A U.S. email provider can promise its users all the security and privacy it wants; it still has to do whatever it takes to give the government access.
That’s the gist of the Justice Department’s 60-page appellate brief in the Lavabit surveillance case, filed today in the U.S. 4th Circuit Court of Appeals in Richmond, Virginia.
In the brief, the government defends its use of a search warrant and a grand jury subpoena to obtain the private encryption keys for Lavabit’s email service and website, and tacitly impugns Texas-based proprietor Ladar Levison for shutting down the site and thwarting the FBI’s surveillance plans.
“Mr. Levison alerted all of Lavabit’s users, including the target of the investigation, that Lavabit was engaged in litigation with the government and that, rather than comply with the court’s orders, he decided to shut down his business,” the government notes.
The targeted user’s name is redacted from the case, but is certainly Edward Snowden, the NSA whistleblower and known Lavabit customer who was hiding at a safe house in Hong Kong when the FBI originally approached Levison in June.
The FBI was packing a court order allowing them to collect in real-time the user’s non-content e-mail traffic, such as the “from” and “to” lines of every message sent and received, and the IP address from which the user is connecting.
“This IP address information can be particularly valuable to law enforcement in locating a fugitive,” the government writes in a footnote. “If law enforcement can discover in real-time the IP address used by a fugitive, it may be able to locate and apprehend the fugitive.”
Levison resisted the order, and the FBI returned with a grand jury subpoena demanding the master SSL keys for his website, so they could conduct the surveillance themselves. After overcoming some hurdles serving Levison with the subpoena (“After knocking on his door, FBI special agents witnessed Mr.
Levison leave the rear of his apartment, get in his car, and drive away.”), the FBI pressed the issue in court.
Levison then offered to collect the e-mail metadata himself and transmit it to the government after 60 days. By then the feds were insistent that he turn over the SSL key for the site, promising it would use the key only to monitor the targeted user, and not Lavabit’s 400,000 other users.
Lavabit lost a court argument challenging the orders in August. He stalled for two days then turned over the keys and shut down his business on August 8, mooting any attempt at prospective surveillance. He’s appealing $10,000 in sanctions.
The Justice Department brief doubles-down on the government’s position on the crucial issue in the case: whether an internet company can be compelled to turn over the master encryption keys for its entire system to facilitate court-approved surveillance on a single user.
Some of the NSA documents leaked, fittingly, by Snowden, suggest that the NSA has in the past collected SSL-encrypted data in bulk, in the hope of later obtaining the private key so it can go back and decrypt everything. There’s no evidence that the NSA performed such collection against Lavabit.
Lavabit argues that the court orders in its case violates the Fourth Amendment of the Constitution, and that he shouldn’t have been ordered to compromise the security of all of his users, when his business was founded on a promise that he protected user privacy.
The Justice Department counters that most of Levison’s arguments on appeal shouldn’t be considered, because they weren’t raised in the lower court. But in any case, the government says, Lavabit’s security promise is not a bulwark against a court order.
Just as a business cannot prevent the execution of a search warrant by locking its front gate, an electronic communications service provider cannot thwart court-ordered electronic surveillance by refusing to provide necessary information about its systems. That other information not subject to the warrant was encrypted using the same set of keys is irrelevant; the only user data the court permitted the government to obtain was the data described in the pen/trap order and the search warrant. All other data would be filtered electronically, without reaching any human eye. Finally, Lavabit’s belief that the orders here compelled a disclosure that was inconsistent with Lavabit’s “business model” makes no difference. Marketing a business as “secure” does not give one license to ignore a District Court of the United States.
The full government brief is below.