Unsealed docs show what really happened with Lavabit

Now that the court documents have been unsealed, there's no need to guess whether Lavabit shut down because of Edward Snowden.
Written by Michael Lee, Contributor

In August, Lavabit, a secure email provider that happened to have whistleblower Edward Snowden as a customer, shut down in a cryptic manner. The company's owner and operator Ladar Levison bid the internet goodbye, saying that he had made the decision because it would otherwise mean becoming "complicit in crimes against the American people".

At the time, Levison said he wished that he could "legally share with you the events that led to my decision", but could not.

Many people, including ZDNet's Ed Bott, speculated that rather than allowing the US government to read Snowden's email, and thus compromise his business, Levison chose to shut it down.

Documents unsealed in Lavabit's appeal process against the US show that this was essentially the case, as the US government had ordered Lavabit to hand over its SSL keys.

The formerly sealed court order states: "The court determines that there is reason to believe that notification of the existence of this order will seriously jeopardize the ongoing investigation, including by giving targets an opportunity to flee or continue flight from prosecution, destroy, or tamper with evidence, change patterns of behavior, or notify confederates.

"It is further ordered that Lavabit LLC shall not disclose the existence of the application of the United States, or the existence of this order of the court ... to any other person, unless and until otherwise authorized to do so by the court."

Wired has the complete document set on its website, the first of which is dated June 10, 2013.

The documents show that the US government sought to force Lavabit to install a "pen register and the use of a trap and trace device" on a particular email account. The address is redacted in the documents, but it is believed to belong to Edward Snowden.

They also show that the FBI, which Levison was meant to assist, repeatedly visited him at his home. Levison did attempt to fight back in what little way he could, stating that he would refuse to turn up to court unless the government paid for his travel expenses. It did.

Levison later attempted to delay the process, stating that he could comply with the installation of the pen register, but only after 60 days and only if the government paid him $2,000 for "developmental time and equipment" and an additional $1,500 if the government wanted data more frequently than 60 days. He claimed that the cost of reissuing SSL certificates would be $2,000.

The SSL certificates are key to making any information useful. Levison appears to be aware of this, even conceding to the installation of the pen register device if he can get some of the documents unsealed and in front of the the public eye.

Levison's defence against handing over the SSL keys was that all of his customers' privacy will be affected if he did. The US government counter-argued that its collection of data is limited specifically to the email account in question due to the Wiretap Act and the Pen-Trap act.

The documents draw a parallel to an apartment building:

"Compelling the owner of an apartment building to unlock the building's front door so that agents can search one apartment is not a 'general search' of the entire apartment building — even if the building owner imagines that undisciplined agents will illegally kick down the doors to apartments not described in the warrant."

Though this may legally be the case, it would technically have enough information to examine any account.

Understanding that the US government is not taking no for an answer, Levison offered an alternative: Redeveloping his platform so that individual users are protected, even if he gives up his SSL keys, thus providing information on one account. He estimated that it will take 20 to 40 hours to do so.

This arrangement was refused by the US government, its legal counsel stating that "he's had every opportunity to propose solutions to come up with ways to address his concerns and he simply hasn't".

In a last-ditch effort, Levison gave the FBI a print-out of the encryption keys that it needed, but printed out over 11 pages in 4-point type, described by the court as "largely illegible". When this was not accepted, Levison was ordered to provide the keys on a CD and face fines of $5,000 per day.

Lavabit shut down two days later.

Editorial standards