Open Navigation

Lavabit Founder Details Government Surveillance Of Secure Email While Documents Disclose Epic Trolling Of Feds

John Biggs 11 years

Ladar Levison, founder of secure email provider Lavabit, has posted a Facebook message detailing his current situation in regards to the shutdown of the service. “I simply couldn’t operate Lavabit while my lawyers appealed the demand for our [Lavabit’s] encryption keys without the government agreeing to provide the transparency demanded by my conscience. The ethical implications ultimately prompted my decision to suspend the [Lavabit] service,” he wrote in a post describing the lengths to which the US government wanted to go to police his secure email provider.

Lavabit was created so every law-abiding citizen has access to a secure and private email service. During an investigation into several Lavabit user accounts, the federal government demanded both unfettered access to all user communications and a copy of the Lavabit encryption keys used to secure web, instant message and email traffic. After having a motion to quash the search warrant was denied by Judge Claude Hilton of the U.S. District Court for the Eastern District of Virginia. Notably Judge Hilton served on the FISA Court from 2000 through 2007. Judge Hilton subsequently issued a $5,000 per day contempt of court citation thus forcing Lavabit to surrender their encryption keys. Ladar Levison, the owner and operator of Lavabit, then made the difficult decision to suspend operations and “limit the damage to user’s 4th amendment right to privacy.”Lavabit maintains that the government had no legal basis for demanding it’s confidential information, namely passwords, encryption keys and source code. That providing such information to the federal government would allow investigators to access sensitive information including passwords, credit card transactions, email messages and instant messages. The government would have also been able to detect and record IP addresses, thereby allowing them to track and record the physical location of users as they accessed Lavabit’s services. This access far exceeded the authority given to investigators by the pen trap and trace laws enacted by Congress. Under the law the government only had the legal right to collect metadata associated with the accounts under investigation. Mr. Levison felt that providing such access to the government would have been in direct conflict with the promise of privacy that Lavabit made with its users and “would have violated the 4th amendment rights of people not involved with an investigation.”

In short, the government wanted far more data than Levison had any cause to give, resulting in a showdown that has destroyed his livelihood.

Most amusing, however, is how Levison trolled investigators. After investigators asked Levison for the site’s private SSH keys, he printed an 11-page list in four-point type, something the government called “illegible.”

“Moreover, each of the five encryption keys contains 512 individual characters – or a total of 2,560 characters,” wrote prosecutors. “To make use of these keys, the FBI would have to manually input all 2560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data.”

Sadly Snowden’s fondness for Lavabit is what led to its downfall. As soon as Edward Snowden went public, Feds filed a “pen register” to grab “information about each communication sent or received by the account, including the date and time of the communication, the method of communication, and the source and destination of the communication” of a specific individual. This data, termed “metadata” by the feds, could only be related to one customer of the site. However, in a supreme bit of overreach the government went on to ask for the keys to the Lavabit security system.

The site, while massively important, didn’t seem to be extremely popular. Before it was suspended in August Lavabit provided email accounts for 410,000 registered users and 10,000 of those paid up to $16 a year for encrypted email storage. While there are many alternate solutions – MyKolab seems to be the most popular these days – it also seems important for folks to use PGP signing and encryption on their private emails as a matter of habit and depend far less on the security of cloud providers. Given that Tweets are now considered property of the company that hosts them and not the writer, all cloud services are suspect.

Fans of the service have gathered together to help fund Lavabit’s defense. You can read the unsealed complaint below.