Saturday, October 5, 2013

Lavabit SSL keys requested by US government, reveal unsealed documents

Encrypted e-mail service Lavabit was pressured by the FBI to provide private SSL keys for all of its traffic, according to unsealed court documents that provide more details about the service's shutdown. The Texas e-mail provider's refusal to provide details about one specific account, believed to be that of NSA whistleblower Edward Snowden, forced the courts to threaten daily fines and possible imprisonment if it continued to disobey the FBI's order.

The original "pen register" request from the FBI asked that Lavabit provide "information about each communication sent or received by the account," including metadata such as the time of the message, method, source, and destination, according to Wired. Lavabit refused to comply with this June 28th order, claiming that the user had "enabled Lavabit's encryption services" and so compliance would not be possible. Magistrate Judge Theresa Buchanan ordered Lavabit to comply with the pen register request, under threat of criminal contempt.

By July 9th, prosecutors asked for the company and founder Ladar Levison to be held in contempt for disobeying the orders. One week later, a search warrant was obtained, requesting "all information necessary to decrypt communications sent to or from the Lavabit e-mail account" owned by the user, "including encryption keys and SSL keys." Because a server's private SSL key can be used to decrypt its recorded TLS traffic (unless the sessions were negotiated with forward secrecy), and because Lavabit used the same keys for every user rather than per-account keys, this second request would have allowed the FBI to decrypt and monitor all Lavabit traffic, not just the target account's, though the unsealed documents state that the government intended to collect only the same metadata.

At a closed-door court appearance on August 1st, Lavabit fought the new order, claiming that the privacy of "over 400,000 individuals and entities" was at stake; Levison was seemingly willing to comply with the first order rather than the second, potentially more damaging version. The US government insisted on the second, claiming Levison had "every opportunity to propose solutions to come up with ways to address his concerns," and assuring the court that the captured traffic would be filtered so that only the data it required would be collected.

Senior US District Court Judge Claude M. Hilton for the Eastern District of Virginia ruled in favor of the US government, and denied Lavabit's request to unseal records, citing an ongoing criminal investigation. Levison complied with the order by printing the private SSL keys onto 11 pages in 4-point type, but this was deemed "illegible," and Levison was compelled to provide something usable. On August 5th, the judge ruled that, unless Levison provided the keys in usable form, he would be fined $5,000 each day from August 6th onwards. Lavabit closed on August 8th.

Levison has responded to the unsealing of the documents, maintaining that the government has "no legal basis for demanding its confidential information," and that the proposed access "far exceeded the authority given to investigators by the pen trap and trace laws enacted by Congress." Since the shutdown, donations to the Lavabit Legal Defense Fund have reached $150,000, though Levison advises that at least $250,000 would be needed if the case reaches the Supreme Court.

Shortly after Lavabit suspended operations, legal blog Groklaw also shut down, citing the potential monitoring of e-mail by the NSA. Another encrypted e-mail provider, Silent Circle, stopped offering its Silent Mail service, citing the fear that it could face legal demands similar to those made of Lavabit.
