Lavabit appeals contempt of court ruling surrounding handover of SSL keys

Filed Under: Cryptography, Featured, Law & order

Lavabit, a now-defunct private email service, appeared in court on Tuesday to appeal against a contempt of court ruling centred around the company not handing over unencrypted data of one of its users - widely believed to be ex-NSA whistleblower Edward Snowden.

Last summer Lavabit was ordered to provide real-time email monitoring of the anonymous user. It responded by telling the federal authorities that it could only do so by following an internal process that would take a period of 60 days from when the request was made.

The federal government obviously wasn't prepared to wait that long and returned with a search warrant which allowed it to seize all of the company's SSL keys, giving it the ability to potentially decrypt the traffic of all 410,000 Lavabit users, not just the one individual it had professed an interest in.

Lavabit's CEO, Ladar Levison, compelled to hand over the five SSL private keys, did so in printed form, using a 4-point font spread across 11 pages. Law enforcement were not chuffed.

After handing the keys over, Levison promptly shut his 10-year-old business down in August in order to protect customers' data. Commenting at the time, he said:

This experience has taught me one very important lesson - without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.

During yesterday's hearing, Lavabit and federal prosecutors each presented oral arguments to a panel of three judges at the 4th US Circuit Court of Appeals in Richmond, Virginia.

Judges Agee, Gregory and Niemeyer heard, and questioned, arguments from both sides, though they seemed keen to focus on the specifics of why Lavabit failed to comply with a court order to hand over data on a specific user, rather than the broader question posed by Lavabit as to what else the government may do with the keys.

Judge Paul Niemeyer commented that the issue surrounding the use of those keys had been "blown out of proportion with all these contentions" of what the FBI may do with them.

Curiously, PC World reports that he also said, "There's such a willingness to believe" that the keys will be misused and that "the government will spy on everyone", which I find to be somewhat ironic considering that the powers-that-be actually seem to be rather keen on doing exactly that lately.

Judge Gregory, however, pointed out that "the encryption issue was a red herring" and that the case should actually be focused upon Lavabit's non-compliance with a court order.

PC World also reports that US attorney Andrew Peterson, on behalf of the government, contended that "any trust between Lavabit and the government had broken down" and that the company appeared to view court orders not so much as a legal requirement but more like contract negotiations.

Now that all of the appeal arguments have been heard, the court could deliver its verdict at any time, though no date has been set yet. If Lavabit triumphs, Levison has said that the service will be resurrected.

In the meantime, the BBC speculates that the verdict could have far-reaching consequences for secure communications in the future, quoting Brian Hauss, Legal Fellow for the American Civil Liberties Union (ACLU). Hauss said:

This case is about protecting the encryption architecture that underwrites the security of the internet.

That architecture depends on SSL [Secure Sockets Layer] encryption and SSL encryption depends on the continued privacy of the private keys of the companies that use that encryption.

If the court does not find in Lavabit's favour, technology companies will look for new ways to protect user data.

Image of encrypted key courtesy of Shutterstock.

15 Responses to Lavabit appeals contempt of court ruling surrounding handover of SSL keys

  1. Stephen H · 174 days ago

    It sounds as if the court has already made up its mind, which is sad. If the appeals court does uphold the contempt decision, it condemns the US to becoming an Internet backwater that no user can trust with their personal data.

    So much for constitutional safeguards against government overreach. When courts decide that they should automatically trust the intentions of the government of the day, they cannot perform their proper oversight function.

    But... terrorism. It's the modern "reds under the bed" excuse for removing civil liberties and ignoring constitutional safeguards.

    • Andrew Ludgate · 173 days ago

      I liked this part:
      "Judge Gregory, however, pointed out that 'the encryption issue was a red herring' and that the case should actually be focused upon Lavabit's non-compliance to a court order."

      Everyone's trying to make this a case about security, but it's not. It's a contempt of court case. While LavaBit complied with the letter of the law, he did not comply with the spirit of the request until further pressured. THIS is what the court has to decide over.

      The issue of the government compelling the disclosure of the keys in the first place is a completely separate issue, and is one that should have its own day in court. The government doesn't have the right to trample over people's privacy rights just because the timeline to gather the information in a proper manner doesn't fit their requirements. If the government wants to invade everyone's privacy, they need a very strong application for the court order showing immediate danger to the country (if it was Snowden, they don't have that... if it was some terrorist cell and they were seeking timely correspondence, maybe).

      I don't think LavaBit has a chance on the contempt of court charges. What he did was in contempt of court -- civil disobedience. What the court did prior to that is also highly questionable, but two wrongs don't make a right. So while a guilty verdict may be a rallying cry for data protection activists, it sets no legal precedent, but just confirms "don't give the court a book on fishing when it asks for a trout".

      • Stephen H · 173 days ago

        Andrew, if you are given an unlawful directive you are expected to refuse to obey it. Ladar Levison did what he could to try to uphold his country's constitution while at the same time trying to meet the demands of a pack of thugs masquerading as law enforcement officials.

        Or are you suggesting that he should have just handed over the keys and kept his business going? Surely had he done that he would have been in serious legal trouble from his clients.

        This really is about the technology as much as the law. Judges are responsible for understanding what their orders mean. In many cases they are made aware of the implications by opposing counsel - but in the case of the NSA there is no opposing counsel. That means the judge making the order must inform him or herself - something they clearly failed to do.

        • Bleeping Away · 173 days ago

          He should have followed the law, period. If he disagreed with the ruling, there are legal avenues he could have pursued to fight it.

          When a court orders you to do something either -
          A. Do it
          B. Fight it legally
          C. Make a mockery of the court *** Very bad do not attempt!

          He chose C and is now paying the price.

          I am no lawyer but I think he should have taken the original case to the supreme court.

        • *sigh*. He should have obeyed the original order. He was handing over data - manually. They wanted realtime.
          This is a service that gave users an option of encrypting their data 'at rest'. SMTP is clear text. All Levison had to do was create a filter that ran before the encryption and wrote the data to an FBI mailbox. That's it.
          Instead he played stupid (or maybe he is) and claimed it would take $2k in development to implement this feature.

          For some reason, Levison thinks due process is not valid. He thinks that a judge signing off on a subpoena for more information, based on compelling evidence presented, is not enough to gather more evidence. He thinks that because he encrypts data locally, and does a huge run-around to do it, that he doesn't have to provide data. Provide evidence. Apparently Levison would prefer that people who are accused of a crime be charged and tried without any investigation occurring.

          The reason SSL keys have never been requested before is because everybody knows SMTP is clear text, and it's trivial (and inexpensive) to filter.

          Why Levison thinks he's found some constitutional loophole that's being exploited by the government is beyond me. Remember, it's not a FISA court, it's not an NSL. These are straight subpoenas via a normal judicial process.

          He's in the wrong. Period.

        • Juris · 153 days ago

          Actually, in our legal system, the only way to appeal a ruling that you believe to be wrong is to follow it and then appeal. Until the time that you actually follow the order, you have no grounds for an appeal.

      • Hang on, you can't have it both ways. If LavaBit fulfilled the letter of the law, but broke the spirit, then the wider context, e.g. upholding your constitution, is relevant.

  2. Vito · 173 days ago

    A trial attorney whose services I used (successfully) informed me that the usual outcome of judicial appeals is failure. Only about 15% of appeals actually succeed. Regardless of the merits of the appeal, that's a noteworthy statistic — one that leads me to believe that the deck is already stacked against those who file appeals.

    It certainly doesn't look promising in Lavabit's case, based on the judge's comments. It appears that he's saying, "Never mind about the consequences of doing what you're told. The fact remains that you DIDN'T do what you were told. Immediate obedience is what we demand, and you'd better do it or else..."

    That's exactly the kind of authoritarianism without circumspection or personal responsibility that is becoming all too common in The Land Of The Free™. That's not "government by the people". It's government ON the people.

  3. Our county council carried out a survey and on completion you were told that all your data had been passed to an American company's servers in the US. When I questioned this I got a response from the legal department that as the USA had signed the "safe harbor agreement" the data was as safe as if it was held on an EU based server. How wrong they were! I would have to suggest that it should be illegal for any EU based organization to use ANY US based data services or any company that has a presence in the US that would find them covered by the Patriot Act!

    • Bleeping Away · 173 days ago

      > I would have to suggest that it should be illegal for any EU based organization to use ANY US based data services or any company that has a presence in the US that would find them covered by the patriot act!

      I agree. Every country should have their own virtual borders that data does not cross. If you want to view a website based in another country, you better have your virtual passport at hand!

    • So if a judge in the EU were to sign a subpoena requesting information, which he should only do based on compelling evidence, then that data doesn't have to be turned over in the EU?

      Levison has conveniently left off important pieces of the puzzle in order to garner support (and money). The Patriot Act has no influence on this case. There are no NSLs here. There are no FISA courts here. There's nothing 'fishy' here at all.

      The only thing fishy is a business owner (who stopped accepting new users the previous month, that's some successful business) all of a sudden crying wolf about a subpoena.

  4. Andrew · 173 days ago

    It is time this world took a serious look at what the American courts are doing and condemned these actions. The British Government should use its authority to protect citizens in the UK against snooping eyes, but knowing our Government, the cowards will not stand and defend our citizens. No government or agency should have the right to view private information without proof of an individual's criminal activity. When is it going to end? No Government or agency should have the right to force any organisation that has a legitimate business into disclosing any kind of data without proof.

    • Randy · 169 days ago

      All governments like to spy on their citizens. It's one of the things that give them a feeling of power over us. I'm sure if the Brits condemn the U.S. for doing this it will only be with a nod and a wink.

  5. Randy · 169 days ago

    He should have complied with the government and handed over the keys, then immediately warned Snowden and deleted all his email records on the servers if Snowden asked.

  6. roy jones jr · 164 days ago

    I want to read more on this. Because I want to find out if this guy is trying to hide behind platitudes and be stubborn for no reason or if he just didn't understand what was asked of him.

    I am hoping it was the latter.

About the author

Lee Munson is the founder of Security FAQs, a social media manager with BH Consulting and a blogger with a huge passion for information security.