Snowden’s email provider Lavabit loses federal appeal
Wednesday’s decision out of the United States Court of Appeals for the Fourth Circuit affirms a judge’s ruling from last summer in which Lavabit owner Ladar Levison was found to be in civil contempt for failing to immediately adhere to the government’s demands for info on a single user amongst his email service’s 400,000 or so customers.
Levison of Dallas, Texas was compelled last June to install a pen/trap device on his servers to collect information about an unnamed Lavabit subscriber widely presumed to be former National Security Agency contractor Edward Snowden, but refused to cooperate at first because he said that supplying the government with the court-ordered data in a decrypted form as requested would have compromised his security-centric internet business and the privacy of its nearly a-half million customers.
According to Levison, supplying investigators with the secure socket layer, or SSL, keys that encrypted and decrypted all traffic coming in and out of his site was the only way to provide the government with the data pertaining to the one user in question. After weeks of legal back-and-forth with the Department of Justice last summer, Levison suggested that he personally log and decrypt the sought-after information himself and deliver it to the government. Federal agents insisted that they needed real-time access to communications, however, and moved that he be charged with civil contempt for failing to provide the assistance necessary to decipher those messages.
Levison ultimately supplied the requested SSL keys, but only after six weeks of disputes in and out of court that ended on August 5, 2013 with the government asking for sanctions due to his continuing failure to comply with their orders. Almost perfectly in concurrence with the surrendering of those keys, Levison shut down Lavabit and issued a statement saying that continuing to provide his service would make him “complicit in crimes against Americans.” With the matter still entirely under seal at the time, Levison was barred from even acknowledging that he had been approached by the Dept. of Justice, let alone had handed them his SSL keys.
Indeed, Judge G. Steven Agee of the Fourth US Circuit Court of Appeals wrote on Wednesday that, without the type of encryption implemented by Levison, “internet communications move exposed en route to their destination, allowing outsiders to ‘listen in.’”
“When a private key becomes anything less than private, more than one user may be compromised,” Agee agreed. “As a result, exposing one key-pair could affect all of Lavabit’s estimated 400,000-plus email users.”
Nevertheless, Agee said that the Fourth Circuit was no place for the encryption matter and its subsequent impact on the privacy of Lavabit’s customers to be heard. Instead, his three-person appellate panel affirmed the District Court’s early finding of contempt and refused to rule any further on the underlying issues largely considered to be much more important by web experts.
“As a party appealing from a civil contempt order, Lavabit may ask us to consider ‘whether contempt was proper’ and may challenge ‘the order alleged to have been violated’ unless ‘earlier appellate review was available,’” Agee wrote. Levison, however, failed to challenge the statutory authorization of the court’s request for user data, he said, and instead had argued in appeal at length about the repercussions of relinquishing SSL keys.
“There is such willingness and a desire to argue about secret keys being provided…and the government’s going to take full advantage of that and spy on everybody,” the appeals panel said during oral arguments in January,“What was ordered here was with respect to a particular target to provide unencrypted data pursuant to that order.”
“We’re only here,”one judge added during those arguments,“because of [Lavabit’s] refusal to do what the initial request was — which was the pen register. The encryption key became a red herring.”
On Wednesday, Agee all but refused to acknowledge the encryption issue. “The matter of what questions may be taken up and resolved for the first time on appeal is one left primarily to the discretion of the courts of appeals, to be exercised on the facts of individual cases,” he quoted from a precedent-setting case. "In this circuit, we exercise that discretion sparingly. Our settled rule is simple: ‘[a]bsent exceptional circumstances . . . we do not consider issues raised for the first time on appeal.”
“Lavabit tenders other reasons why we should exercise our discretion to hear its Pen/Trap Statute argument, but we find no merit in those arguments,” he added.
“It makes no difference then that Lavabit’s Pen/Trap Statute argument presents a supposedly 'pure question of law,'" Agee wrote elsewhere, “. . . or that Lavabit was unrepresented during some of the proceedings below, or that Lavabit believes this case to be one of 'public concern.'"
After Wednesday’s opinion was revealed, the attorney who argued in the Fourth Circuit against the government in January told the Associated Press that the court’s decision fell short of endorsing the government’s own conduct with regards to compelling companies to hand over user data.
"The court did not say the government's actions in this case were legal," Ian Samuel told the AP.
"This is not a decision that says the government's surveillance theories in this case are correct. It's really a story about an unrepresented litigant in closed proceedings happening,” Samuel added to Politico. “It's really a story about an unrepresented litigant in closed proceedings happening at warp speed about 1000 miles from his house understandably not raising the issues the way counsel" would have.
Brian Hauss, an attorney for the American Civil Liberties Union, agreed in a statement circulated to reporters on Wednesday that “The court focused its decision on procedural aspects of the case unrelated to the merits of Lavabit’s claims.”
“On the merits, we believe it’s clear that there are limits on the government’s power to coerce innocent service providers into its surveillance activities. The government exceeded those limits when it asked Lavabit to blow up its business—and undermine the encryption technology that ensures our collective cybersecurity—to get information that Lavabit itself offered to provide,” added Hauss. His group, the ACLU, was among several that submitted briefs to the Fourth Circuit in support of Lavabit ahead of January’s arguments.
By Wednesday afternoon, neither Lavabit nor the government yet to announce if and how they would proceed with the case. Earlier this year, however, the ACLU’s Hauss told RT’s Andrew Blake that “It would be deeply troubling” if government decided to follow through with finding Levison in contempt.
“If the government were to start coercing internet service providers to fundamentally undermine their services, on pain of obstruction of justice charges, I think a lot of companies would respond by either shutting down or designing services that are effectively impossible to wiretap in any way,” he said.“That would be a tremendous waste of resources, and it would effectively prevent law enforcement from getting even the targeted information it needs to build a case. That’s why it’s so important for the government to show restraint when coercing service providers to assist in its investigations."