What Would You Do?
Lavabit Founder Discusses the Day the FBI Came Knocking for the Data He Promised To Protect
By Angelique Carson, CIPP/US
Ladar Levison remembers June 28 pretty well. Temperatures reached 108 degrees in Dallas, TX, and Sandra Bullock’s The Heat was released nationwide. But Levison was feeling a different kind of heat that day when the FBI showed up unannounced at his Dallas apartment and told him they wanted access to his company’s computer system—a system he’d designed specifically to protect his customers from the threat of surveillance.
Levison is the founder of Lavabit, a now-defunct e-mail provider that allowed its users—including Edward Snowden, it’s been highly rumored—to send fully encrypted messages.
“When I set about to create Lavabit on day one, it was not to be a service focused on privacy,” Levison said. “That really developed in the first few months, when all the revelations were hitting the media about the NSA, and I started thinking about the tenuous position they were putting service providers in, and I decided I didn’t want to be put in that position.”
But on that day in June, agents came armed with a “pen register/trap-and-trace” device order, historically used to trace numbers dialed on a telephone. In 1979, the Supreme Court ruled that because a user knowingly exposes a phone number to a phone company when dialing and the phone company may monitor the call for billing, numbers do not enjoy privacy protections under the Fourth Amendment—though the content of the conversation does. Congress later passed the Pen Register Statute to regulate the use of such surveillance devices, requiring police to get a warrant to conduct a trap.
Why does that matter? Because it doesn’t just apply to phone communications anymore. Under the USA PATRIOT Act, the government can use pen/trap orders to intercept Internet communications via an Internet service or e-mail provider.
And that’s exactly what the FBI wanted to do, Levison said.
“Of course, (the agents) didn’t have the order with them. It arrived on their Blackberry a few minutes after they arrived at my door, and they forwarded it to me via e-mail,” Levison recalled. “But during the next two-plus-hour conversation, I had to rely upon them to tell me what it said.”
What it said, the agents told him, was that the order gave them the right to collect Lavabit’s metadata, including user logins, passwords and message content.
“I didn’t realize until I got a lawyer involved almost two weeks later that a pen register/trap and trace order only gives them the ability to collect meta-information and not content,” Levison said. “That’s a really important distinction, because that’s not the way they presented it.”
The FBI abstained from responding to this allegation when contacted by The Privacy Advisor.
The information the FBI said it wanted would, in a typical system, be kept in log files. But because Levison’s model was based on trust and privacy, he didn’t even keep those records. They would need Levison’s SSL keys—the keys that would unlock all of the information Levison’s business promised to protect. While the FBI said it only wanted login and logout dates and time and the originating IP address, with SSL keys agents could also unlock user identity and passwords to decrypt the content of their messages.
At that point in his impromptu meeting with the agents, Levison, a political science major with an info-security background and a self-described “stubborn SOB,” said he would need to consult an attorney first.
“They almost seemed surprised and offended when I refused,” he said. “Because all I could imagine is that most small companies in my condition would bend over backwards to cooperate with the FBI because they don’t want to get arrested. But it’s just the way I’m wired. I’ve worked in that space a lot protecting financial documents and financial information, so the prospect of turning over SSL keys just did not sit well with me. And because of my background in political science, I understood what my rights were and how to fight this kind of demand.”
That’s when the FBI agents left his apartment and immediately asked a judge to issue an order to compel, meaning he had to provide “all the technical assistance necessary to install the trap and trace” device.
“I was willing, but I was telling them they weren’t going to get login information and they weren’t going to get that much content,” Levison said. “Up until that point, they had been really hesitant to put a request for SSL keys in writing. It would be like saying ‘technical assistance’ meant giving them the administrative passwords to all my systems—because that’s essentially what they were asking for.”
Next, Levison was issued a summons to appear in a DC court and fined $10,000 for being in contempt of court. He searched frantically for a lawyer, but even having lunch with one to describe the case would cost more than he could afford. So he showed up in a DC court and represented himself—forced to give up the SSL keys.
“As soon as that gavel fell, I was served a search warrant,” he said.
And then he made headlines.
“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit,” Levison wrote on the company’s homepage. Adding that he was legally forbidden from sharing the reasons behind his decision, he shared a lesson he’d learned during his ordeal: that without “Congressional action or a strong judicial precedent, I would_strongly_recommend against anyone trusting their private data to a company with physical ties to the United States.”
The media picked up quickly on the story, perhaps because it was such an abrupt and radical move, or perhaps because Levison seemed to be in a league of his own, fighting the U.S. government in a way even tech giants seemingly hadn’t when approached for data on users. But in the end, Levison said, shutting down wasn’t really a choice.
“I had advertised my system as being secure and private because that was the focus of my service. If it came out that I had turned over the SSL keys, I would have gone out of business anyways,” he said. “Not to mention I was having serious stress-related issues with the ethical implications of what was going on. I had asked them to prove to me that meta-information was the only information they were collecting, and I would go along with that. And they couldn’t do that, in fact they were unwilling to. And I’m left with the only possible conclusion being that they wanted to collect more than they were authorized to.”
Today, Levison is fighting the court’s contempt charge against him, claiming the initial search warrant and subpoena were illegal and unconstitutional. He’s hoping his case will set a precedent that the government can’t demand a tool so essential to a company’s privacy and security as its SSL keys.
The U.S. Attorney General’s office did not return calls requesting comment.
Levison again made headlines recently when he announced a partnership with the founder of now-defunct Silent Circle, another e-mail encryption service. The two met by chance at an event last month and decided there was enough media hype around the self-imposed shutdown of each of their services that they could together create a new business venture that “wouldn’t allow service providers to be put in a position of compromising their users’ privacy anymore.”
Dark Mail, as it’s called, will focus on security from end-to-end and prevent third parties from being able to conduct surveillance—at the service-provider level—in secret. It will encrypt the contents of a message on a user’s device in a way that it couldn’t be decrypted until it reached the receiver’s device.
“What I am trying to accomplish with my new venture is what I was trying to accomplish with Lavabit to begin with, and that is to move surveillance back to the individual instead of the service provider,” Levison said. “That’s the way our Constitution intended it to be. There’s a reason surveillance was supposed to be difficult, and that was to protect the privacy of the society. I believe that, and I designed my business along those principles.”
As it stands now, those principles cost Levison the company he spent 10 years developing and a $10,000 fine. He’s hoping the court decides, at the end of his pending case, that the same thing can’t happen to the next guy.
Read More by Angelique Carson:
Fordham Law Develops Privacy Curriculum for Middle Schoolers
LIBE Adopts Compromise Amendments; Sends Draft to Council
Baker: The Grandfather of Privacy Was A Fogey