When it shut down, Lavabit became the first company ever to reveal that the government had demanded its SSL key.Sipa/AP
NEW YORK — Ladar Levison, creator of the ultrasecure email service Lavabit, is an imperfect civil-liberties hero. He is not opposed to working with the government, and he set out to write code, not become an activist. But after being thrust into the public eye as email provider to former National Security Agency contractor and whistle-blower Edward Snowden, he could now set a crucial precedent for online privacy.
At stake is a key — a string of letters, numbers and symbols — that unlocks many of the Internet’s most basic transactions, including messaging, banking and shopping. In order to spy on a Lavabit email address widely believed to be Snowden’s — though redacted from court filings — a federal judge ordered Levison to give the government his key. With it, agents at the Federal Bureau of Investigation would have been able to unlock the encryption protecting Lavabit, known as secure sockets layer, or SSL. They would have had the capability to read everything, including email content and credit card information, flowing from its 400,000 customers. After months of stalling, Levison turned over his SSL key but shut down his company.
Levison took his case to the Fourth Circuit Court of Appeals, and in his opening brief, filed Thursday, his lawyers argued that the order to turn over the SSL key violated Fourth Amendment protections against unreasonable searches and would “eviscerate” the basic purpose of companies trying to provide secure email. It was like “requiring a hotel to turn over a master key to all of its hotel rooms” or “commanding the city of Richmond to give the police a key to every house” in the search for one man, his lawyers argued.
“It is unthinkable that Congress would have given the government the authority to seize keys that would make it possible to intercept all of Lavabit’s communications with all of its customers — communications that the customers have been told are private against exactly that kind of secret surveillance — except in the clearest possible words,” wrote Jesse Binnall, Levison’s lead attorney.
A former freelance computer programmer who launched Lavabit in 2004, Levison is happy to acknowledge the many government subpoenas with which he has complied. Lionized by many Internet-freedom advocates for shutting down Lavabit rather than let the FBI spy on what was almost assuredly Snowden’s email account, he had been willing to give the government most of Snowden’s data until prosecutors doomed his business anyway.
“It didn’t start off ideological,” he said recently in New York City, where he had arranged a weekend sprint of interviews with eager reporters. “I’m not anti-government. But I’m pro-freedom.”
Until a few months ago, during what Levison and privacy advocates call the Summer of Snowden, Lavabit’s popularity was limited to a corner of the online universe inhabited mostly by privacy fanatics, software engineers, and the odd criminal or political activist. But Lavabit’s paying users, who spent between $8 and $16 a year for extra storage space, were enough to employ Levison full time out of home offices in Dallas, where he still lives with Princess, his Italian greyhound mix.
That summer, when the privacy fanatics began to look less fanatical and more prescient, the number of people seeking Lavabit’s extra security surged. Instead of registering 100 to 200 new customers a day, there were 4,000. Just as quickly, it fell apart.
In May, weeks before Snowden’s leaks became public, an FBI agent left his business card on a windowsill next to Levison’s front door. By August, Levison would be summoned to the Eastern District of Virginia, the Justice Department’s home turf, where he was threatened with contempt of court and a $5,000-a-day fine and gagged by a judge’s order that sealed his entire case.
SSL keys are, in the world of computer engineering, the crown jewels of an online enterprise. When you shop, bank or send an email on your computer, you are often unknowingly relying on the protection of SSL encryption. It is almost ubiquitous in 21st-century commerce. Companies such as Apple, Amazon and Gmail use SSL to prove to your computer that they are who they say they are and to protect the information you exchange with them. They are required, by industry standards, to alert the companies that certify their SSL encryption if their keys ever fall into the hands of a third party. When a tiny icon of a padlock appears in your Web browser, it is because the site you are accessing is using SSL to encrypt what you are doing — to make sure that only you and your bank know that you have just deposited your grandmother’s $100 birthday check into your savings account or donated to an activist in the Middle East. Levison’s key would have unlocked everything.
Though both the FBI and NSA put serious effort into breaking SSL keys and other types of encryption with brute computing force, it is not easy, and programmers regularly invent longer and more complicated codes. The NSA has found that it is more efficient to get around the problem, often by using a variety of methods to find and store the secret keys when their owners leave them unsecured.
Such is the sacredness assigned to SSL keys that, prior to Lavabit, those who study Internet privacy professionally had never heard of a company giving them up. There were only rumors and suspicions. Declan McCullagh, a reporter for the technology website CNET, reported in July that the government had been asking businesses for SSL keys. Google and Facebook, the only major companies to respond to McCullagh's inquiries, told him that they had never turned them over, but others worried that the government had successfully pressured smaller companies that did not boast legal firepower. Levison said that he knew of peers who had been forced to turn over their keys and that many companies do not protect them "voraciously enough."
But when the Lavabit court record was unsealed earlier this month, revealing that a federal judge had approved a search warrant that ordered Levison to give his SSL key to the FBI, it was a first. The technology community was stunned.
"SSL is not some kind of obscure hacker tech. It's used by banks and Fortune 100 companies. The CIA’s website uses SSL by default," said Chris Soghoian, the principal technologist for the American Civil Liberties Union. "As far as we stand, it is a very new issue."
The court had already ruled that the FBI could install a standard device, called a pen/trap, on Lavabit's Internet connection, which would record data from the email account they were targeting. The FBI was instructed, in a court order, to take "reasonable steps" to ensure that the pen/trap would not record the subject lines or content of the emails and would keep only the metadata — the time, length and destination of each message, in addition to other information. But with the SSL key, government agents would have the ability not only to read emails, in real time, but also to decrypt every piece of information from every user of Lavabit.
"It would undermine the credibility of the company and its very reason for existence," Soghoian said.
Levison had been willing to work with the FBI. In May, when he met with the Dallas agents, he said, they told him that they were acting at the behest of the Washington, D.C., headquarters and did not know the nature of the investigation. They asked questions about Lavabit's technology and the information it collected from its users and, in a later email, suggested enrolling Lavabit in InfraGard, a partnership between the FBI and private businesses to exchange information about threats to U.S. and private infrastructure. Levison was not opposed, having suffered from spammers and credit card fraud.
On July 13, a month after the court first ordered Levison to turn over information about the email address and nearly two weeks after he was ordered to install the pen/trap, he told the FBI that he could collect the information it wanted — including login times and email recipients — and provide it when the 60-day court order expired, maybe even "intermittently," as he collected it. He asked for $2,000 to design the program and an extra $1,500 if the FBI wanted the information more frequently.
But federal prosecutors continued to demand the SSL key, and Levison delayed and hired a lawyer. In late July, the FBI installed the pen/trap on Lavabit's Internet provider but were foiled by the company's encryption. In the interim, Snowden had flown from Hong Kong to Russia on June 23, almost two weeks after Levison's first court order. In a July 31 motion, prosecutors wrote that Levison had provided "very little of the information" they wanted and that "during Lavabit's over one month of noncompliance with this Court's Pen-Trap Order" and left the rest redacted.
On Aug. 2, Levison printed out the five SSL keys he used for Lavabit's five types of encryption. The 2,560 characters were rendered in illegible 4-point type and took up 11 pages. He delivered the printout to the Dallas FBI. Prosecutors asked the court to sanction Levison, and Judge Claude Hilton told him he would be fined $5,000 for each day he refused to turn over the keys in electronic form. On Aug. 8, after Levison gave the FBI the keys and shut down Lavabit, he wrote on his website that he had been forced to choose between leaving his business or "becom[ing] complicit in crimes against the American people."
Because Snowden was known to be a Lavabit user, the shutdown made the news. Levison received initial legal help from the Electronic Frontier Foundation's Marcia Hofman — who is now part of his appeal — then set up a legal-defense fund, which he said has received hundreds of thousands of dollars. He spoke at Ron Paul’s Liberty Political Action Conference in September, and shortly thereafter, a freshman at George Mason University and member of the student group Young Americans for Liberty signed on to become his assistant. Levison is scheduled to speak at the European Parliament in Brussels this week and at a CNET debate later this month.
Levison distrusts the government's intentions in his case and said he thought it was possible that the FBI could have sought warrants in the secret Foreign Intelligence Surveillance Court — itself the subject of some of Snowden's leaks — to use the pen/trap device to read the content of Lavabit's customers' emails. With the SSL keys, he said, the government now has the capability to look back through the records it collected since it installed the device in late July and decrypt them, though doing so would exceed the district court's orders.
He also said he that believes he might have been subject to surveillance and that he has stopped using email. In a July 16 hearing, prosecutor James Trump told the court he knew that Levison had "been in contact with attorneys who also represent industry groups and others who have litigated issues like this in the Wikileaks context and others." Levison said government investigators "know things they could’ve only known this way."
"If this had happened nine months ago, I would've made the same decision … but nobody would've understood why," he said.