
Oct 3, 2013

Lavabit got order for Snowden’s login info, then gov’t demanded site’s SSL key

Had e-mail provider given up key, all users' data would have been compromised. 

The American government obtained a secret order from a federal judge in Virginia demanding that Lavabit hand over its private SSL key, enabling authorities to access Edward Snowden’s e-mail, and e-mail belonging to Lavabit's 400,000 other users as well. That sealed order, dated July 10, 2013, was first published on Wednesday by Wired reporter Kevin Poulsen.
A judge at the Fourth Circuit Court of Appeals, where the case is currently being heard, unsealed the set of court documents on Wednesday.
Lavabit, the Texas-based e-mail provider, provided secure e-mail services to thousands of people, including Snowden, the former National Security Agency contractor. Neither Ladar Levison, the owner of the shuttered e-mail service, nor his attorney, Jesse Binnall, immediately responded to Ars’ request for comment. However, Ars also received a copy of the unsealed documents from the Lavabit defense team.
The new 162-page set of documents shows that Lavabit was first served with a "pen register" and "trap and trace device" order, which would require the handover of one of its users’ login details. As Lavabit encrypts those details, that wouldn't have done much good for the government's case. Indeed, Levison told the court in a July 16 hearing that he had "always agreed to the installation of the pen register devices," as they would have yielded almost zero useful data.
"Pen/trap devices" have become standard operating procedure for law enforcement officials in recent years. If Lavabit hadn't encrypted the information, using one of the devices would have given the authorities all header information from Snowden’s account, IP addresses, date and time information, among other things.

Key to the kingdom

Lavabit was then served with a search warrant for the SSL private key and a wiretap, which requires a notably higher legal standard than the previous court order for the pen register. By July 9, prosecutors asked the court to hold Levison in contempt of court, and he continued to resist, arguing that by handing over the key, he would be compromising the security of all users.
In an August 1 hearing, Judge Claude Hilton said that it was effectively Levison's fault that sites have only a single private SSL key.
"You're blaming the government for something that's overbroad, but it seems to me that your client is the one that set up the system that's designed not to protect that information, because you know that there needs to be access to calls that go back and forth to one person or another," the judge asked Levison's attorney, Jesse Binnall. "And to say you can't do that just because you've set up a system that ... has to be unencrypted, if there's such a word, that doesn't seem to me to be a very persuasive argument."
Binnall goes on to explain that Levison would be willing to log "the particular users in this case," but noted that it would be "burdensome."
Within a month, Lavabit still had not complied to the court's satisfaction (in fact, Levison handed over pages of the key typed in 4-point font), and Levison was ordered to pay a $5,000 fine for each day he did not comply. On August 8, he shuttered Lavabit entirely, destroying the company’s servers.
"There's information that I can't even share with my lawyer, let alone with the American public," Levison told Democracy Now in August 2013. "So if we're talking about secrecy, you know, it's really been taken to the extreme, and I think it's really being used by the current administration to cover up tactics that they may be ashamed of."
UPDATE 7:00pm CT: In a press release published on his Facebook page, Levison confirmed the unsealing and laid out his defense.
“People using my service trusted me to safeguard their online identities and protect their information. I simply could not betray that trust,” he said. “If the Obama administration feels compelled to continue violating the privacy rights of the masses just so they can conduct surveillance on the few then he should at least ask Congress for laws providing that authority instead of using the courts to force businesses into secretly becoming complicit in crimes against the American people.”
Courtesy: arstechnica

