Lavabit, the private email service that shut down last year after a court order called for its private SSL (secure socket layer) keys, will make its case Tuesday before a U.S. federal appeals court.
Although tangentially related to former NSA contractor Edward Snowden’s activities, the case could eventually affect all Web service providers, such as Google or Facebook, in that it could set precedents for the legal scope that law enforcement agencies will have over those holding the keys to encrypted data.
“This case is about protecting the encryption architecture that underwrites the security of the Internet,” said Brian Hauss, a legal fellow for the American Civil Liberties Union (ACLU). “That architecture depends on SSL encryption and SSL encryption depends on the continued privacy of the private keys of the companies that use that encryption.”
Before the 4th U.S. Circuit Court of Appeals in Richmond, Virginia, lawyers for the now defunct email service will argue that the government electronic wiretap orders that Lavabit received—orders that spurred the company to shutter operations—were far too broad, and jeopardized the Fourth Amendment right to privacy of its users.
Snowden reportedly used the Lavabit email service just after he exposed the first of what would become many confidential National Security Agency (NSA) documents.
Lavabit was founded by Ladar Levison, who set the operation up as an encrypted email service. By 2013, it had attracted over 400,000 users.
Just after Snowden had fled the U.S. in June 2013, the FBI produced a court order demanding from Lavabit metadata about a single account, presumably Snowden’s, although many of the early records dealing with the case remain under a court seal. The order cited a 1994 amendment to the Stored Communications Act that allows federal law enforcement agencies to traffic data without a search warrant.
Soon after, the U.S. Federal Bureau of Investigation obtained another “pen register order” allowing for a “pen trap” to collect all routing data for the individual. A pen trap records all routing, addressing or signalling information between electronic communications, in this case email.
Lavabit agreed to the pen trap, but refused to turn over to the government its SSL keys that would allow the law enforcement agency to decrypt the communications in real time. Lavabit’s SSL keys worked for all of Lavabit’s users, not just the one user under scrutiny. By handing over its private SSL keys, Lavabit would be making all of its users’ email open to the government.
Lavabit offered to develop a work-around that would capture only the email of the person under scrutiny. The FBI declined Lavabit’s proposal, however, and the company was held in contempt of court for not handing over the keys in a timely fashion.
By August, Lavabit had capitulated and handed over the keys. Shortly after, Levison shuttered the service. Levison had argued that by nature of its business, a secure email service can’t host a surreptitious government pen trap. Doing so betrays the entire service it is offering to its customers.
Although both parties are expected to focus on procedural and technical considerations, the appeal will also raise many far-reaching questions about how much access law enforcement agencies should be allowed in their investigations.
Court orders that call for a company’s SSL keys in order to pursue a single suspect are far too broad and could chill free speech, some argue.
”If, in the name of criminal law, we violate the privacy of an entire swath of innocent people, we risk violating some of the necessary rights of citizens to keep our democracy healthy,” said Aris Michalopoulos, co-founder of the Empeopled social networking site. Empeopled filed a brief in support of Lavabit in the case.
As the law currently stands in relation to electronic services, “people aren’t able to speak freely, without looking over their shoulder, and worrying that somebody is listening,” Michalopoulos said.
Already the actions of law enforcement agencies have left other companies wary of offering similar secure email services.
For instance, Silent Circle, a communications provider co-founded by PGP inventor Phil Zimmermann, shut its encrypted email service in August, citing how the government’s actions in the Lavabit case would make such services impossible to run.