The FBI did not agree to this approach and in mid-July, issued a search warrant for the Lavabit SSL keys that would unencrypt the dispatches of interest. Lavabit responded by contesting the warrant. The company did set up a pen register on behalf of the FBI, but did not provide the key to unencrypt the messages.
On Aug. 1, the district court denied Lavabit's motion, ordering the company to hand over the key. Levison had responded by submitting the private key as an 11-page printout in barely legible 4-point type.
Lavabit was subsequently charged with contempt of court, which came with a $5,000-a-day fine for not complying to the warrant. Soon after, Levison provided the key, six weeks after the original order. Levison then shuttered the service, stating that handing the key to the government compromised the security of the Lavabit service.
Levison subsequently filed an appeal to clear the contempt of court charge, along with any financial penalties incurred, and possibly restore operations. The judges heard the case in January.
Privacy advocates hoped the case would address fundamental questions about how easily a government agency can obtain private keys to a user's communications without that person's knowledge. The three judges on the case — Roger Gregory, Paul Niemeyer and Steven Agee — focused on how Lavabit responded to the orders and search warrants.
Their decision pointed to a number of procedural errors Lavabit and its legal team made. Lavabit first challenged the constitutional issues around the pen tap order in its appeal.
"In the district court, Lavabit failed to challenge the statutory authority for the pen trap order, or the order itself, in any way," the decision noted.
"When a party in a civil case fails to raise an argument in the lower court and instead raises it for the first time before us, we may reverse only if the newly raised argument establishes 'fundamental error' or a denial of fundamental justice," the judges wrote. They concluded Lavabit did not adequately argue that the FBI made such a fundamental error.
The ACLU, which filed an amicus brief in the appeal, believes that the case left fundamental privacy issues unresolved.
"On the merits, we believe it's clear that there are limits on the government's power to coerce innocent service providers into its surveillance activities. The government exceeded those limits when it asked Lavabit to blow up its business — and undermine the encryption technology that ensures our collective cybersecurity — to get information that Lavabit itself offered to provide," Hauss wrote.
Sign up for CIO Asia eNewsletters.