Ladar Levison, founder of secure email provider Lavabit, has posted a Facebook message detailing his current situation regarding the shutdown of the service. “I simply couldn’t operate Lavabit while my lawyers appealed the demand for our [Lavabit’s] encryption keys without the government agreeing to provide the transparency demanded by my conscience. The ethical implications ultimately prompted my decision to suspend the [Lavabit] service,” he wrote in a post describing the lengths to which the US government wanted to go to police his secure email provider.
In short, the government wanted far more data than Levison had any cause to give, resulting in a showdown that has destroyed his livelihood.
Most amusing, however, is how Levison trolled investigators. After investigators asked Levison for the site’s private SSH keys, he printed an 11-page list in four-point type, something the government called “illegible.”
“Moreover, each of the five encryption keys contains 512 individual characters – or a total of 2,560 characters,” wrote prosecutors. “To make use of these keys, the FBI would have to manually input all 2560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data.”
Sadly, Snowden’s fondness for Lavabit is what led to its downfall. As soon as Edward Snowden went public, Feds filed a “pen register” to grab “information about each communication sent or received by the account, including the date and time of the communication, the method of communication, and the source and destination of the communication” of a specific individual. This data, termed “metadata” by the feds, could only be related to one customer of the site. However, in a supreme bit of overreach, the government went on to ask for the keys to the Lavabit security system.
The site, while massively important, didn’t seem to be extremely popular. Before it was suspended in August, Lavabit provided email accounts for 410,000 registered users, and 10,000 of those paid up to $16 a year for encrypted email storage. While there are many alternate solutions – MyKolab seems to be the most popular these days – it also seems important for folks to use PGP signing and encryption on their private emails as a matter of habit and depend far less on the security of cloud providers. Given that Tweets are now considered property of the company that hosts them and not the writer, all cloud services are suspect.
Fans of the service have gathered together to help fund Lavabit’s defense. You can read the unsealed complaint below.