Friday, October 4, 2013

Lavabit founder refused FBI order to hand over email encryption keys


The email service used by whistleblower Edward Snowden refused FBI requests to "defeat its own system," according to newly unsealed court documents.

The founder of Lavabit, Ladar Levison, repeatedly pushed back against demands by the authorities to hand over the encryption keys to his system, frustrating federal investigators who were trying to track Snowden's communications, the documents show.

Snowden called a press conference on 12 July at Moscow's international airport, using a Lavabit address. The court documents show the FBI was already targeting the secure email service before the invite was sent.

Levison is now subject to a government gag order and has appealed against the search warrants and subpoenas demanding access to his service. He closed Lavabit in August saying he did not want to be "complicit in crimes against the American people".

The court documents, unsealed on Wednesday, give the clearest picture yet of the Lavabit case. 

The documents, filed in the eastern district court of Virginia, are redacted and do not mention Snowden by name. But they do say the target of the FBI is under investigation for violations of the espionage act and theft of government property – the charges that have been filed against NSA whistleblower Snowden.

On 28 June the court authorised the FBI to install a "pen register trap and trace device" on all electronic communications being sent from the redacted email address, believed to be Snowden's. A pen register would allow the FBI to record all the "metadata" from the account including the e-mail "from" and "to" lines and the IP addresses used to access the mailbox.

Levison said that the client had enabled encryption on his email and that he could not access the email.

"The representative of Lavabit indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to 'defeat [its] own system,'" the government complained.

In July, the authorities obtained a search warrant demanding Lavabit hand over any encryption keys and SSL keys that protected the site. Levison was threatened with criminal contempt – which could have potentially put him in jail – if he did not comply. Such a move would have given the government access to all of Lavabit users' information.

In an interview with The Guardian in August, Levison said he had complied with government requests for information relating to individual account holders in the past. It appears that he was once again prepared to cooperate in this case. However, the government now wanted greater access.

In a court hearing on July 16 before senior US district court judge Claude Hilton, US prosecutor James Trump said Levison should be fined $1,000 a day unless he complied with the order to hand over the encryption keys.

Levison asked for the court records to be unsealed. "I believe it's important for the industry and the people to understand what the government is requesting by demanding that I turn over these encryption keys for the entire service," he said.

Trump objected, saying Levison was trying to "invite industry in and litigate as a surrogate for him the issue of whether the encryption keys are part and parcel of the pen register order."

Levison went to court to fight the demand on August 1. "The privacy of … Lavabit's users are at stake," Lavabit attorney Jesse Binnall told Hilton in a closed-door hearing. "We're not simply speaking of the target of this investigation. We're talking about over 400,000 individuals and entities that are users of Lavabit who use this service because they believe their communications are secure. By handing over the keys, the encryption keys in this case, they necessarily become less secure."

"Anything done by Mr Levison in terms of writing code or whatever, we have to trust Mr Levison that we have gotten the information that we were entitled to get since June 28th," Trump told the judge. "He's had every opportunity to propose solutions to come up with ways to address his concerns and he simply hasn't."

"We can assure the court that the way that this would operate, while the metadata stream would be captured by a device, the device does not download, does not store, no one looks at it," Trump said. "It filters everything, and at the back end of the filter, we get what we're required to get under the order."

"So there's no agents looking through the 400,000 other bits of information, customers, whatever. No one looks at that, no one stores it, no one has access to it."

"All right," said Hilton. "Well, I think that's reasonable."

Levison handed over the SSL keys as an 11-page printout in 4-point type which the government called "illegible".

"To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data," prosecutors said.

The court ordered Levison to be fined $5,000 a day beginning 6 August until he handed over electronic copies of the keys. Two days later, Levison handed over the keys, hours after he shuttered Lavabit.

He is continuing to appeal the search warrant and subpoenas demanding access to his service.

Lavabit has raised approximately $57,000 in an online fundraising drive to finance its appeal.
