As a reminder, Lavabit was voluntarily shut down by its owner Ladar Levison after he failed to successfully challenge the court ordered search warrant that required him to hand over the SSL key for the site.
The key would have allowed the government to access email correspondence of all 400,000 of Lavabit’s users, although they officially stated they were after one unnamed user in particular (widely believed to be NSA whistleblower Edward Snowden).
But the stakes in the continuing legal fight are even higher, as Levison is trying to create a precedent that would make it impossible for the US government to force an Internet company to hand over its systems’ master encryption keys.
“The government has no general entitlement to enlist innocent third parties in its surveillance efforts; it may do so only to the extent that the law explicitly provides. In this case, neither the pen-trap order nor the Stored Communications Act warrant validly allowed the government to seize Lavabit’s private encryption keys,” it is stated in the brief.
“The pen register statute does not authorize the government to demand that sort of assistance; a service provider only must help the government ensure that its pen-trap device is installed and operated ‘unobtrusively and with a minimum of interference with the services’ provided. And the warrant was riddled with flaws: it sought information that does not pertain to a subscriber; it imposed an undue burden on the company; it did not have as its object the fruits, instrumentalities, or evidence of crime; and it permitted general rummaging through all of Lavabit’s customer communications.”
Regarding the claims that the warrant imposed an undue burden on the company, Levison’s counsel argues that “the company was required to either provide the government its encryption keys in secret, while continuing to take money from customers based on assurances that the system was secure against unmonitored eavesdropping, or provide the keys and shut down.”
“The former choice was inconsistent with Lavabit’s ethical obligations to its users, in addition to being a black-letter example of civil fraud; the latter destroyed Mr. Levison’s livelihood,” they added.
The government has already submitted an appellate brief arguing the opposing side, and the 4th US Circuit Court of Appeals is expected to reach a decision about the matter shortly. Unfortunately for Internet users, the government in this case has little to lose and much to gain, and the government’s gain will surely be their loss.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.