Lawyers for secure email provider Lavabit just filed the reply brief in a case that will determine whether an internet company can be compelled to turn over the master encryption keys for its entire system to facilitate court-approved surveillance on a single user.
It bears repeating: the government has no general entitlement to search through the information of an innocent business. It may do so only to the extent that the law and Constitution permit. The government proposed, in this case, to search through a vast amount of data to find a tiny amount relevant to its investigation, with no oversight from anyone, at a time when the government’s theories of its own surveillance power are at their apex. It ruined a small business in doing so […]
The surveillance statutes and the Fourth Amendment do not allow the government to chart this course. The judgment of the district court should therefore be reversed.
Earlier this month the government defended its use of a search warrant to obtain Lavabit’s keys. In a brief at the 4th U.S. Circuit Court of Appeals, the government said it needed the master keys to facilitate a “pen register” order allowing the FBI to collect email metadata — like “from” and “to” lines — on a particular unnamed target, believed to be NSA leaker Edward Snowden.
Levison had offered to collect the email metadata himself and transmit it to the government after 60 days. But the government was insistent that he turn over the SSL key for the site, promising it would use the key only to monitor the targeted user, and not Lavabit’s 400,000 other users.
Lavabit lost a court argument challenging the orders in August. Levison stalled for two days, then turned over the keys and shut down his business on August 8, mooting any attempt at prospective surveillance.
Even though Levison shut down the site, it's possible the U.S. got what it was after. Some of the NSA documents leaked by Snowden show that the NSA collects SSL-encrypted data in bulk, in the hope of later obtaining the private key so it can go back and decrypt everything.