Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Lavabit case highlights legal fuzziness around encryption rules

Joab Jackson | Jan. 29, 2014
While privacy advocates may see Lavabit as bravely defending U.S. privacy rights in the online world, federal judges hearing its appeal of contempt-of-court charges seem to regard the now defunct encrypted email service as just being tardy in complying with government court orders.

The FBI, however, had required the information in real time, and that the information would be unencrypted. Levison balked at these requirements. Nearly two weeks after the court order was issued, he responded by offering to set up an internal process that would unencrypt the user's communications, then send the results to the FBI at the end of 60 days. The only other alternative, he argued, would be to send the law enforcement agency the encrypted data, which would be useless.

The FBI did not agree to this approach, however, and in mid-July, issued a search warrant for Lavabit's SSL keys that would unencrypt the dispatches of interest.

This move proved to be politically explosive, however. Lavabit's SSL keys could unlock the data of all of Lavabit's users, not just the one user under scrutiny. By handing over its private SSL keys, Lavabit would potentially be making every customer's email accessible to the government.

By early August, Lavabit had capitulated and handed over the keys. Shortly after, Levison shuttered the service, stating that continuing operations for the company's 400,000 users would make him "complicit in crimes against the American people." By filing an appeal, Lavabit hopes to clear the contempt of court charge -- along with any financial penalties incurred -- and possibly restore operations.

The judges questioned Lavabit's motives, however. Niemeyer noted in the first court order, "the court is clearly intent in providing unencrypted data," and chastised Lavabit for taking so long to respond. Samuels argued that Levison, being a small business owner with no counsel on hand at the time, was slow in responding, because he was still determining the best way to comply with the court order without sacrificing the privacy of the service's other users.

Niemeyer stated that Lavabit's proposed solution to setting up a process to unencrypt the data was unacceptable, noting that "the FBI didn't want a middleman," and stating that "This is not what [Lavabit] were ordered to provide." Niemeyer also criticized Lavabit for not challenging the initial June 28 order, if it felt that order to be unreasonable.

Niemeyer also had some harsh words for the law enforcement agents on the case, suggesting that they did not work closely enough with Lavabit to overcome the technical obstacles. U.S. attorney Andrew Peterson said he did not know of any reason that Lavabit could not unencrypt the data in real time, though he personally couldn't explain to the court how that would be done.

Peterson argued on behalf of the government that the court order for the SSL keys had only been issued after it was obvious "that any trust between Lavabit and the government had broken down," by mid-July. The company had treated the court orders "like contract negotiations," he said, rather than as a legal requirement. Trust had also been eroded by the long periods of silence from Lavabit.


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.