Lavabit Details Unsealed: Refused To Hand Over Private SSL Key Despite Court Order & Daily Fines

from the as-expected dept

It appears that some of the details that resulted in Lavabit shutting down have been unsealed, and Kevin Poulsen, over at Wired, has the details and it's pretty much what most people suspected. The feds got a court order, demanding that Lavabit effectively hand over the keys to everyone's emails. Lavabit's Ladar Levison refused, and he was then threatened with $5,000/day fines, contempt of court charges and possibly more.

Initially, Lavabit was sent a pen register order letting the government know every time Ed Snowden logged in (Snowden's name is redacted, but it's clear that this is about him). Lavabit said that it wouldn't defeat its own encryption system, and the court quickly ordered Lavabit to comply:
By July 9, Lavabit still hadn’t defeated its security for the government, and prosecutors asked for a summons to be served for Lavabit, and founder Ladar Levison, to be held in contempt “for its disobedience and resistance to these lawful orders.”

A week later, prosecutors obtained the search warrant demanding “all information necessary to decrypt communications sent to or from the Lavabit email account [redacted] including encryption keys and SSL keys.”
Once again, Levison refused to reveal the SSL keys, leading to the $5,000 per day fine imposed by Magistrate Judge Theresa Buchanan. The fines began August 6th. Lavabit shut down on August 8th.

Again, something along those lines was what many people had assumed happened, but now it's been confirmed. Kudos to Levison for standing his ground on this. I know that people in our comments like to insist that every company should act this way, but it's not nearly as easy when its your life's work on the line, and you have the entire US government (including huge monetary fines and the possibility of jail time) coming down on you.

Filed Under: doj, ed snowden, email, encryption, fbi, ladar levison, pen register, privacy, ssl, wiretap
Companies: lavabit


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 2 Oct 2013 @ 8:56pm

    So to sum up, it's non-targetted, it would intercept *all* Lavabit users. 'Probable cause' doesn't have any meaning in that instance.

    They also wanted to do it in a way that would let them not just read emails but also write fake emails. i.e. write fake untraceable evidence, since emails can and are used as evidence.

    "accomplish the installation and use of the pen/trap device"

    They've also substituted a 'device' for the request for data. So instead of the data being handed over in a way that a court can verify (and Lavabit can verify in its role as guardian of the data), a black box is added with an unverifiable promise that it only does legal stuff and grabs nothing else. The leaks show these devices go far beyond their legal remit.

    The judge, a non-techie, trusts the badge, without understanding the issue.

    "“He’s had every opportunity to propose solutions to come up with ways to address his concerns and he simply hasn’t.”"

    *He* should address HIS concerns? What some sort of self arguing?

    "“It filters everything, and at the back end of the filter, we get what we’re required to get under the order....No one looks at that, no one stores it, no one has access to it."

    Liar. It splits the data into filtered and unfiltered. The filter is made available to the FBI agent, the unfiltered+filtered is stored in the NSA giant database aka 'lockbox'. General 'collect it all' collects it all. We got that from the leaks.

    But the key to me is, IT LETS THEM FAKE COMMUNICATIONS. He would be handing over a key that would let the NSA make fake & send emails, impersonating any Lavabit user with an audit trail that would pass forensic investigation. I assume that was the intention when they didn't just want Lavabit's email, they wanted the ability to put a device in with Lavabits own SSL keys.

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.