In the 1980s, it wasn’t clear how the Fourth Amendment applied to data and online communications. In a traditional physical search of a home, law enforcement goes to a judge asking for permission to conduct a search. The judge then signs off on the warrant, at which point, the agents or officers can conduct the search. It’s immediately obvious to the person whose home has been ransacked that a search has actually taken place—the police almost always leave a paper copy of the warrant, providing proof that the search was legitimate and that it was executed.
However, in the digital world, things work a bit differently. Under the SCA, law enforcement sends a court order—which requires a lesser legal standard than a warrant—to a provider. Unless the request is overbroad or asks for irrelevant information, the provider is expected to comply. Also, unless the provider has a specific policy to notify users (absent being under a gag order), there’s no way for the target to know that her or his data is being targeted. Or, put another way, in the case of Snowden’s data at Lavabit, Levison couldn’t tell him that the government wanted his data—but Snowden probably figured it out anyway.
While it was popularly understood at the time that the SCA required a warrant for e-mail, the SCA imposes a warrant requirement only for unopened e-mail less than 180 days old.
This warrant requirement turned on the (outdated) question of storage: Starting with the creation of e-mail in the 1960s, messages were transmitted from one computer to another and stored locally. This was still true even into the 1980s. Given that digital storage was expensive, it was believed that there was little motivation to keep e-mails longer than necessary. So, 180 days seemed like an adequate length of time before a message was considered “abandoned”—ostensibly relinquishing the strongest of privacy interests.
The ECPA draws a distinction between “electronic computing services” (ECS) and “remote computing services” (RCS)—a line that makes no sense today. Under 18 USC 2703(d), however, “contents of any wire or electronic communication” held at an RCS are to be turned over if that data has been held for more than 180 days. At the time, it was presumed that e-mails would only be held for relatively short periods of time (days or weeks) before being transmitted to another point, hence the ECS moniker. Meanwhile, RCS, which provides remote “computer storage or processing services,” is really more about an off-site location that is contracted to perform certain tasks (such as spreadsheet-based accounting), nearly all of which can be performed today on any smartphone. This is a reference to mainframe terminals, popular at the time.
In 1991, Senator Patrick Leahy (D-Vermont), one of ECPA’s primary authors, convened a task force to examine whether the law was adequately protecting e-mail. The group found that the law was working just fine. However, the technology behind e-mail hadn’t changed much in the intervening five years.
Modern e-mail, however, works a bit differently. Since the advent of Rocket Mail (later, Yahoo Mail) and Hotmail in 1996—where e-mail messages were not downloaded to a local machine but more often viewed through a browser and messages could be kept more or less indefinitely on the remote service—and the release of Gmail in 2004 (“built on the idea that you should never have to delete mail”), the distinction between ECS and RCS has been out-of-date. The law has failed to catch up.
* * *
Somehow, due to the slowness of the United States Postal Service and/or the lagging internal mail delivery procedures at the FBI, it took roughly another two weeks for the same FBI special agents to turn up at Levison’s door again, this time with a pen/trap order, issued by the FISC.
With the pen/trap order, according to a government filing submitted in 2014, investigators could get all non-content information. That meant all the metadata (dates, times, duration of connection, to/from, and more) of a specific account.
However, Lavabit was built on the Elliptic Curve Integrated Encryption scheme, encrypting the entire message, including metadata. “Safeguards were incorporated into the system which prevented anyone, like myself, with access to the server from extracting any sensitive data from memory during processing,” Levison told me years later.
While the government could install its pen/trap device on Lavabit’s network, it would be functionally useless—all it would allow them to do would be to capture encrypted traffic. So, that’s where the “reasonable steps” portion came into play.
Lavabit had a Transport Layer Security (TLS) private key that would be able to unlock all the encrypted traffic between customers and Lavabit.
“In other words, while the data [was] theoretically available, in practice I could not access it without modifying the software. The system was intended to prevent a system administrator, like myself, from surrendering a user’s private data without their knowledge (or password). This design is what led the FBI to demand the Lavabit TLS private key.”
But that key would not only allow the government to access Snowden’s real-time traffic, but also that of all other Lavabit users. And that’s where Levison drew the line. Levison tried to explain to the agents that he wasn’t sure that the law allowed for compelled decryption on such a vast scale.
He told them, “I’m uncomfortable turning over the encryption keys. I would have to consult with a lawyer before I did anything.”
“I would say the conversation ended within 15 or 20 minutes because it had reached a dead end.”
* * *
As a child growing up in Inner Sunset, a neighborhood near Golden Gate Park, Ladar Levison spent a lot of time at the nearby California Academy of Sciences, so that he could use their fast Internet connection. Before he was 13, they even put him to work creating web pages for endangered species. He poured over 2600 magazine and even administered his own dial-up bulletin board system (BBS), a precursor to the modern chat room. In 1995, when Levison was just 14 years old, he left home without telling his parents, and boarded a bus for Las Vegas to attend the third-ever DEF CON, a well-known annual hacker convention.
On April 1, 2004, Google changed e-mail forever by offering one gigabyte of storage, far more than other competitors offered at the time. For two years, Levison had been sitting on a domain name—Nerdshack.com—that he was trying to find a creative outlet for.
When Gmail debuted, Levison, then a political science student at Southern Methodist University, was doing some contract work here and there, but he wanted to do his own thing. And from the beginning of Gmail, Levison was disturbed by the entire business model behind the free service. After all, there’s an old adage about tech companies: “If you’re not paying for the product, you are the product.” In other words, while Gmail didn’t charge users for the service, Google routinely scans all messages and sells ads against them as a way to make money.
So, Nerdshack (which would eventually change its name to Lavabit), was born.
“I didn’t like the idea that Google was going to be profiling people’s private messages for advertising,” Levison said. “I was creating the type of service that I wanted to use myself. It was developed with the type of features that I would choose to use. You have to remember, I was involved in that information security community and I wanted to build the type of service that my friends couldn’t break into.”
Early on, Levison offered TLS support, and thought user-level encryption was a way to secure himself against NSLs.
“I knew about the PATRIOT Act, I remember thinking that it was slightly too aggressive, that the pendulum had swung too far,” he said. “I didn’t know what instruments were in it and how they would be applied. The idea that the FBI would come to me with one of these NSLs—I knew I would have to pick between violating the United States Code and jail. Knowing myself, I would pick jail rather than hand over user data.”
However, Levison wasn’t an absolute opponent to government surveillance. He just was opposed to indiscriminate surveillance with inadequate oversight. In other words, as a third-party e-mail provider, he didn’t want to be in a position where he would have to give up data o
n his own customers, as the Smith decision would require.
“I wasn’t trying to end surveillance—I was trying to remove the service provider from the surveillance equation,” he said.
“In other words, I didn’t want intelligence agencies and law enforcement to be coming to us in secret and forcing us to turn over large swaths of data without being able to tell users that they were being targeted. It felt wrong to take money from customers while you were spying on them. My grandfather was in retail, he ran a series of toy stores. He taught me ‘the customer is always right.’ How could the customer be right if you were spying on them for somebody else?”
* * *
E-mail works in multiple steps. The first step is you, the author of the e-mail, have to write a message. When you sit down at your computer (or tap at your smartphone), type out a message to someone, and press send, the first thing that has to happen is that your device has to establish a connection to your mail server (Gmail, Lavabit, or whatever). There are two primary types of security protocols that are used to encrypt e-mails.
The security protocol known as TLS (or as it was previously known, Secure Sockets Layer [SSL]) creates a cryptographically secure link to that server. It’s a type of encryption that only protects messages in transit. The e-mail provider then has to figure out to what server to send the message. If you use Gmail and you’re sending a message to Lavabit, then Gmail’s servers have to talk to Lavabit’s servers and deliver the message. However, as of June 2013, very few major e-mail providers were employing TLS.
PGP (Pretty Good Privacy), by contrast, uses a much more cumbersome method to encrypt messages from end to end, and doesn’t rely on what the mail server is or isn’t doing. It requires that both parties on either side have a PGP key and have previously exchanged them (or looked them up on a public key server). PGP is notoriously difficult to set up and use regularly, particularly on a mobile device. The overwhelming majority of e-mail users do not encrypt their messages this way. PGP protects messages from the moment that they are sent to the moment that they are received, both in transit and at rest.
By coincidence, prior to the FBI showing up at his door, Levison wrote to his customers that protecting their e-mail from the strongest of adversaries, the United States government, with TLS was difficult.
We should note that this encryption process is only secure if you select a strong password. If your password is weak, an attacker would only need to brute force the password to crack our encryption. We should also note that this feature only protects messages on the Lavabit servers. Messages can always be intercepted before they reach Lavabit or between Lavabit’s servers and your personal computer, if SSL is not used. Finally, messages can be retrieved from your local hard drive if encryption software isn’t used on your computer to protect the files. These vulnerabilities are intentional. Our goal was to make invading a user’s privacy difficult, by protecting messages at their most vulnerable point. That doesn’t mean a dedicated attacker, like the United States government, couldn’t intercept the message in transit or once it reaches your computer.
* * *
When Levison refused to comply with the June 28, 2013, order that the FBI agents presented him with, he began looking for a lawyer. His first call was to the Electronic Frontier Foundation, who eventually referred him to Marcia Hofmann, a well-known San Francisco attorney who specializes in computer crime law. Levison hired her as his attorney on July 8.
On July 9, Levison received a formal court summons to appear before US District Judge Claude Hilton on July 16, 2013, in Virginia, to explain why he had not complied with the June 28 order. As Hofmann was not admitted to the bar in Virginia, she could no longer represent him—she was only his counsel for two days.
With what he later described as a “limited budget of $10,000,” Levison quickly set out to find Virginia lawyers who were familiar with this element of the law. But as his entire case remained under seal, he could not even publicly say that he was looking for such an attorney, much less why. After interviewing over a dozen attorneys, none of whom he found satisfactory, Levison was forced to appear pro se, or on his own behalf, which put him at a significant disadvantage.
Within days, Levison did find a Fairfax, Virginia, attorney, Jesse Binnall, who promptly asked the court to unseal the case and “quash” the warrant that required the installation of the pen/trap device and the furnishing of the SSL keys to make it usable, likening what the government was asking for to an eighteenth-century-style general warrant, which the Founders abhorred.
For its part, prosecutors countered that all the pen register order allowed it to do, and all it was going to do, was to obtain metadata for Snowden’s account.
“It cannot be that a search warrant is ‘general’ merely because it gives the government a tool that, if abused, contrary to law, could constitute a general search,” Neil MacBride, the US attorney for the Eastern District of Virginia, wrote in a filing to the court.
In other words, the government was authorized to take any and all lawful measures to meaningfully impose the pen/trap device on Lavabit’s servers as a way to get access to Snowden’s metadata—even if that meant capturing traffic on every other user. In a sense, it really boiled down to whether or not one felt that the government could be trusted with so much information that it promised not to examine.
Levison was skeptical of the government’s behavior, and thought that what was being asked of him was a step too far—his fears would later be confirmed by the Edward Snowden documents. Meanwhile, the Department of Justice (DOJ) and FBI clearly felt that they were wholly trustworthy and would not overstep their bounds.
On August 1, 2013, Levison was ordered to provide his TLS keys to the FBI in Dallas by 5 PM CT on Friday, August 2. At 1:30 PM, Levison went to that office in person and handed over several keys: 11 pages of text in 4-point font, which prosecutors later described as “largely illegible.”
“It seemed only natural to turn that over,” he said. “I figured at that point, they had been coming after me for six weeks, the least they could do is spend the weekend typing in the encryption keys.”
But really, it was a ruse to buy himself more time to shut down the entire service. Levison had made a quiet deal with himself that were he to be ordered to hand over the TLS keys, he would rather commit digital hara-kiri than compromise his users’ privacy. During this whole period, he had ordered a slew of portable hard drives that could be used to backup the software that had powered the Lavabit system.
On Monday, August 5, prosecutors were livid about the format the encryption keys had been delivered in. They went back to court, and successfully got an ex parte court order demanding that Levison provide them in a usable, electronic format, by that same day at 12 PM CT, or he would face a contempt of court order and a fine of $5,000 per day.
After being served with the order the following day, Levison went to play volleyball, had a beer, and began contemplating the onerous task that lay ahead of him. He went home, took a shower, and then headed to his Dallas data center, and began moving all of Lavabit’s data onto the portable drives. Working all night, his last action was to copy the SSL keys to a CD (as the FBI had requested) and then deleted everything on the Lavabit servers.
On August 7, he drove the five miles up the road to the FBI Field Office, handed over the CD, drove home, put up a brief announcement on his website that Lavabit had shut down—he still couldn’t say why, as the case remained under seal—and went to sleep.
As he wrote:
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on—the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress ha
s passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
Days later, on August 13, appearing on Democracy Now with his lawyer at his side, Levison was cagey. “I was faced with the choice of watching it suffer or putting it to sleep quietly,” he said, still staying quiet as to why.
The government could have attempted to collect the $10,000 for missing the deadline by two days, but it didn’t. Levison remained a free man, albeit a man without a business.
Levison appealed up to the 4th US Circuit Court of Appeals, and ultimately lost in April 2014, largely on procedural grounds—the court didn’t even address the heart of Levison’s argument, that the order to disclose the SSL keys was overbroad.
“Even though I expected to get arrested, I was careful in my actions,” Levison said later.
“I positioned myself legally and politically such that it would be difficult for them to pursue me. They would have had to convince a jury that I have an obligation to operate a service strictly for their surveillance needs. That I don’t have the right to shut down my own business.”
* * *
The story of Lavabit is in some ways a prelude to the “FBI v. Apple” showdown of 2016. It illustrates the lengths to which the government is willing to go to obtain e-mail information, and how difficult e-mail is to protect—even though, to most of us, it feels like one of the most private forms of communication that we have.
Habeas Data Page 18