Skip to main content

FBI Case Against Lavabit Secure Email Affects Everyone's Privacy

Lavabit's Court Case Declassified: FBI Went for the 'Nuclear Option'

"I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations."

So wrote Ladar Levison, owner of the Dallas-based secure email service known as Lavabit, when he abruptly shuttered the company on Aug. 8.

In his post, which is still up at Lavabit.com, Levison said legal restrictions prevented him from going into further detail.

Readers guessed the shutdown had something to do with National Security Agency (NSA) contractor-turned-leaker Edward Snowden, who was known to have used Lavabit.

MORE: 13 Security and Privacy Tips for the Truly Paranoid

That guess was confirmed Oct. 2, when a federal judge declassified court papers related to the Lavabit case.

The documents paint a picture of the legal powers the U.S. government can use to gain access to supposedly private data, throwing into question what kind of privacy rights, if any, American citizens can expect on the Internet.

"[The case] tells me that you pretty much cannot guarantee security," said Matthew Green, an assistant research professor at the Johns Hopkins Information Security Institute. "If [the government] has access to customers' data, then there is more or less nothing you [the company] can do to guarantee the security of that data."

The FBI's initial demand

The declassified documents reveal that the FBI first approached Levison in May, before the first leaked documents were published by The Guardian and The Washington Post on June 6. This was also around the time that Snowden left Hawaii — where he had worked as a private contractor for the NSA — for Hong Kong.

A June 28 warrant required Lavabit to record all metadata associated with email messages to and from a certain user and to hand that metadata over to the FBI. Metadata shows whom a message is being sent to, the time of delivery and other information.

The name of the "certain user" in question was redacted from the declassified documents. But the alleged crimes cited in the warrant match those Snowden has been charged with committing.

Levison had complied with federal warrants targeting individual users before. But in this case, the specified user had purchased Lavabit's highest security offering, which meant that all metadata concerning that user's messages was encrypted using a key that the user alone — not Levison — possessed.

Message metadata still has to be temporarily decrypted for an email service to actually send the message  — Lavabit can't send its users' emails if it doesn't know where to send them — but Lavabit didn't store that information after using it.  

That means Lavabit had nothing to give the FBI.

The nuclear option

So the FBI came back with a second, broader warrant demanding "all information necessary to decrypt the communications sent to or from the Lavabit email account [redacted] including encryption keys and SSL keys."

SSL, short for Secure Socket Layer, is a security protocol for encrypting Web traffic. Secure websites use SSL to encrypt data so that, to outside observers, data including credit card info and emails looks like a stream of random characters.

The FBI's second warrant marked a huge jump from requesting the metadata of an individual user. The agency would have gained the ability to read the metadata of not just one, but all Lavabit users.Lavabit's business model was based on providing encrypted email. Levison couldn't give the site's keys to the FBI without undermining his company's entire reason for existence.

"This may not be obvious to casual observers, but to crypto geeks, compelling a company to hand over encryption keys is the nuclear option," tweeted security researcher Christopher Soghoian, a senior policy analyst at the Speech, Privacy and Technology Project of the American Civil Liberties Union.