You can't get out of cooperating with government-ordered electronic surveillance by shutting down, any more than a business can stop police from executing a search warrant by locking its front gate, the US Department of Justice (DOJ) tutted at Lavabit on Tuesday.
Here's what the DOJ said on Tuesday, in a filing in an appeal by Lavabit (posted courtesy of Lawfareblog.com):
> Just as a business cannot prevent the execution of a search warrant by locking its front gate, an electronic communications service provider cannot thwart court-ordered electronic surveillance by refusing to provide necessary information about its systems.
Lavabit, the former encrypted email provider to National Security Agency (NSA) secret-leaker Edward Snowden, shuttered its service in August following court orders demanding metadata about an unnamed user who just about everybody assumes was Snowden.
After much wrangling, founder Ladar Levison eventually gave the government Lavabit's cryptographic key in digital form, after having first printed out and handed over a copy of the key in 4-point type that left the government's judge none too pleased.
As soon as Levison gave the government the encryption key to unlock metadata on their target's email, he turned around and shut everything down.
That meant that even though the government had the key, there was nothing to open with it - including the founder's own email account, given that, as they say, he ate his own dog food.
Lavabit's suicide has pleased the government about as much as being given an encryption key it can't read without a microscope.
Which is, likely, why the government's brief sounds a tad prickly.
In the document, the DOJ says that Lavabit is wrong, wrong, wrong about everything, including:
- Feeding them encryption keys printed in teensy weensy ant-sized type,
- The notion that the company only had to help agents install a pen/trap device to monitor communications without actually helping them to decipher anything the device snooped on, and
- Nuking the whole shebang to prevent the government from using the encryption key Lavabit eventually coughed up (in non-teensy weensy, usable form).
The DOJ also countered Lavabit's assertion that handing over the encryption key would enable the government to snoop on all users' encrypted email.
Well of course the government wouldn't do that, the DOJ said. That would be illegal!
> That other information not subject to the warrant was encrypted using the same set of keys is irrelevant; the only user data the court permitted the government to obtain was the data described in the pen/trap order and the search warrant. All other data would be filtered electronically, without reaching any human eye.
The DOJ also dismissed Lavabit's argument that disclosing its encryption key was not what one does if one advertises one's service as being encrypted:
> Lavabit’s belief that the orders here compelled a disclosure that was inconsistent with Lavabit’s "business model" makes no difference. Marketing a business as "secure" does not give one license to ignore a District Court of the United States.
In sum, an exasperated-sounding court has said that, no, of course you are NOT allowed to NOT do what a court orders you to do.
Granted, it's not breaking news at 11.
But readers will hopefully pardon journalists and security cognoscenti for keeping an eye on the various strategies that internet service providers take to deal with government demands in these surveillance-happy times, be it Facebook patenting an easier way to pass data to the government or Lavabit's Levison slipping out the back door when agents tried to serve him with a subpoena.
Literally. He was spotted exiting through his home's rear door.
I suggest reading the court document - his evasive maneuvers are impressive, be they legalistic, business-oriented or corporeal.
What do you think? Should the Lavabit founder's civil disobedience tactics be applauded, or given the thumbs down?
Please let us know your thoughts in the comments section below.