
FBI Case Against Lavabit Secure Email Affects Everyone's Privacy


"I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations."

So wrote Ladar Levison, owner of the Dallas-based secure email service known as Lavabit, when he abruptly shuttered the company on Aug. 8.

In his post, which is still up at Lavabit.com, Levison said legal restrictions prevented him from going into further detail.

Readers guessed the shutdown had something to do with National Security Agency (NSA) contractor-turned-leaker Edward Snowden, who was known to have used Lavabit.


That guess was confirmed Oct. 2, when a federal judge declassified court papers related to the Lavabit case.

The documents paint a picture of the legal powers the U.S. government can use to gain access to supposedly private data, throwing into question what kind of privacy rights, if any, American citizens can expect on the Internet.

"[The case] tells me that you pretty much cannot guarantee security," said Matthew Green, an assistant research professor at the Johns Hopkins Information Security Institute. "If [the government] has access to customers' data, then there is more or less nothing you [the company] can do to guarantee the security of that data."

The FBI's initial demand

The declassified documents reveal that the FBI first approached Levison in May, before the first leaked documents were published by The Guardian and The Washington Post on June 6. This was also around the time that Snowden left Hawaii — where he had worked as a private contractor for the NSA — for Hong Kong.

A June 28 warrant required Lavabit to record all metadata associated with email messages to and from a certain user and to hand that metadata over to the FBI. Metadata shows whom a message is being sent to, the time of delivery and other information.

The name of the "certain user" in question was redacted from the declassified documents. But the alleged crimes cited in the warrant match those Snowden has been charged with committing.

Levison had complied with federal warrants targeting individual users before. But in this case, the specified user had purchased Lavabit's highest security offering, which meant that all metadata concerning that user's messages was encrypted using a key that the user alone — not Levison — possessed.

Message metadata still has to be temporarily decrypted for an email service to actually send the message — Lavabit can't send its users' emails if it doesn't know where to send them — but Lavabit didn't store that information after using it.

That means Lavabit had nothing to give the FBI.

The nuclear option

So the FBI came back with a second, broader warrant demanding "all information necessary to decrypt the communications sent to or from the Lavabit email account [redacted] including encryption keys and SSL keys."

SSL, short for Secure Sockets Layer, is a security protocol for encrypting Web traffic. Secure websites use SSL to encrypt data so that, to outside observers, data including credit card info and emails looks like a stream of random characters.

The FBI's second warrant marked a huge jump from requesting the metadata of an individual user. The agency would have gained the ability to read the metadata of not just one, but all Lavabit users.

Lavabit's business model was based on providing encrypted email. Levison couldn't give the site's keys to the FBI without undermining his company's entire reason for existence.

"This may not be obvious to casual observers, but to crypto geeks, compelling a company to hand over encryption keys is the nuclear option," tweeted security researcher Christopher Soghoian, a senior policy analyst at the Speech, Privacy and Technology Project of the American Civil Liberties Union.
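
Added example (not from the article or from Lavabit): a toy model of why a single server SSL key covers every user, assuming a key exchange in which each client encrypts its session key to the server's public key. The RSA parameters, stream cipher and sample addresses are constructed for illustration and are not secure.

```python
import hashlib
import secrets

# Toy textbook RSA (two Mersenne primes, no padding): illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q                                  # public modulus, sent to every client
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent: "the SSL key"

def keystream_xor(session_key: int, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(session_key || offset)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(
            session_key.to_bytes(16, "big") + i.to_bytes(4, "big")
        ).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def client_session(metadata: bytes) -> dict:
    """Return what a passive observer on the wire records for one connection."""
    session_key = secrets.randbits(128)    # fresh per connection, per user
    return {
        "wrapped_key": pow(session_key, E, N),   # only the server key opens this
        "ciphertext": keystream_xor(session_key, metadata),
    }

def decrypt_recorded(record: dict, private_exponent: int) -> bytes:
    """Anyone holding the server's private key can unwrap any session key."""
    session_key = pow(record["wrapped_key"], private_exponent, N)
    return keystream_xor(session_key, record["ciphertext"])

def demo() -> dict:
    # Constructed sample metadata for two unrelated users of the same server.
    recorded = {
        "alice": client_session(b"MAIL FROM:<alice@example.com> RCPT TO:<bob@example.org>"),
        "carol": client_session(b"MAIL FROM:<carol@example.com> RCPT TO:<dave@example.org>"),
    }
    # The same private exponent opens both users' sessions.
    return {user: decrypt_recorded(rec, D) for user, rec in recorded.items()}

if __name__ == "__main__":
    for user, plaintext in demo().items():
        print(user, plaintext.decode())
```

Every session uses a different random key, yet each one is recoverable with the one private value `D`, which is why the key cannot be scoped to a single account.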

  • 3 Hide
    jakjawagon , October 9, 2013 5:39 AM
    "His initial submission of the SSL key came in the form of a multipage printout in tiny text."

    Brilliant. The equivalent of paying your bill in pennies.
  • 4 Hide
    f-14 , October 9, 2013 7:19 AM
    Martin Niemöller (1892-1984) was a prominent Protestant pastor who emerged as an outspoken public foe of Adolf Hitler and spent the last seven years of Nazi rule in concentration camps.

    Niemöller is perhaps best remembered for the quotation:

    First they came for the Socialists, and I did not speak out--
    Because I was not a Socialist.

    Then they came for the Trade Unionists, and I did not speak out--
    Because I was not a Trade Unionist.

    Then they came for the Jews, and I did not speak out--
    Because I was not a Jew.

    Then they came for me--and there was no one left to speak for me.
  • 0 Hide
    aphorise , October 9, 2013 5:24 PM
    I think the print is more in favor logical than lack of corporation - it would make less sense to transmit SSL certificates over non-secure channels (e-mail or whatever) - physical 1:1 exchange is the only way in which it can remain out of electronic storage.
  • 0 Hide
    bhglennie , October 10, 2013 9:25 AM
    Did Research in Motion (RIM), now Blackberry, come under attack after it was declared the most secure phone a few years ago? I know that Apple, Samsung, Nokia and others rather than improve their security (for reasons of profitability supposedly) went on a campaign to destroy RIM's reputation. When Wall St got involved, 'experts' denounced the Blackberry phone, and drove down the stock price.
    I guess 'free enterprise' lost out to the huge monopolies, and possibly the U.S. security complex - NSA, CIA, FBI, and others.