“Lavabit, Snowden’s E-Mail Service, in a Legal Tug of War”

October 3, 2013

The New York Times on October 2, 2013 released the following:

By NICOLE PERLROTH and SCOTT SHANE

“DALLAS — One day last May, Ladar Levison returned home to find an F.B.I. agent’s business card on his Dallas doorstep. So began a four-month tangle with law enforcement officials that would end with Mr. Levison’s shutting the business he had spent a decade building and becoming an unlikely hero of privacy advocates in their escalating battle with the government over Internet security.

Prosecutors, it turned out, were pursuing a notable user of Lavabit, Mr. Levison’s secure e-mail service: Edward J. Snowden, the former National Security Agency contractor who leaked classified documents that have put the intelligence agency under sharp scrutiny. Mr. Levison was willing to allow investigators with a court order to tap Mr. Snowden’s e-mail account; he had complied with similar narrowly targeted requests involving other customers some two dozen times.

But they wanted more, he said: the passwords, encryption keys and computer code that would essentially allow the government untrammeled access to the protected messages of all his customers. That, he said, was too much.

“You don’t need to bug an entire city to bug one guy’s phone calls,” Mr. Levison, 32, said in a recent interview. “In my case, they wanted to break open the entire box just to get to one connection.”

On Aug. 8, Mr. Levison closed Lavabit rather than, in his view, betray his promise of secure e-mail to his customers. The move, which he explained in a letter on his Web site, drew fervent support from civil libertarians but was seen by prosecutors as an act of defiance that fell just short of a crime.

The full story of what happened to Mr. Levison since May has not previously been told, in part because he was subject to a court’s gag order. But on Wednesday, a federal judge unsealed documents in the case, allowing the tech entrepreneur to speak candidly for the first time about his experiences. He had been summoned to testify to a grand jury in Virginia; forbidden to discuss his case; held in contempt of court and fined $10,000 for handing over his private encryption keys on paper and not in digital form; and, finally, threatened with arrest for saying too much when he shuttered his business.

Spokesmen for the Justice Department and the F.B.I. said they had no comment beyond what was in the documents.

Mr. Levison’s battle to preserve his customers’ privacy comes at a time when Mr. Snowden’s disclosures have ignited a national debate about the proper limits of surveillance and government intrusion into American Internet companies that promise users that their digital communications are secure.

Much of the attention has been focused on Internet giants like Microsoft and Google. Lavabit, with just two employees and perhaps 40,000 regular users, was a midget by comparison, but its size and Mr. Levison’s personal pledge of security made it attractive to tech-savvy users like Mr. Snowden.

While Mr. Levison’s struggles have been with the F.B.I., hovering in the background is the N.S.A., which has worked secretly for years to undermine or bypass encrypted services like Lavabit so that their electronic message scrambling cannot obstruct the agency’s spying. Earlier in September, The New York Times, ProPublica and The Guardian wrote about the N.S.A.’s campaign to weaken encryption. Mr. Levison’s case shows how law enforcement officials can use legal tools to pry open messages, no matter how well protected.

Mr. Levison said he set up Lavabit to make it impossible for outsiders, whether governments or hackers, to spy on users’ communications. He followed the government’s own secure coding guidelines, based on the N.S.A.’s technical guidance, and engineered his systems so as not to log user communications. That way, even if he received a subpoena for a user’s communications, he would not be able to gain access to them. For added measure, he gave customers the option to pay extra to encrypt their e-mail and passwords.

Mr. Levison, who studied politics and computer science at Southern Methodist University, started Lavabit in April 2004, the same month Google rolled out Gmail. To pay his bills, he worked as a Web consultant, helping develop Web sites for major brands like Dr Pepper, Nokia and Adidas. But by 2010, the e-mail service had attracted enough paying customers to allow Mr. Levison to turn to Lavabit full time.

The agent did not mention at first who the government was pursuing, and Mr. Levison will not name the targets of the government’s investigation. The name was redacted from the court order unsealed Wednesday, but the offenses listed are violations of the Espionage Act, and the timing of the government’s case coincides with its leak investigation into Mr. Snowden, which began in May when he fled Hawaii for Hong Kong carrying laptops containing thousands of classified documents.

By then, Mr. Snowden’s Lavabit e-mail address was already public. He had listed his personal Lavabit e-mail address in January 2010, and was still using a Lavabit address this July, when he summoned reporters to a news conference at the Moscow airport.

That e-mail invitation proved to be an unintended endorsement for Lavabit’s security. Before that, Mr. Levison said that, on average, Lavabit was signing up 200 new users daily. In the days after Mr. Snowden’s e-mail, more than 4,000 new customers joined each day.

But a month before the news conference, court documents show, Mr. Levison had already received a subpoena for Mr. Snowden’s encrypted e-mail account. The government was particularly interested in his e-mail metadata — with whom Mr. Snowden was communicating, when and from where. The order, from the Federal District Court in Alexandria, Va., required Mr. Levison to log Mr. Snowden’s account information and provide the F.B.I. with “technical assistance,” which agents told him meant handing over the private encryption keys, technically called SSL certificates, that unlock communications for all users, he said.

“It was the equivalent of asking Coca-Cola to hand over its secret formula,” Mr. Levison said.

By July, he said, he had 410,000 registered users. Similar services like Hushmail, a Canadian encrypted e-mail service, had lost users in 2007 after court documents revealed that the company had handed 12 CDs’ worth of decoded e-mails from three Hushmail accounts to American law enforcement officials through a mutual assistance treaty.

“The whole concept of the Internet was built on the idea that companies can keep their own keys,” Mr. Levison said. He told the agents that he would need their request for his encryption keys in writing.

A redacted version of that request, which was among the 23 documents that were unsealed, shows that the court issued an order July 16 for Lavabit’s encryption keys. Prosecutors said they had no intention of collecting any information on Lavabit’s 400,000 other customers. “There’s no agents looking through the 400,000 other bits of information, customers, whatever,” Jim Trump, one of the prosecutors, said at a closed Aug. 1 hearing.

But Mr. Levison said he spent much of the following day thinking of a compromise. He would log the target’s communications, unscramble them with the encryption keys and upload them to a government server once a day. The F.B.I. told him that was not enough. It needed his target’s communications “in real time,” he said.

“How as a small business do you hire the lawyers to appeal this and change public opinion to get the laws changed when Congress doesn’t even know what is going on?” Mr. Levison said.

When it was clear Mr. Levison had no choice but to comply, he devised a way to obey the order but make the government’s intrusion more arduous. On Aug 2, he infuriated agents by printing the encryption keys — long strings of seemingly random numbers — on paper in a font he believed would be hard to scan and turn into a usable digital format. Indeed, prosecutors described the file as “largely illegible.”

On Aug. 5, Judge Claude M. Hilton ordered a $5,000-a-day fine until Mr. Levison produced the keys in electronic form. Mr. Levison’s lawyer, Jesse R. Binnall, appealed both the order to turn over the keys and the fine.

After two days, Mr. Levison gave in, turning over the digital keys — and simultaneously closing his e-mail service, apologizing to customers on his site. That double maneuver, a prosecutor later told his lawyer, fell just short of a criminal act.

He hopes to resurrect the business he spent a decade building. “This wasn’t about one person,” Mr. Levison said. “This was about the lengths our government was willing to go to conduct Internet surveillance on one person.””

————————————————————–

Douglas McNabb – McNabb Associates, P.C.’s
Federal Criminal Defense Attorneys Videos:

Federal Crimes – Be Careful

Federal Crimes – Be Proactive

Federal Crimes – Federal Indictment

Federal Crimes – Detention Hearing

Federal Crimes – Appeal

————————————————————–

To find additional federal criminal news, please read Federal Criminal Defense Daily.

Douglas McNabb and other members of the U.S. law firm practice and write and/or report extensively on matters involving Federal Criminal Defense, INTERPOL Red Notice Removal, International Extradition Defense, OFAC SDN Sanctions Removal, International Criminal Court Defense, and US Seizure of Non-Resident, Foreign-Owned Assets. Because we have experience dealing with INTERPOL, our firm understands the inter-relationship that INTERPOL’s “Red Notice” brings to this equation.

The author of this blog is Douglas C. McNabb. Please feel free to contact him directly at mcnabb@mcnabbassociates.com or at one of the offices listed above.



“N.S.A. Experiment Traced U.S. Cellphone Locations”

October 3, 2013

The New York Times on October 2, 2013 released the following:

By CHARLIE SAVAGE

“WASHINGTON — The National Security Agency in 2010 and 2011 conducted a secret pilot project to test the collection of bulk data about the location of Americans’ cellphones, but the agency ultimately decided against putting such a program into play for now, according to intelligence officials.

The existence of the pilot project, which has not previously been reported, was recently declassified by James R. Clapper, the director of national intelligence, but it has not been publicly disclosed. It was outlined in a draft answer obtained by The New York Times and written for Mr. Clapper to read at a Senate Judiciary Committee hearing on Wednesday if he is asked about the topic.

The answer is one paragraph long and contains scant details. It says that the N.S.A. does not currently collect locational information under Section 215 of the Patriot Act, the provision that forms the asserted legal basis of its once-secret program that is collecting logs of all domestic phone calls from telephone companies.

“In 2010 and 2011 N.S.A. received samples in order to test the ability of its systems to handle the data format, but that data was not used for any other purpose and was never available for intelligence analysis purposes,” the draft answer says, adding that the N.S.A. has promised to notify Congress and seek the approval of a secret surveillance court in the future before any locational data was collected using Section 215.

An official familiar with the test project said its purpose was to see how the locational data would flow into the N.S.A.’s systems. While real data was used, it was never queried as part of any investigation, the official said. It was unclear how many Americans’ locational data was ingested as part of the project or whether the N.S.A. has held onto that information.

But Senator Ron Wyden, an Oregon Democrat who receives classified briefings as a member of the Intelligence Committee and who has raised oblique concerns about cellphone location tracking, said in a statement on Wednesday that there was more to know about the matter than the government has declassified.

“After years of stonewalling on whether the government has ever tracked or planned to track the location of law-abiding Americans through their cellphones, once again, the intelligence leadership has decided to leave most of the real story secret — even when the truth would not compromise national security,” Mr. Wyden said.

Questions about what, if anything, the N.S.A. has been doing in the bulk tracking of Americans’ movements using cell-site location data have been simmering for several years. The issue flared again last week following an ambiguous exchange between Mr. Wyden and Gen. Keith B. Alexander, the director of the N.S.A., at a Senate Intelligence Committee hearing.

Mr. Wyden has been a critic of domestic surveillance programs and filed legislation in 2011 and again this year that would require warrants for obtaining someone’s locational data for a criminal investigation, while leaving ambiguous whether a similar step was also necessary in the context of a national security investigation. It is unclear what prompted his concerns.

At the hearing, he asked Mr. Alexander “whether the N.S.A. has ever collected or made any plans to collect Americans’ cell-site information in bulk.”

General Alexander replied that the N.S.A. “is not receiving cell-site location data and has no current plans to do so” under Section 215 of the Patriot Act, which allows the secret surveillance court to issue orders for records from businesses — like telephone companies — if the records are “relevant” to an intelligence investigation.

But General Alexander also said there was other classified information that the N.S.A. had sent to the committee in July, in response to a written version of the same question, that provided “additional detail” responsive to the issue.

It is legally unclear whether long-term tracking of people’s locations and movements by the government raises privacy rights under the Fourth Amendment. In a 1979 case involving small-scale collection of “metadata” about telephone calls — information related to the calls, like the number dialed and the duration, but not the contents of the communications — the Supreme Court ruled that such records were not protected by the Constitution because people have already revealed the existence of their calls to telephone companies and so have no reasonable expectation of privacy.

But in 2012, the court ruled that the police’s use of a G.P.S. tracker attached to a suspect’s car violated Fourth Amendment privacy rights. The case turned on the fact that the police had to trespass on the suspect’s property to attach the device, but five justices separately suggested that any long-term, automated collection of a person’s public movements might raise Fourth Amendment issues.”

————————————————————–

Douglas McNabb – McNabb Associates, P.C.’s
Federal Criminal Defense Attorneys Videos:

Federal Crimes – Be Careful

Federal Crimes – Be Proactive

Federal Crimes – Federal Indictment

Federal Crimes – Detention Hearing

Federal Mail Fraud Crimes

Federal Crimes – Appeal

————————————————————–

To find additional federal criminal news, please read Federal Criminal Defense Daily.

Douglas McNabb and other members of the U.S. law firm practice and write and/or report extensively on matters involving Federal Criminal Defense, INTERPOL Red Notice Removal, International Extradition Defense, OFAC SDN Sanctions Removal, International Criminal Court Defense, and US Seizure of Non-Resident, Foreign-Owned Assets. Because we have experience dealing with INTERPOL, our firm understands the inter-relationship that INTERPOL’s “Red Notice” brings to this equation.

The author of this blog is Douglas C. McNabb. Please feel free to contact him directly at mcnabb@mcnabbassociates.com or at one of the offices listed above.