“Lavabit, Snowden’s E-Mail Service, in a Legal Tug of War”

October 3, 2013

The New York Times on October 2, 2013 released the following:

By NICOLE PERLROTH and SCOTT SHANE

“DALLAS — One day last May, Ladar Levison returned home to find an F.B.I. agent’s business card on his Dallas doorstep. So began a four-month tangle with law enforcement officials that would end with Mr. Levison’s shutting the business he had spent a decade building and becoming an unlikely hero of privacy advocates in their escalating battle with the government over Internet security.

Prosecutors, it turned out, were pursuing a notable user of Lavabit, Mr. Levison’s secure e-mail service: Edward J. Snowden, the former National Security Agency contractor who leaked classified documents that have put the intelligence agency under sharp scrutiny. Mr. Levison was willing to allow investigators with a court order to tap Mr. Snowden’s e-mail account; he had complied with similar narrowly targeted requests involving other customers some two dozen times.

But they wanted more, he said: the passwords, encryption keys and computer code that would essentially allow the government untrammeled access to the protected messages of all his customers. That, he said, was too much.

“You don’t need to bug an entire city to bug one guy’s phone calls,” Mr. Levison, 32, said in a recent interview. “In my case, they wanted to break open the entire box just to get to one connection.”

On Aug. 8, Mr. Levison closed Lavabit rather than, in his view, betray his promise of secure e-mail to his customers. The move, which he explained in a letter on his Web site, drew fervent support from civil libertarians but was seen by prosecutors as an act of defiance that fell just short of a crime.

The full story of what happened to Mr. Levison since May has not previously been told, in part because he was subject to a court’s gag order. But on Wednesday, a federal judge unsealed documents in the case, allowing the tech entrepreneur to speak candidly for the first time about his experiences. He had been summoned to testify to a grand jury in Virginia; forbidden to discuss his case; held in contempt of court and fined $10,000 for handing over his private encryption keys on paper and not in digital form; and, finally, threatened with arrest for saying too much when he shuttered his business.

Spokesmen for the Justice Department and the F.B.I. said they had no comment beyond what was in the documents.

Mr. Levison’s battle to preserve his customers’ privacy comes at a time when Mr. Snowden’s disclosures have ignited a national debate about the proper limits of surveillance and government intrusion into American Internet companies that promise users that their digital communications are secure.

Much of the attention has been focused on Internet giants like Microsoft and Google. Lavabit, with just two employees and perhaps 40,000 regular users, was a midget by comparison, but its size and Mr. Levison’s personal pledge of security made it attractive to tech-savvy users like Mr. Snowden.

While Mr. Levison’s struggles have been with the F.B.I., hovering in the background is the N.S.A., which has worked secretly for years to undermine or bypass encrypted services like Lavabit so that their electronic message scrambling cannot obstruct the agency’s spying. Earlier in September, The New York Times, ProPublica and The Guardian wrote about the N.S.A.’s campaign to weaken encryption. Mr. Levison’s case shows how law enforcement officials can use legal tools to pry open messages, no matter how well protected.

Mr. Levison said he set up Lavabit to make it impossible for outsiders, whether governments or hackers, to spy on users’ communications. He followed the government’s own secure coding guidelines, based on the N.S.A.’s technical guidance, and engineered his systems so as not to log user communications. That way, even if he received a subpoena for a user’s communications, he would not be able to gain access to them. For added measure, he gave customers the option to pay extra to encrypt their e-mail and passwords.

Mr. Levison, who studied politics and computer science at Southern Methodist University, started Lavabit in April 2004, the same month Google rolled out Gmail. To pay his bills, he worked as a Web consultant, helping develop Web sites for major brands like Dr Pepper, Nokia and Adidas. But by 2010, the e-mail service had attracted enough paying customers to allow Mr. Levison to turn to Lavabit full time.

The agent did not mention at first who the government was pursuing, and Mr. Levison will not name the targets of the government’s investigation. The name was redacted from the court order unsealed Wednesday, but the offenses listed are violations of the Espionage Act, and the timing of the government’s case coincides with its leak investigation into Mr. Snowden, which began in May when he fled Hawaii for Hong Kong carrying laptops containing thousands of classified documents.

By then, Mr. Snowden’s Lavabit e-mail address was already public. He had listed his personal Lavabit e-mail address in January 2010, and was still using a Lavabit address this July, when he summoned reporters to a news conference at the Moscow airport.

That e-mail invitation proved to be an unintended endorsement for Lavabit’s security. Before that, Mr. Levison said that, on average, Lavabit was signing up 200 new users daily. In the days after Mr. Snowden’s e-mail, more than 4,000 new customers joined each day.

But a month before the news conference, court documents show, Mr. Levison had already received a subpoena for Mr. Snowden’s encrypted e-mail account. The government was particularly interested in his e-mail metadata — with whom Mr. Snowden was communicating, when and from where. The order, from the Federal District Court in Alexandria, Va., required Mr. Levison to log Mr. Snowden’s account information and provide the F.B.I. with “technical assistance,” which agents told him meant handing over the private encryption keys, technically called SSL certificates, that unlock communications for all users, he said.

“It was the equivalent of asking Coca-Cola to hand over its secret formula,” Mr. Levison said.

By July, he said, he had 410,000 registered users. Similar services like Hushmail, a Canadian encrypted e-mail service, had lost users in 2007 after court documents revealed that the company had handed 12 CDs’ worth of decoded e-mails from three Hushmail accounts to American law enforcement officials through a mutual assistance treaty.

“The whole concept of the Internet was built on the idea that companies can keep their own keys,” Mr. Levison said. He told the agents that he would need their request for his encryption keys in writing.

A redacted version of that request, which was among the 23 documents that were unsealed, shows that the court issued an order July 16 for Lavabit’s encryption keys. Prosecutors said they had no intention of collecting any information on Lavabit’s 400,000 other customers. “There’s no agents looking through the 400,000 other bits of information, customers, whatever,” Jim Trump, one of the prosecutors, said at a closed Aug. 1 hearing.

But Mr. Levison said he spent much of the following day thinking of a compromise. He would log the target’s communications, unscramble them with the encryption keys and upload them to a government server once a day. The F.B.I. told him that was not enough. It needed his target’s communications “in real time,” he said.

“How as a small business do you hire the lawyers to appeal this and change public opinion to get the laws changed when Congress doesn’t even know what is going on?” Mr. Levison said.

When it was clear Mr. Levison had no choice but to comply, he devised a way to obey the order but make the government’s intrusion more arduous. On Aug. 2, he infuriated agents by printing the encryption keys — long strings of seemingly random numbers — on paper in a font he believed would be hard to scan and turn into a usable digital format. Indeed, prosecutors described the file as “largely illegible.”

On Aug. 5, Judge Claude M. Hilton ordered a $5,000-a-day fine until Mr. Levison produced the keys in electronic form. Mr. Levison’s lawyer, Jesse R. Binnall, appealed both the order to turn over the keys and the fine.

After two days, Mr. Levison gave in, turning over the digital keys — and simultaneously closing his e-mail service, apologizing to customers on his site. That double maneuver, a prosecutor later told his lawyer, fell just short of a criminal act.

He hopes to resurrect the business he spent a decade building. “This wasn’t about one person,” Mr. Levison said. “This was about the lengths our government was willing to go to conduct Internet surveillance on one person.””

————————————————————–

Douglas McNabb – McNabb Associates, P.C.’s
Federal Criminal Defense Attorneys Videos:

Federal Crimes – Be Careful

Federal Crimes – Be Proactive

Federal Crimes – Federal Indictment

Federal Crimes – Detention Hearing

Federal Crimes – Appeal

————————————————————–

To find additional federal criminal news, please read Federal Criminal Defense Daily.

Douglas McNabb and other members of the U.S. law firm practice and write and/or report extensively on matters involving Federal Criminal Defense, INTERPOL Red Notice Removal, International Extradition Defense, OFAC SDN Sanctions Removal, International Criminal Court Defense, and US Seizure of Non-Resident, Foreign-Owned Assets. Because we have experience dealing with INTERPOL, our firm understands the inter-relationship that INTERPOL’s “Red Notice” brings to this equation.

The author of this blog is Douglas C. McNabb. Please feel free to contact him directly at mcnabb@mcnabbassociates.com or at one of the offices listed above.


“Feds Targeted Snowden’s Email Provider the Day After NSA Whistleblower Went Public”

October 3, 2013

Wired on September 27, 2013 released the following:

BY KEVIN POULSEN

“When on June 9 Edward Snowden stood up in Hong Kong and revealed himself to the world as an NSA whistleblower, the Justice Department wasted little time in targeting his email provider. A new appeals court filing today shows the government served a court order on Texas-based Lavabit the very next day, demanding metadata on an unnamed customer that the timing and circumstances suggest was Snowden.

The June 10 records demand was issued under 18 USC 2703(d), a 1994 amendment to the Stored Communications Act that allows law enforcement access to non-content internet records without demonstrating the “probable cause” needed for a search warrant. That would include email “To” and “From” lines, and the IP addresses used to access the account, but would not include the content of the email.

That order was followed on June 28 with a so-called “pen register order”, which provides the same information prospectively — recording the metadata for every new email sent or received.

It’s not clear what information, if any, Lavabit produced at that stage of the investigation. But on July 9 the court evidently issued an “Order to Show Cause,” which in a records case is usually the result of the government asking the court to enforce a demand that hasn’t been complied with to the government’s satisfaction.

The new information is revealed in a government filing in Lavabit’s appeal in the case. Lavabit attorney Jesse Binnall on Tuesday asked the 4th U.S. Circuit Court of Appeals to unseal some information in the case so that public interest groups could learn enough to potentially file amicus briefs on the core legal issues. The government today filed its opposition to the unsealing motion — under seal, naturally — along with a public timeline of previous orders keeping the case secret.

“The entire record in the district court, including all applications, subpoenas, motions, warrants, and orders, remains under seal,” prosecutors wrote in the public filing.

The timeline shows that the government’s records demands to Lavabit in the case began on June 10, almost two months before owner Ladar Levison shut down the service on August 8 with an oblique message saying he’d been left with little choice in the matter.

“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit,” Levison wrote at the time. “After significant soul searching, I have decided to suspend operations.”

Levison and his lawyer are both bound by a gag order preventing them from discussing the details of the case, or identifying who the government’s target is.

The June 29 pen register order may well have been the issue. A standard email provider can easily funnel email headers to the government in response to such a request. But Lavabit offered paying customers a secure email service that stores incoming messages encrypted to a key known only to that user. Lavabit itself did not have access.

Levison could have complied with a prospective metadata demand in a number of ways: by providing the government with Lavabit’s private SSL certificate — allowing its users to be wiretapped; by modifying the software to store a user’s private encryption key at the next login; or by recording the email metadata before it’s encrypted. But Levison may have balked at actively circumventing the privacy system he built for users.

After shutting down the site, Levison appealed on August 29. His opening brief in his appeal is due October 3.

“He’s optimistic that we use this opportunity to possibly get some good law,” attorney Binnall told WIRED earlier this month. “My client is somebody who’s very concerned about privacy rights and protecting the United States Constitution from unlawful searches and seizures and protecting the First Amendment.””
