13 Nov, 2013 15:21

Justice department dismisses ‘parade of hypotheticals’ in Lavabit case

The US government dismissed Lavabit’s parade of ‘hypotheticals’ in a DOJ legal brief filed in federal court. The government stands by its right to obtain unfettered access to encrypted email services in the potentially landmark surveillance case.

The Department of Justice’s (DOJ) 60-page appellate brief defended the government’s use of a search warrant and grand jury subpoena to obtain Lavabit’s Secure Sockets Layer (SSL) keys. SSL is a set of cryptographic protocols that provide for secure communications over the Internet.

The government implicitly admonished the email provider’s founder, Ladar Levison, for trammeling the FBI’s surveillance activities by effectively scuttling access to the target, widely believed to be NSA whistleblower Edward Snowden.

“Mr. Levison alerted all of Lavabit’s users, including the target of the investigation, that Lavabit was engaged in litigation with the government and that, rather than comply with the court’s orders, he decided to shut down his business,” the DOJ said in the brief.

The government also repudiated what it called a "parade of hypotheticals" regarding potential government abuse that was used to justify not complying with the lawful order.

"Were a government officer to do as Lavabit fears and 'rummage' through other users' communications without authorization, that would be a crime,” the DOJ wrote.

The Justice Department remained firm in its position that an Internet service provider can be compelled to turn over SSL keys granting access to its entire system, even if law enforcement intends to surveil one single user.

“Just as a business cannot prevent the execution of a search warrant by locking its front gate, an electronic communications service provider cannot thwart court-ordered electronic surveillance by refusing to provide necessary information about its systems,” the brief read.

Crucially, the government argues: “That other information not subject to the warrant was encrypted using the same set of keys is irrelevant; the only user data the court permitted the government to obtain was the data described in the pen/trap order and the search warrant. All other data would be filtered electronically, without reaching any human eye.”

The government brief further states that Lavabit’s business model does not supplant the law, and therefore marketing one’s business as ‘secure’ “does not give one license to ignore a District Court of the United States.”

Lavabit lost a court argument challenging a July 16 government order to hand over the encryption keys, which would have given the government access to all 400,000 of its users. The US District Court for the Eastern District of Virginia ordered the firm to provide the SSL key in machine-readable format by August 5 or face a fine of $5,000 per day. Levison ultimately complied with the search warrant after accruing $10,000 in fines, only to close Lavabit down and stymie any further efforts at surveillance.

In October, Levison filed a brief in the 4th US Circuit Court of Appeals, arguing that the pen register statute – which originally focused on telephony metadata but not content – does not authorize the government to seize an email service’s encryption keys, and neither does the Stored Communications Act.

The government has interpreted the law as granting them access to internet metadata including user log-in information, as well as the date, time, and duration of email transmissions.

Lavabit's appeal further stated that the Fourth Amendment forbids the seizure of its SSL keys, and protects against accessing its customers' data. Levison is also seeking to recoup the $10,000 penalty charge.

The Justice Department argued that most of Levison’s arguments should not be considered as they were not raised in the lower court.

Lavabit first entered the media spotlight when it revealed in July that Snowden was using the company’s encrypted email service. Kevin Poulsen of Wired earlier wrote that “the timing and circumstances” of the original court order asking for information about an unknown customer suggest that “Snowden” was the customer.

Somewhat ironically, on Wednesday, Wired pointed out that some of the NSA documents leaked by Snowden revealed that the agency had collected SSL-encrypted data in bulk with the expectation of eventually gaining access to the private key to retroactively decrypt the information.

It remains unknown if the NSA engaged in dragnet collection activities against Lavabit.