Linux Format

The Lavabit story

Ladar Levison fought to protect the privacy of his clients, but when one of those clients leaked damning state secrets, things got ugly.


We don’t often cover paid-for services in LXF, but we really do approve of the ones we’ve mentioned here. Even a virtual host lives on physical hardware, and that needs to be maintained and protected from all manner of digital malfeasance. Email is particularly tricky to do securely, especially if your threat model accounts for black-suited agents going to your host with scary-looking paperwork and removing hard drives.

An ongoing case brought by the US government two years ago seeks to compel Microsoft to hand over emails belonging to one of its Live Mail customers. The data is stored in a Dublin data centre and Microsoft has argued (successfully so far) that US law doesn’t have jurisdiction there. While its refusal may not have helped the defendant in this case, the court’s decision goes some way towards checking intelligence agencies’ already widespread powers of investigation.

We can applaud Microsoft for its stance here, just like we could applaud Apple for its refusal to obey court orders, filed under the obscure All Writs Act of 1789, to assist in the extraction of data from iPhones, but it’s worth noting that both of these giants, as well as Google, Yahoo!, Facebook and AOL, were named as being complicit in the NSA’s data-slurping PRISM programme. This programme was revealed, along with all kinds of government-shaming material, by Edward Snowden in 2013.

Snowden, it was later revealed, had been using a secure email provider called Lavabit, run by Ladar Levison, to communicate the offending material to journalists. When the feds learned of this, they paid Levison a visit. With legally compelling paperwork in hand, agents insisted that Levison install a surveillance device which would intercept Snowden’s emails as they left the Lavabit network. This ‘pen register’ he claims to have agreed to, but later the feds wanted more.

Lavabit had an encrypted storage feature and the law wanted to know what Snowden had stored there, so it demanded Lavabit’s private key. This would grant the government the ability to read not just Snowden’s emails, but those of Lavabit’s 410,000 other customers.

After a protracted series of events in which papers, subpoenas and search warrants were served, Levison and his legal counsel found themselves in a Kafkaesque situation. An order of contempt was issued against Levison, but without a hearing. Thus Levison was unable to defend himself or object. And without any objection, the appellate court upheld the contempt charge. Levison shut down Lavabit in August 2013, saying to do otherwise would mean being “complicit in crimes against the American people.”

Not only is Levison a man of principle, but also a hombre con cojones. On 1 August 2013, a court ordered him to hand over the SSL keys the next day. Levison did this, but in the form of eleven pages of unscannable 4-point type. This, the court did not approve of and demanded the key be handed over in “an industry-standard electronic format”. Our hero stuck by his guns and for his principles was slapped with a contempt of court charge.


Lavabit launched a new email service based on the Dark Internet Mail Environment (DIME) platform at the beginning of the year.
