Lavabit: the e-mail service risking everything in the fight for transparencyMonday, October 14, 2013 at 10:00 am by Sarah Berlin
For the past five months, an encrypted e-mail service called Lavabit has been locked in a mostly secret fight with the government over transparency and user privacy. Lavar Levison created Lavabit in 2004 to provide a higher level of privacy to its users than other popular e-mail hosts like Gmail. The FBI contacted Levison in May of 2013, seeking data about a particular user of Lavabit. Without knowing the target of the investigation, Levison explained how his encryption system works and the agents left. They returned at the end of June, right after Edward Snowden used a Lavabit account to call a press conference in Moscow, making it increasingly clear that the individual in question was the high-profile NSA whistleblower.
This time the agents came with a pen-register order, which enables the government to track metadata, usually through placing a listening device on phones or gaining access to a network. The order demanded that Levison hand over not just the information about this one user, but the passwords, encryption key, and computer code that would give the FBI access to the the entire service and all of its users’ communications. Despite Levison’s insistence, the FBI refused to provide any transparency measures to ensure that they would not examine the other users’ data.
He was disturbed by the lengths the government would go to in gathering intelligence on one person and concerned about protecting his users’ privacy. He initially refused to give up the encryption key and as a result, had to testify at a Grand Jury in Virginia. He eventually gave the court a paper copy of the key, temporarily stymying the request because the FBI would need to manually input the 2,560 character code. The court fined him $10,000 for this action and threatened to arrest him for speaking out in spite of the gag order the court had placed on him. On August 8, Levison shut down Lavabit rather than allow an unconstitutional invasion into his user’s privacy. On his site, he posted a letter stating,
I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations.
This case is remarkable for several reasons, first and foremost being that the public knows about it. Levison has been able to speak about some aspects of his case since the court order was unsealed last week. However, Levison still cannot confirm the subject of the investigation or whether the government sent him a National Security Letter, a type of request sanctioned by the Patriot Act that does not require judicial review and often imposes a gag-order on the recipient. The fact that Levison can talk about any of this is incredible given that only three National Security Letter recipients who challenged their order have been able to talk about what happened.
It is also notable that Levison fought the FBI’s request and has held firm in his refusal to hand over information that would endanger his users’ privacy and betray the trust they placed in his company. Levison shut down his whole business rather than comply. He is now filing an appeal through the Fourth Circuit Court of Appeals in the hopes of reopening Lavabit. These actions are significant feats given that Lavabit was a relatively small business when this started and did not have the substantial funds required to pursue an appeal. It is frightening for individuals and businesses who receive NSL’s or other similar requests, and the government counts on the fact that their fear will outweigh their outrage.
Finally, the FBI’s vehement pursuit of Lavabit user data indicates the type of complete access to information the government is trying to establish. Data on the target of an investigation is not enough; the government wants data on everyone. Levison contends that even if he had not been hosting Snowden’s e-mail account, it was only a matter of time until the government came after him. His site’s encryption, intended to protect users from invasions like this, “constitutes a gap” in the government’s intelligence, one it is determined to fill. More details will emerge in the coming weeks as Levison’s appeal moves forward, which may reveal whether there are in fact limits to what the government can ask of us.