Lavabit's Forgotten Encryption Fight Looms Over the Apple Case
A look back at an encryption fight that could be repeated in the Apple and FBI case.
On June 9, 2013, a then-unknown intelligence contractor named Edward Snowden revealed himself to be the source behind a series of explosive scoops based on top secret National Security Agency documents. The next day, a secret court in Virginia ordered the owner of a small email provider in Texas to help investigators surveil Snowden's email communications.
That order set off a long legal fight that was mostly shrouded in complete secrecy for two months, until Ladar Levison, the owner of the email provider called Lavabit, decided to shut down his service rather than "become complicit in crimes against the American people," as he put it at the time.
Even then, most details of the case remained under seal until October 2013, when a judge in Alexandria agreed to publish part of the court documents filed in the fight. Finally, in early March of this year, almost three years later, the judge ordered even more documents to be released.
Some information in the court documents still remains redacted, such as the basis, or "probable cause," as to why the US government was interested in Snowden's email data. In fact, the US government went to great lengths to redact who the case was really about. But a mistake in the redaction process confirms it was indeed about Snowden's email.
But more importantly, read again three years later, the documents shed the light on a case that in many ways shares many similarities with the recent fight between the FBI and Apple.
At the heart of both cases there's the same fundamental question: How far can the US government force tech companies to go to help access their users' data?
THE LAVABIT CASE
After Snowden outed himself, the government wanted to get a bunch of information from Snowden's Lavabit account, including his IP address and the unique ids (MAC addresses) of the computers he used while sending emails from the service, as well as payment and other records.
Levison responded to the government's order by mail on June 11, providing "very little" of the information the government wanted, according to the documents. At that point the US government got another order compelling Levison to install what's known as a "pen register" to get Snowden's email metadata in real-time.
When the feds showed up at Levison's door to hand deliver him the order, he said that'd be impossible, because the target of the investigation had paid to have an extra layer of protection on his account, so all that information was encrypted. But the FBI had done its homework, and already had another card under its sleeve: If only Levison agreed to hand over the encryption keys protecting Lavabit's server, then the feds themselves could "capture the user's connections, and password in the clear."
A few days later Levison himself admitted that the FBI's solution was technically possible in an email to the prosecutor.
Yet, Levison kept fighting.
In a hearing on July 16, Levison went to court by himself, without the help of a lawyer, arguing he had been ready to comply with the pen register order ever since he met with the FBI agents, but he also said giving up the encryption keys was too much, because it would compromise the privacy of all his customers, not just the one target of this investigation.
"Those keys are used to secure the traffic for all users," Levison said, according to a transcript. "I've always been willing to accept the [pen register] device. I just have some concern about ensuring that it's used properly," he later added.
Levison, who claimed to have brought a copy of Lavabit's encryption keys in case he was forced to give them up, also asked for the case to be made public.
"I believe it's important for the industry and the people to understand what the government is requesting by demanding that I turn over these encryption keys for the entire service," he added.
The prosecutor snarkily dismissed this request, arguing that all Levison wanted was to get the industry "to come in and litigate as a surrogate for him."
"I don't think he's entitled to try to make this a public proceeding to invite others in to litigate those issues on his behalf," said Assistant US Attorney James Trump, adding that by industry he meant groups and others "who have litigated issues like this in the WikiLeaks context and others."
Judge Claude Hilton didn't directly weigh on the merits of Levison's argument, but eventually rejected it, simply saying that "this was a criminal investigation" and it required secrecy.
The prosecutor reiterated that this was just about one account, and dismissed Levison's concern that the FBI could spy on all his 400,000 customers saying there wouldn't be any agents "looking through the 400,000 other bits of information, customers, whatever." In a previous filing, the US government had also argued that giving up SSL keys wasn't a big deal because Levison could just change them after the government was done intercepting data from Snowden's email account.
Eventually, Judge Hilton ordered Levison to turn over the keys in 24 hours.
Within the deadline, Levison complied with the order, but delivered the 2,560 characters making up the keys in an extremely small font spread over an 11-page printout.
Then the government complained and got the court to impose a sanction of $5,000 per each day of delay until Levison delivered the keys in an electronic form. Two days and $10,000 later, Levison apparently gave up, sending a "usable version of Lavabit's encryption keys" to the government.
The next day, however, he shut down his service, making those keys completely useless.
THE SHADOW OF LAVABIT OVER THE APPLE VS FBI CASE
While many circumstances in the Lavabit case are different than the case of the San Bernardino shooters' iPhone, there are also obvious similarities. In the Lavabit case, the feds argued it was just about one account; in the Apple case, the US government claims this is just about one phone. In both cases, the feds argued that it's not too burdensome to simply hand over some code.
Given Lavabit's precedent, some are worried that what happened with Levison and his small email provider could happen again with the giant Apple. That's not just speculation—the Justice Department explicitly cited the Lavabit case in a footnote in its most recent filing in the case.
The government's argument is essentially that its current order, which asks Apple to undermine some security features of the iPhone's operating system so that it can hack into it, is just a friendly request that could very well anticipate a more unkind one: get Apple to surrender its developer encryption keys so that investigators can write and install their own version of Apple's operating system to get around its security measures.
"Such a move would signal a race to the bottom of the slippery slope that has haunted privacy advocates: A world where companies can be forced to sign code developed by the government to facilitate surveillance," Julian Sanchez, a surveillance expert and fellow at the Cato Institute, wrote in a blog post on Thursday.
Sanchez also notes that what's even more worrying is that such a request could potentially rely on firmer legal ground that the FBI's current one, which relies on an obscure and controversial 1789 law.
"'Give us your dev key' is probably on firmer ground legally than 'write custom code for us' but arguably way, way scarier."
"'Give us your dev key' is probably on firmer ground legally than 'write custom code for us' but arguably way, way scarier," Sanchez said earlier.
Furthermore, several tech companies have been forced to give up their source code in the past, as a ZDNet investigation published on Thursday revealed. It's unclear if those cases involved encryption keys, but it wouldn't be a stretch for the US government to argue that it makes no difference.
Whether the judge in the Apple case, and the judges who will hear the inevitable appeals, will side with the government—if it ever decides to request Apple's keys—remains to be seen. In the meantime, Levison, who's been working on a more secure replacement for email since shutting down Lavabit, chastised the government for trying to draw a parallel with his case, calling it "disturbing."
In a statement published on Wednesday, Levison highlighted the fact that the appeals court that held up the sanctions against him for refusing to comply with the pen register order based his decision "on a contrived procedural technicality," not on the merits of the original request. In other words, according to him, Lavabit's case shouldn't be considered a precedent, although it does have something in common with the Apple case.
"The current Apple case, together with the Lavabit case, join a growing litany of recent court decisions which have eroded away our personal liberties," he wrote. "Taken together, these rulings force us to ask difficult questions. Specifically, can the federal government be trusted to defend our rights, and protect our freedom?"