Lavabit Tried to Hand Over Encryption Keys in a Tiny Font, But It Didn't Work

The secure email service lost its contempt of court appeal in what all boiled down to a procedural point.
Image: Flickr/Gage Skidmore

On Wednesday, Lavabit, Edward Snowden’s secure email service of choice, lost its appeal against an earlier ruling that found company owner Ladar Levison in contempt of court for refusing to hand over secure SSL encryption keys. The fact that he kinda maybe eventually did at one point—but printed out over 11 pages in illegible 4pt font—apparently didn’t count.

Ars Technica reports that a US federal appeals court upheld the district court's contempt of court ruling mainly because of an apparent procedural error on the part of Lavabit. Basically, the court said Levison was too late with his claim that the government asked for more than it's able to. He should have brought that argument to the district court before he was found in contempt, according to Judge G. Steven Agee’s opinion, which is available in full here.

You can read more of Levison’s side of the story in this piece by Motherboard’s DJ Pangburn, but to quickly recap, the gist from the court documents is as follows: The government asked for access to the unencrypted metadata of one of Lavabit’s users in 2013, presumed to be Edward Snowden. This resulted in a tussle over the technical procedure of how to do this, and ultimately led to a warrant for Lavabit’s SSL keys.

At the time, Levison argued he couldn’t hand over the keys, because doing so would compromise all of his users’ communications, not just one person’s. As the documents explain, “When a private key becomes anything less than private, more than one user may be compromised. Like some other email providers, Lavabit used a single set of SSL keys for all its various subscribers for technological and financial reasons.”

So Levison did allow the government to set up their data-collecting device, known as a "pen/trap device," but without the keys a lot of the information gleaned was useless. On August 1, 2013, a court told Levison he had to hand over the keys by the following day, and Judge Agee wrote, “Despite the unequivocal language of the August 1 Order, Lavabit dallied and did not comply.”

Part of that “dalliance” was him presenting the FBI with “an 11-page printout containing largely illegible characters in 4-point type,” just before the deadline. Apparently that didn’t cut it.

There’s no mention of whether the FBI attempted to pore over 11 sides of that with a magnifying glass, but they clearly weren’t amused and asked for the keys in “an industry-standard electronic format.” They didn't get that, and the court eventually found Levison and Lavabit in contempt and imposed sanctions to get the keys. Levison closed down the email service.

So that’s what Levison was appealing against, but he’s lost his battle. The deciding factor was that Lavabit hadn’t raised the main argument of its appeal, that the government was exceeding its statutory authority with its order for the keys, with the district court at the beginning. Agee wrote:

Lavabit never mentioned or alluded to the Pen/Trap Statute below, much less the district court’s authority to act under that statute. In fact, with the possible exception of an undue burden argument directed at the seizure warrant, Lavabit never challenged the district court’s authority to act under either the Pen/Trap Statute or the SCA [Stored Communications Act].

He explained that the appeals court rarely takes into account issues raised for the first time when they get to them—they’re just there to decide if the district court made a mistake in their ruling—and that’s essentially the rather anticlimactic end to the appeal case.

It’s a shame that it’s played out this way, as the constitutional issues raised along with questions around what the government is in fact able to do in terms of accessing encrypted data are left hanging.

And Levison’s going to have to take the technical implications of those into account with his new Dark Mail service if he doesn’t want a repeat of history.