Under Lock & Key

While news of online spying by the U.$. government is growing, a court case may provide even broader access for government agencies. This case involves Lavabit, the former email provider for MIM(Prisons). On January 28, the owner of Lavabit went to court to appeal the contempt of court ruling against the company for failing to hand over encryption keys to his email service. The 4th US Circuit Court of Appeals has not yet rendered a verdict, but it will have significant implications on what the government can demand of email providers in the future. This case revolves around the Lavabit SSL keys. These keys were used to decrypt incoming traffic from Lavabit users accessing via an encrypted connection. If Lavabit had given up the keys before shutting down their operation, the government could capture every users password next time they logged in and have full access to their email.

Last June Lavabit was ordered to give the government a live feed of email activity for a specific account. People generally assume this was Edward Snowden's account based on court filing information that refers to his violations of the Espionage Act and theft of government property. Lavabit founder Lader Levison offered to transmit the information requested after 60 days, claiming he needed time to reprogram his system to collect the information. We can't be sure what Levison would have ultimately handed over, but this is further evidence that users can not rely on their email providers for security. In fact, in court Lavabit's attorney claims that Levison had complied with at least one similar court order in the past.(1)

In July, after Levison's delay, the FBI served Levison with a search warrant demanding the private SSL keys that would enable them to decrypt all traffic to and from the site. The government promised to only use the keys for the individual targeted and said they would not spy on the other 410,000 Lavabit users.(2)

The FBI had already begun collecting encrypted data from Lavabit's upstream provider in anticipation of getting the key to decrypt it, and they still have this data.(2) If the government has the SSL keys, all emails for an unknown period of time for all users on the Lavabit email system are in the hands of the government.

After an August 1 court order upholding the government's demand for the Lavabit SSL keys, Levison did turn them over, but as an 11 page printout in 4-point type.(1) This was clearly an attempt to comply in form without making the key usable, or at least delaying its usability. But in spite of the paper form, the government now has the Lavabit SSL keys, all they need to do is manually enter the 2,560 characters. While tedious, this is certainly doable and we think it likely that they quickly completed this work.

The government responded to the printout by demanding an electronic format and on August 6 began fining Levison $5,000 per day until he complied with the FBI's order. Levison shut down Lavabit altogether on August 8.(2)

Although the government and the appellate court Judge hearing the case both claim the SSL keys could not be used for anything other than the individual target in question, the search warrant and sanctions order both place no restrictions on what can be done with the key.(2) Not that we think the government complies with these sorts of formalities anyway.