for it. Unless the request stated clearly the format required and the statutory reason, what he did was legal.

      Musson in reply to Elliott. | October 4, 2013 at 7:25 am

      At this level legality has little to do with it. If the Govt wants to get you they will get you. Remember that Martha Stuart went to prison for changing the date on a post-it note.

At the bottom of Karl Denninger’s Market-Ticker post about SSH is a discussion of Perfect Forward Security.

In short, with the ssh keys and no PFS, the feds can view everybody’s email chain. With PFS, they can view one email.

Just another clear indication that we have unwittingly allowed our government the tools to take away all of what we consider to be our birthright under God, which is our freedoms. If they can “legally” deprive an individual his rights with bothering with even the flimsiest of reasons, and with a gun pointed to his head, then how are any of our “rights’ protected.
In the name of security and safety we have allowed and enabled a internal beast to grow to the point where it will devour us all. The time is past due to re-invigorate and re-establish our “Bill of Rights and our Constitution.
Mark Levine looks more like a genius every day.

Mark levin

Government has become a bunch of jack booted thugs.

    lichau in reply to OldNuc. | October 4, 2013 at 5:59 pm

    True,but not a recent thing.

    The apocryphal “boiling frog” story is relevant here–even if untrue. The frog WILL get out, if it can. Makes one wonder about the relative intelligence of frogs and humans.

This is why it’s a bad idea to engineer a backdoor into things like these, even if it’s your backdoor*. It is possible to design a protocol that does not give access to plaintext message traffic to anyone except sender and recipient, even the service providers**. This gives you deniability. If Levison had been able to demonstrate that he had no means to decrypt the message traffic then the Feds would have been stymied. I designed such a protocol many years ago (although reconstructing the details of it would take me a while.) The major hole in most cryptosystems is what we call rubber-hose cryptography. Hitting someone in their kidneys until they divulge their keys is a lot easier than factoring 800 digit numbers.

* this is something that applies to the NSA as well: if the US government can break crypto protocols there is no law of the universe that stops the Chinese government, say, from following suit.

** this is the case for most public key systems. The hard part comes in anonymising sender and receiver in transit while allowing them to reply to each other, without either one necessarily knowing who the other is.

    Post in a public board under anonymous name accessed by TOR with public-private key decryption. The only hazard is you need to know some method of flagging the person’s attention to that post (aka topic, date, codeword, etc…) otherwise they never find the message to decrypt.

    DrewCWSJ in reply to DavidG. | October 4, 2013 at 6:09 pm

    I just finished a great book, Nexus by Ramez Naam. The story is about a team of PHDs that create a drug that connects the brain directly to the internet and to other Nexus users. They designed in a back door that allows them to see and control other Nexus users. The feds find out and start a massive manhunt/torture/murder campaign to capture the team and get control of the back door. I found the story quite believable.

What is most concerning to me is the gag order. A federal judge ordering a private citizen that is being persecuted to not speak about it. That is terrifying.