Lavabit Tried Giving The Feds Its SSL Key In 11 Pages Of 4-Point Type; Feds Complained That It Was Illegible
from the kudos-to-ladar dept
We already wrote about the basics of Lavabit’s Ladar Levison standing up to the feds. However, the full filing has now been released and, on top of that, Kevin Poulsen has updated his story with more details, so it’s worth digging in a bit. Lavabit was hit with an initial pen register, which it refused, leading to the order to hand over the SSL keys. The new details show that Lavabit explained to the judge that giving up Lavabit’s SSL keys wouldn’t just let the feds spy on Snowden, but on all of Lavabit’s customers, and for obvious reasons, the company had a huge problem with that:
“The privacy of … Lavabit’s users are at stake,” Lavabit attorney Jesse Binnall told Hilton. “We’re not simply speaking of the target of this investigation. We’re talking about over 400,000 individuals and entities that are users of Lavabit who use this service because they believe their communications are secure. By handing over the keys, the encryption keys in this case, they necessarily become less secure.”
It also becomes clear that Levison was then actually willing to abide by the initial pen register, basically by figuring out a way to tap just Snowden, but at this point the government was no longer willing to stop there. The government pushed for getting the SSL key, basically promising not to abuse it:
“We can assure the court that the way that this would operate, while the metadata stream would be captured by a device, the device does not download, does not store, no one looks at it,” [Prosecutor James] Trump said. “It filters everything, and at the back end of the filter, we get what we’re required to get under the order.”
“So there’s no agents looking through the 400,000 other bits of information, customers, whatever,” Trump added. “No one looks at that, no one stores it, no one has access to it.”
“All right,” said [Judge Claude] Hilton. “Well, I think that’s reasonable.”
The judge then made a ruling that should cast a massive chill over anyone setting up private communications services:
“[The government’s] clearly entitled to the information that they’re seeking and just because you-all have set up a system that makes that difficult, that doesn’t in any way lessen the government’s right to receive that information just as they could from any telephone company or any other e-mail source that could provide it easily.”
Yikes. So, even if you set up a secure communication system, this judge says that you have to let the feds wiretap it.
Somewhat amusingly, Lavabit tried to comply “by turning over the private SSL keys as an 11 page printout in 4-point type.” The feds complained that “the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data.” Poor, poor FBI. The judge has no problem putting a massive burden on Lavabit, but asking the FBI to actually do some data entry is too onerous? Yup. Apparently. The court then ordered Levison to provide a more useful electronic copy, which then resulted in the $5,000/day fine for failing to live up to that, and then the closure of the site.