PJ Vogt is on Twitter here. If you'd like to subscribe to TLDR's short weekly podcast, please go here.
The Owner of An Encrypted Email Service Says "No" to the FBI (In a tiny, tiny font)
Thursday, October 03, 2013 - 11:00 AM
Yesterday, a federal judge unsealed records from the case of Lavabit, the privacy-first email service used by Edward Snowden, versus the government. It's a compelling read, and it's a rare story because it shows a company refusing to comply with demands to give up a customer's privacy.
Back in late June, the FBI asked Lavabit founder Ladar Levison for access to the metadata for an account that was almost certainly Snowden's. Levison refused, which began a behind-closed-doors fight between him and the government that lasted until August. First, Levison was threatened by the judge with criminal contempt. Then, when he agreed to comply with the initial request, the FBI asked for more data. Rather than just metadata, which would've shown who Snowden was talking to and where he was, they wanted Lavabit's SSL keys. With those, the FBI could eavesdrop on all of Lavabit's email traffic. The FBI told the judge that while they'd have the capacity to spy on the data of any of Lavabit's 400,000 users, they just wouldn't do that. From Wired:
“We can assure the court that the way that this would operate, while the metadata stream would be captured by a device, the device does not download, does not store, no one looks at it,” [Prosecutor James] Trump said. “It filters everything, and at the back end of the filter, we get what we’re required to get under the order.”
“So there’s no agents looking through the 400,000 other bits of information, customers, whatever,” Trump added. “No one looks at that, no one stores it, no one has access to it.”
The judge ordered Levison to hand over the key, and he did. Kind of. He printed out the encryption key on 11 pages of 4-point type, so that it would be useless and illegible. The court ordered a more useful copy, and said they'd fine Lavabit $5,000 every day he refused. And so on August 8th, Levison shut down his company rather than comply.
One of the emerging themes this week is that the technology that's supposed to protect our privacy is only as reliable as the human beings responsible for it. In the case of Lavabit, Levison went much further than most people in his position would to protect his users. And because the entire case was under a gag order until yesterday, he did it out of the public eye. He'll be back in appeals court this month.