Completely private email is not legal and shouldn't be
Ladar Levison may have shut down his secure email service Lavabit, but he's not giving up yet.
In August, Levison found himself in the way of the US Department of Justice's prosecution of NSA leaker Edward Snowden. Lavabit email is strongly encrypted. DoJ subpoenaed Lavabit's private SSL encryption key to allow them to monitor Snowden's communications and the court issued a gag order to Lavabit.
Levison resisted, but finally, under a contempt order from the court and the threat of $5000 a day fines he shut down Lavabit rather than allow the government to read his users' email.
Now Levison has appealed the contempt order and subpoena to the US Court of Appeals for the Fourth Circuit. His arguments are weak. Even beyond any legal determination, his claims are unreasonable and he should lose the case.
Levison's argument boils down to a claim of legal privilege for his users' communications from proper requests from law enforcement. Why? Because he thinks so.
When considering this question, I think it's important to look at in the abstract and separate from the details of the Edward Snowden case. Everyone has their opinions on whether what Snowden did was right and whether he's a traitor or a hero or something else.
Here's the real question: when the government convinces a judge that it is necessary in order to prosecute a criminal case, and the judge issues a search warrant, should the government be allowed to compel an ISP (consider Lavabit an ISP in this sense) to do what is necessary to grant access to information?
As a general matter, the government obviously has access to this information with very few legally-recognized exceptions (doctor-patient, priest-penitent, spousal; maybe there are others, those are just the ones I know from Law & Order). "I think people should be able to communicate in absolute privacy" is not a reasonable principle; it's a recipe for crippling law enforcement. The constitution doesn't forbid all searches of private communications, just "unreasonable searches and seizures."
There's one additional point at issue here: Because the site had a single SSL certificate, Lavabit couldn't just expose Snowden's communications. They would have to expose all his users' communications. In fact, it appears that Levison was willing to give access to just Snowden's communications, but his system didn't allow it. This isn't unusual in the world of law enforcement. When exercising a search warrant or a wiretap, officers often necessarily see materials not covered by the warrant. he rule is that they have to ignore those materials.
Yes, it's reasonable to wonder whether the FBI really would limit themselves to Snowden's communications, and for Lavabit it was an especially important question. Without question, a large number of Lavabit's users had something to hide.
This problem was not the government's problem. They needed access to the information and they reasonably needed it ASAP. The government turned down Levison's offer to reengineer his software to allow a Snowden-only monitor because a) it wasn't reasonable to make them wait and b) his estimate that it would take 20-40 hours couldn't be relied on.
If the government had come to Levison looking for communications of a kidnapper holding a child for ransom, would he have resisted in the same way? Would his resistance have generated any sympathy?
Over at The Volokh Conspiracy, George Washington University Law School Professor Orin Kerr analyzes and doesn't think much of Levison's arguments. Levison is making three arguments:
- The government can't subpoena the key because it would be "abusive" and "oppressive"
- The Federal Pen Register statute doesn’t provide for such a subpoena
- This is two subarguments: a) The key doesn't qualify under the Stored Communications Act, and b) Under the Fourth Amendment, the key cannot be seized because it is not "evidence, contraband, fruits, or instrumentalities of crime".
Kerr says that Levison must prevail on all of three arguments. He thinks little of the 1, 2, and 3a. He calls 3b innovative and interesting, but ultimately insufficient. Computer warrants regularly seek passwords, which are in the same nature as Lavabit's SSL keys.
Lavabit's business model rested on the promise of absolute privacy. It turns out that, Levison's notions of the law being wrong, his business model can't be profferred honestly. Shutting down the service was the right thing to do after all.