In early June 2013, Edward Snowden made headlines around the world when he leaked information about the National Security Agency (NSA) collecting the phone records of tens of millions of Americans.
It was a dramatic story. Snowden flew to Hong Kong and then Russia to avoid deportation to the US, where the government had charged him with violations of the Espionage Act. Journalists boarded a flight from Moscow to Havana on the speculation Snowden would be onboard. Some called him a hero; others branded him a traitor and a villain.
Meanwhile, on June 28, 2013, FBI agents showed up at the door of Ladar Levison. Levison owned an email service called Lavabit, and the agents had a pen register order requiring him to hand over the metadata for the email activity of a particular customer’s account. However, Levison argued that to do this, he’d have to reprogram the entire encryption system that protected his users’ privacy.
The court sealed the case, so the first the public heard of it was when Levison ended his email service, stating on Lavabit’s website: “I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul-searching, I have decided to suspend operations.”
The full text of his statement is still available on the Lavabit site.
Only recently did the court lift Levison’s gag order, at which point he could confirm what everyone had guessed: the FBI had been after Edward Snowden’s communications made through Lavabit.
Every American email service provider has a clause in its privacy and non-disclosure policies that indicates it may disclose information as necessary to comply with law. Some promise they will inform customers if or when authorities request that information.
Yet, as in the case of Lavabit and Snowden, a gag order often accompanies the request, making it illegal to tell the customer the Government has requested access to the data. In these cases, the law wins, and the contract with the customer loses.
So, what do you do when presented with an FBI warrant for private data, which you believe to be unethical and even unconstitutional?
There are two options:
1. You can fight these orders in court. However, smaller email Service Providers do not have the money on hand to fund an expensive legal battle and to pay “contempt of court” fees for non-compliance during the case. This lack of resources puts these companies at a serious disadvantage in their ability to push back. They have to give in.
2. You can give in and follow the letter of the request, but in a way that’s inconvenient for law enforcement. This buys time and can limit the scope of what the officers or agents can access. However, depending on the actions taken, it can also seriously hinder the email provider’s business.
For Lavabit, when law enforcement wanted Levinson to hand over an encryption key that would have not only exposed Snowden but also his other customers, he decided to close shop. He did not have the resources to fight the government in court and could not guarantee the privacy and security of his users’ email.
It is egregious that the government’s requests in pursuit of Snowden were so broad as to impinge on the privacy of 410,000 other unrelated users of Lavabit’s service. This is blatantly unconstitutional. It would be as if the police received a warrant to wiretap one person’s phone line and then listened to all calls in the city that included that phone line. Though it may not be technically possible to narrow the scope down to the communications of a specific individual, this does not give the government the right to infringe on the privacy of everyone who happens to have a phone.
This affair with Lavabit and Snowden preceded the recent iPhone decryption issue, when the FBI tried to force Apple to put in a backdoor in iOS software, post facto, so it could decrypt an iPhone belonging to Syed Farook, responsible for the San Bernardino shootings in December 2015.
Apple pushed back in legal proceedings. The FBI dropped the case when it found a third-party to unlock the iPhone.
Although that legal battle ended, another fight has begun. The government wants cellphone providers to build in legitimate “second front doors” to encrypted devices, so that it can access on demand with a court order.
This will jeopardize the privacy of average American citizens without making it significantly easier to catch the bad guys, who will inevitably get their unbreakable encryption elsewhere. Hundreds of companies outside the US offer secure encryption technology. These companies make it easy for people to get encryption outside the reach of American law.
If the fight for second front doors wasn’t enough, discouraging developments have worked their way through the courts, too. In June, a federal district court in Virginia ruled the federal government does not need a warrant to hack into an individual’s computer. Given the Fourth Amendment bars unlawful searches and seizures, it’s unlikely this ruling will hold up in appeal. Nonetheless, it speaks volumes for how the courts and governments view privacy and security.
It’s likely that many more court battles lie ahead as organizations and individuals go head-to-head with the government to argue their right to privacy.
Enter the Lavabit Legal Defense Foundation (known as LavaLegal for short). Lavabit’s founder Ladar Levison launched the nonprofit to help service providers avoid complying with unconstitutional requests, such backdoors and handing over encryption keys. The nonprofit will operate on donations.
If LavaLegal receives enough funding, it can help small companies continue operating as usual while pushing back on perceived unconstitutional requests, until the courts can make decisions in their cases. For small businesses, this could be a lifeline that lets them continue operating while paying hefty legal fees.
By Erik Kangas
