Lavabit case highlights legal fuzziness around encryption rules

Defunct secure email service Lavabit argued that the government court order for encrypted email was too sweeping

While privacy advocates may see Lavabit as bravely defending U.S. privacy rights in the online world, federal judges hearing its appeal of contempt-of-court charges seem to regard the now defunct encrypted email service as just being tardy in complying with government court orders.

Attorneys from both Lavabit and the U.S. government agreed that the legal issues between them could have been resolved before heading to court, though neither party seemed to have an adequate technical answer of how Lavabit could have successfully passed unencrypted data to a law enforcement agency in order to meet the government's demands.

Three judges from the 4th U.S. Circuit Court of Appeals in Richmond, Virginia, on Tuesday heard Lavabit's appeal of a contempt-of-court ruling, which it had incurred for not turning over to the government unencrypted data of a single user, presumably Edward Snowden.

Judges Roger Gregory, Paul Niemeyer and Steven Agee presided over the hearing.

For the proceedings, the judges actively listened to and questioned the arguments of both sides, though they seemed wary of turning the case away from the specifics of why Lavabit did not comply with court orders to turn over data on one of its users, and towards the larger issues that Lavabit raised in its highly publicized defense of what scope the government should have over those parties who hold SSL (secure socket layer) keys to encrypted data.

The case had been "blown out of proportion with all these contentions," particularly around the use and possible misuse of the SSL keys, Niemeyer said. "There's such a willingness to believe" that the keys will be misused and that "the government will spy on everyone," he said.

Gregory had stated that "the encryption issue was a red herring," one that drew attention away from Lavabit's non-compliance.

The judges had noted that the case revolved around the validity of court orders, rather than the statutes that provide the basis for the court orders.

In June of last year, secure email service Lavabit was issued a court order to set up a U.S. Federal Bureau of Investigation "pen trap" in order to collect all routing data for one of its customers, thought to be Snowden. Snowden had just come to international attention for leaking classified documents from the U.S. National Security Agency. According to reports, he had used the service to alert the media of a press conference he was about to hold.

A pen trap is software that records all routing, addressing or signalling information between electronic communications, in this case email. Before the judges, Lavabit attorney Ian Samuels argued that Lavabit founder Ladar Levison agreed to set up the pen trap; the company had complied to at least one other similar court order in the past.

The FBI, however, had required the information in real time, and that the information would be unencrypted. Levison balked at these requirements. Nearly two weeks after the court order was issued, he responded by offering to set up an internal process that would unencrypt the user's communications, then send the results to the FBI at the end of 60 days. The only other alternative, he argued, would be to send the law enforcement agency the encrypted data, which would be useless.

The FBI did not agree to this approach, however, and in mid-July, issued a search warrant for Lavabit's SSL keys that would unencrypt the dispatches of interest.

This move proved to be politically explosive, however. Lavabit's SSL keys could unlock the data of all of Lavabit's users, not just the one user under scrutiny. By handing over its private SSL keys, Lavabit would potentially be making every customer's email accessible to the government.

By early August, Lavabit had capitulated and handed over the keys. Shortly after, Levison shuttered the service, stating that continuing operations for the company's 400,000 users would make him "complicit in crimes against the American people." By filing an appeal, Lavabit hopes to clear the contempt of court charge -- along with any financial penalties incurred -- and possibly restore operations.

The judges questioned Lavabit's motives, however. Niemeyer noted in the first court order, "the court is clearly intent in providing unencrypted data," and chastised Lavabit for taking so long to respond. Samuels argued that Levison, being a small business owner with no counsel on hand at the time, was slow in responding, because he was still determining the best way to comply with the court order without sacrificing the privacy of the service's other users.

Niemeyer stated that Lavabit's proposed solution to setting up a process to unencrypt the data was unacceptable, noting that "the FBI didn't want a middleman," and stating that "This is not what [Lavabit] were ordered to provide." Niemeyer also criticized Lavabit for not challenging the initial June 28 order, if it felt that order to be unreasonable.

Niemeyer also had some harsh words for the law enforcement agents on the case, suggesting that they did not work closely enough with Lavabit to overcome the technical obstacles. U.S. attorney Andrew Peterson said he did not know of any reason that Lavabit could not unencrypt the data in real time, though he personally couldn't explain to the court how that would be done.

Peterson argued on behalf of the government that the court order for the SSL keys had only been issued after it was obvious "that any trust between Lavabit and the government had broken down," by mid-July. The company had treated the court orders "like contract negotiations," he said, rather than as a legal requirement. Trust had also been eroded by the long periods of silence from Lavabit.

The judges did not seem to want to dwell on any possible Fourth Amendment issues. The ACLU has pointed out that the U.S. government possessing a set of private SSL keys that could unlock hundreds of thousands of users' emails is clearly a breach of privacy rights.

Peterson stated that the court order for the SSL keys specifically confined the law enforcement agency to only use the keys to examine the information of the one person under investigation.

The judges gave no indication of when they would return a verdict. Peterson said the government has no plans to prosecute Lavabit for obstruction of justice for shutting down its services after installing the pen trap.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is Joab_Jackson@idg.com

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags legaldata protectionencryptionCriminalLavabit

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joab Jackson

IDG News Service
Show Comments

Father’s Day Gift Guide

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?