How Lavabit, Snowden's Email Provider, Punked The Government

The Edward Snowden scandal is far from over. One of the latest developments involves Lavabit, the pro-privacy e-mail company that Snowden allegedly used to communicate his leaks of classified information. New court documents published by Wired's Kevin Poulsen show that the federal government demanded that Lavabit turn over encrypted information on its 400,000 users as part of its investigation. While Snowden was not named in the search warrant issued to Lavabit in July, "the offenses under investigation are listed as violations of the Espionage Act and theft of government property — the exact charges that have been filed against NSA whistleblower Snowden in the same Virginia court," writes Poulsen. The feds demanded that Lavabit compromise its own security in order to provide this information. But, Lavabit has not exactly complied.

While most email providers could easily hand over the information requested by the government, Lavabit encrypts all of its email messages with SSL keys known only to its paying customers. The government was not seeking individual messages, but instead only the "to" and "from" lines, along with the IP addresses used to log in to a user's mailbox, which it requested with a "pen register" order — similar to a wiretap order, but with much less evidence necessary. "Because they provide only metadata, pen register orders can be obtained without 'probable cause' that the target has committed a crime," writes Poulsen. Still, Lavabit would have had to essentially defeat its own encryption system and compromise the privacy of all its users in order to comply.

Lavabit wasn't having any of that. Instead, its founder, Ladar Levison, employed every tactic to avoid giving the government this information. When he initially claimed it couldn't be done, he was threatened with criminal contempt by a federal judge. He was then ordered to provide all of the information necessary to decrypt the wanted data. The prosecutor in the case told the court that users shouldn't worry, and that only essential information would be captured. "So there are no agents looking through the 400,000 other bits of information, customers, whatever," he said. But, that's hardly comforting to people who pay for privacy.

When the court sided with the government, Levison decided to play dumb. He provided all of the private SSL keys the following day — on an 11-page printout, in four-point font. The government was not amused, calling the document "illegible."

“To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data,” prosecutors complained.

Levison did not provide an electronic copy. Instead, he shuttered Lavabit on August 8, because he refused "to become complicit in crimes against the American people," he wrote on the site. But, his role is far from over — he still faces court appeals and is asking for donations to help him fund his case in the 4th Circuit Court of Appeals. If you want to support Lavabit's cause, check it out its campaign here. (Wired)
lavabitPhoto: Via Wired.