The email service used by whistleblower Edward Snowden
refused FBI requests to "defeat its own system," according to newly
unsealed court documents.
The founder of Lavabit, Ladar Levison, repeatedly pushed
back against demands by the authorities to hand over the encryption keys to his
system, frustrating federal investigators who were trying to track Snowden's
communications, the documents show.
Snowden called a press conference on 12 July at Moscow's
international airport, using a Lavabit address. The court documents show the
FBI was already targeting the secure email service before the invite was sent.
Levison is now subject to a government gag order and has
appealed against the search warrants and subpoenas demanding access to his
service. He closed Lavabit in August saying he did not want to be
"complicit in crimes against the American people".
The court documents, unsealed on Wednesday, give the
clearest picture yet of the Lavabit case.
The documents, filed in the eastern
district court of Virginia, are redacted and do not mention Snowden by name.
But they do say the target of the FBI is under investigation for violations of
the espionage act and theft of government property – the charges that have been
filed against NSA whistleblower Snowden.
On 28 June the court authorised the FBI to install a
"pen register trap and trace device" on all electronic communications
being sent from the redacted email address, believed to be Snowden's. A pen
register would allow the FBI to record all the "metadata" from the
account including the e-mail "from" and "to" lines and the
IP addresses used to access the mailbox.
Levison said that the client had enabled encryption on his
email and that he could not access the email.
"The representative of
Lavabit indicated that Lavabit had the technical capability to decrypt the
information, but that Lavabit did not want to 'defeat [its] own system,'"
the government complained.
In July, the authorities obtained a search warrant demanding
Lavabit hand over any encryption keys and SSL keys that protected the site.
Levison was threatened with criminal contempt – which could have potentially
put him in jail – if he did not comply. Such a move would have given the
government access to all of Lavabit users' information.
In an interview with The Guardian in August, Levison said he
had complied with government requests for information relating to individual
account holders in the past. It appears that he was once again prepared to
cooperate in this case. However, the government now wanted greater access.
In a court hearing on July 16 before senior US district
court judge Claude Hilton, US prosecutor James Trump said Levison should be
fined $1,000 a day unless he complied with the order to hand over the
encryption keys.
Levison asked for the court records to be unsealed. "I
believe it's important for the industry and the people to understand what the
government is requesting by demanding that I turn over these encryption keys
for the entire service," he said.
Trump objected, saying Levison was trying to "invite
industry in and litigate as a surrogate for him the issue of whether the
encryption keys are part and parcel of the pen register order."
Levison went to court to fight the demand on August 1.
"The privacy of … Lavabit's users are at stake," Lavabit attorney
Jesse Binnall told Hilton in a closed-door hearing. "We're not simply
speaking of the target of this investigation. We're talking about over 400,000
individuals and entities that are users of Lavabit who use this service because
they believe their communications are secure. By handing over the keys, the
encryption keys in this case, they necessarily become less secure."
"Anything done by Mr Levison in terms of writing code
or whatever, we have to trust Mr Levison that we have gotten the information
that we were entitled to get since June 28th," Trump told the judge.
"He's had every opportunity to propose solutions to come up with ways to
address his concerns and he simply hasn't."
"We can assure the court that the way that this would
operate, while the metadata stream would be captured by a device, the device
does not download, does not store, no one looks at it," Trump said.
"It filters everything, and at the back end of the filter, we get what
we're required to get under the order."
"So there's no agents looking through the 400,000 other
bits of information, customers, whatever. No one looks at that, no one stores
it, no one has access to it."
"All right," said Hilton. "Well, I think
that's reasonable."
Levison handed over the SSL keys as an 11-page printout in
4-point type which the government called "illegible".
"To make use of these keys, the FBI would have to
manually input all 2,560 characters, and one incorrect keystroke in this
laborious process would render the FBI collection system incapable of
collecting decrypted data," prosecutors said.
The court ordered Levison to be fined $5,000 a day beginning
6 August until he handed over electronic copies of the keys. Two days later
Levison handed over the keys hours after he shuttered Lavabit.
He is continuing to appeal the search warrant and subpoenas
demanding access to his service.
Lavabit has raised approximately $57,000 in an online
fundraising drive to finance its appeal.