Lavabit, the private email service that shut down last year after a court order called for its private SSL (secure socket layer) keys, will make its case Tuesday before a U.S. federal appeals court.
Although tangentially related to former NSA contractor Edward Snowden's activities, the case could eventually affect all Web service providers, such as Google or Facebook, in that it could set precedents for the legal scope that law enforcement agencies will have over those holding the keys to encrypted data.
"This case is about protecting the encryption architecture that underwrites the security of the Internet," said Brian Hauss, a legal fellow for the American Civil Liberties Union (ACLU). "That architecture depends on SSL encryption and SSL encryption depends on the continued privacy of the private keys of the companies that use that encryption."
Before the 4th U.S. Circuit Court of Appeals in Richmond, Virginia, lawyers for the now defunct email service will argue that the government electronic wiretap orders that Lavabit received — orders that spurred the company to shutter operations — were far too broad, and jeopardized the Fourth Amendment right to privacy of its users.
Snowden reportedly used the Lavabit email service just after he exposed the first of what would become many confidential National Security Agency (NSA) documents.
Lavabit was founded by Ladar Levison, who set the operation up as an encrypted email service. By 2013, it had attracted over 400,000 users.
Just after Snowden had fled the U.S. in June 2013, the FBI produced a court order demanding from Lavabit metadata about a single account, presumably Snowden's, although many of the early records dealing with the case remain under a court seal. The order cited a 1994 amendment to the Stored Communications Act that allows federal law enforcement agencies to traffic data without a search warrant.
Soon after, the U.S. Federal Bureau of Investigation obtained another "pen register order" allowing for a "pen trap" to collect all routing data for the individual. A pen trap records all routing, addressing or signalling information between electronic communications, in this case email.
Lavabit agreed to the pen trap, but refused to turn over to the government its SSL keys that would allow the law enforcement agency to decrypt the communications in real time. Lavabit's SSL keys worked for all of Lavabit's users, not just the one user under scrutiny. By handing over its private SSL keys, Lavabit would be making all of its users' email open to the government.
Lavabit offered to develop a work-around that would capture only the email of the person under scrutiny. The FBI declined Lavabit's proposal, however, and the company was held in contempt of court for not handing over the keys in a timely fashion.
Sign up for CIO Asia eNewsletters.