Snowden leaks: Lavabit secure email chief battles on
- 31 January 2014
Lavabit, a private email service used by whistleblower Edward Snowden, has been in court appealing against a government order to hand over its encryption keys. Commentators say the case could represent a landmark for internet privacy.
In August 2013 Lavabit's owner, Ladar Levison, suspended the facility after being ordered to turn over information about one of his accounts. The name of the account's owner is unconfirmed but many reports assume it was Snowden's.
Mr Levison refused to hand the data over and met a demand to release the service's encryption keys by handing over an 11-page printout listing the keys' digits in tiny type, in effect making them unusable.
He said turning these keys over to the FBI in a usable form would compromise the security of more than 400,000 account holders, who had believed their communications to be private.
When he was threatened with daily fines until he handed over electronic copies of the keys, he instead shut the service down without warning, and issued a statement on his website saying he would not "become complicit in crimes against the American people".
He is now challenging the government's actions in court and has also joined a group called the Dark Mail Technical Alliance, which aims to develop a new encrypted email protocol.
Interview with Ladar Levison
The BBC's technology TV show Click met Mr Levison at the US 4th Circuit Court of Appeals in Richmond, Virginia.
How are you feeling about finally having your day in court?
I'm happy that for the first time the issue is being discussed in a forum that is open to the public. I'm just afraid that it may have been unsealed too late and the court may decide not to provide wisdom or guidance on the substantive issue at hand, whether or not the government has the authority to demand these SSL [secure sockets layer] encryption keys.
It is unfortunate that so much of the hearing was spent focused on the procedural issues raised by the government and not the substantive question on whether or not the government has the right to demand the SSL encryption key of a business.
It just goes to illustrate why a matter like this, one of national import, can't be adjudicated in secret if the litigant is to be given a full and fair hearing. I certainly don't think I was afforded that at the district level.
A further illustration of that is just how far off the record [it] was when it came to the technological facts of the case. And that again goes to two things.
One, the government completely refused to answer any of my questions about how they would be using the keys, how their device would function, and two, the proceedings at the district level moved with such speed and we had so little time to prepare that no witnesses were called, no questions were asked, no facts were collected that could be considered at this stage.
So, it's truly unfortunate but there still is the simple substantive question of law, whether or not the government should be allowed to collect encryption keys. And if they choose to rule on procedural grounds it could do nothing but devastate the technology sector because it would leave this issue unsettled.
What was also apparent in the hearing was the technology has advanced past the knowledge base of the judicial system.
The real issue is that the pace with which things were moving, and in some cases are still moving, has not afforded counsel for either side the adequate time to go and truly understand the technology.
And the simple fact is, unless you are an engineer or cryptographer you don't fully understand, one, how these systems work, and two, the real import of what these keys do and how they function.
I think it's interesting that they said the government has the right to collect this information without the use of an intermediary, but what about the service provider's right to communicate with his customers without the government being the intermediary?
They would say you have to trust the government.
I trust the government when they provide adequate transparency, and when I can verify that they are not abusing the authority they have been given.
I do not trust a government who operates in secret.
Why do people need services like Lavabit or Dark Mail if they have nothing to hide?
Because you shouldn't have to worry about what you're saying coming back to bite you. In a world where every communication is monitored and recorded, people no longer have the ability to speak openly and freely.
Not just about political issues, but about their own personal issues. And we've seen throughout history that when that's the case, societies become a very dark and oppressive place. And governments become rather tyrannical.
Do you think there might come a day when you have to leave the United States?
I think there may come a day when the United States is no longer associated with the word freedom in people's minds. The sad thing is that I think that I am too much of an American to abandon my country when that happens.
Can you tell us what the future holds for you and Dark Mail?
I just feel that the ability for individual law-abiding citizens to communicate privately without a fear of government surveillance is so important and the courts and the politicians so naive that the only way to ensure that we retain this ability to communicate privately is to come up with a long-term technical solution.
And that's what Dark Mail is trying to do.
They are trying to bring cryptography down to the common man. It's unfortunate but in the world today the only people who can have a secure conversation electronically are cryptographers.
The people that need to be able to communicate securely, the lawyers, the activists, the doctors, they don't know how to use the current suite of encryption technologies.
The Department of Justice's case
US government lawyers set out their defence of the FBI's actions in court documents released at the end of last year. Their central argument was as follows:
Just as a business cannot prevent the execution of a search warrant by locking its front gate, an electronic communications service provider cannot thwart court-ordered electronic surveillance by refusing to provide necessary information about its systems.
That other information not subject to the warrant was encrypted using the same set of keys is irrelevant; the only user data the court permitted the government to obtain was the data described in the pen/trap [electronic copy of the encryption keys] and the search warrant.
All other data would be filtered electronically, without reaching any human eye.
Lavabit's belief that the orders here compelled a disclosure that was inconsistent with Lavabit's "business model" makes no difference. Marketing a business as "secure" does not give one licence to ignore a District Court of the United States.
You can see more of the interview with Ladar Levison of Lavabit on this weekend's episode of Click.