Ever wonder what really happened to Lavabit, the private email service provider that shut down last August? You might have heard of Lavabit, as the service was famously used by Edward Snowden, the NSA whistleblower who has since been accused of cyber espionage against the US government. Lavabit shut down just weeks after Snowden’s NSA spying revelations hit the headlines, but until now its reasons for doing so weren’t entirely clear.
Thanks to the 4th U.S. Circuit Court of Appeals, where the Lavabit case is being argued, court documents were unsealed and have now shed some light on why the private email service chose to cease operations.
According to the unsealed documents, Lavabit was served last June 28 with a so-called “pen register,” which can be obtained without probable cause, to provide the government with the e-mail “from” and “to” lines of every e-mail, as well as the IP address used to access a particular mailbox – presumed to be that of Snowden.
Ladar Levison, Lavabit’s founder, dismissed the request since his business is to provide a secure email service to paying customers. He maintained that complying with the order would violate Lavabit’s contract with its users. The government responded by filing a motion to force Lavabit to comply, to which the company answered that its users “enabled Lavabit’s encryption services, and thus Lavabit would not provide the requested information.”
“The representative of Lavabit indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to ‘defeat [its] own system,’” the government complained.
U.S. Magistrate Judge Theresa Buchanan ordered Levison to comply, and threatened that he could be jailed for criminal contempt if he did not. However, even in the face of this threat, Levison refused to comply, leading the government to obtain a search warrant demanding “all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.”
Levison argued that what the government wanted wasn’t right, since it would force Lavabit to violate the privacy of more than 400,000 of its users. However, he stated that Lavabit would now comply and give the SSL keys for the particular account that the government originally wanted.
The government refused this offer, stating that it had now expired, and assured the court that no one would ever see the information of other Lavabit users, as the pen/trap device does not download and store information. It only filters the metadata stream in order to get the information the government requires.
Claude M. Hilton, Senior U.S. District Court Judge for the Eastern District of Virginia, favored the government, ruling that it was entitled to the information it was seeking and ordering Levison to comply.
Levison was not about to just give the government what it wanted without making it sweat, however, and so he fired back by producing an 11-page printout in 4-point type of the private SSL keys. The government was not amused and stated that in order for the information to be usable, the FBI would have to “manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data.”
The court ordered a more useful copy, but Lavabit still refused to comply. By August 5, the court ordered that Levison would be fined $5,000 a day beginning August 6 until he handed over electronic copies of the keys.
On August 8, instead of giving the government what it wanted and breaking its contract with its users, Levison decided to shut down the service altogether. At the time, Levison was still under a gag order and could not divulge the reason behind the shutdown, but he did leave a cryptic message telling of his ordeal with the government.
What happened to Lavabit is proof that the government will do anything and everything it can to spy on its people, even if good people like Levison are fighting to keep people’s privacy.