Lavabit, Edward Snowden and the Legal Battle For Privacy

The Legal Battle For Privacy

In early June 2013, Edward Snowden made headlines around the world when he leaked information about the National Security Agency (NSA) collecting the phone records of tens of millions of Americans.

It was a dramatic story. Snowden flew to Hong Kong and then Russia to avoid deportation to the US, where the government had charged him with violations of the Espionage Act. Journalists boarded a flight from Moscow to Havana on the speculation Snowden would be onboard. Some called him a hero; others branded him a traitor and a villain.

Meanwhile, on June 28, 2013, FBI agents showed up at the door of Ladar Levison. Levison owned an email service called Lavabit, and the agents had a pen register order requiring him to hand over the metadata for the email activity of a particular customer’s account. However, Levison argued that to do this, he’d have to reprogram the entire encryption system that protected his users’ privacy.

The court sealed the case, so the first the public heard of it was when Levison ended his email service, stating on Lavabit’s website: “I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul-searching, I have decided to suspend operations.”

The full text of his statement is still available on the Lavabit site.

Only recently did the court lift Levison’s gag order, at which point he could confirm what everyone had guessed: the FBI had been after Edward Snowden’s communications made through Lavabit.

Every American email service provider has a clause in its privacy and non-disclosure policies that indicates it may disclose information as necessary to comply with law. Some promise they will inform customers if or when authorities request that information.

Yet, as in the case of Lavabit and Snowden, a gag order often accompanies the request, making it illegal to tell the customer the Government has requested access to the data. In these cases, the law wins, and the contract with the customer loses.

So, what do you do when presented with an FBI warrant for private data, which you believe to be unethical and even unconstitutional?

Email Providers Face a Serious Dilemma

There are two options:

1. You can fight these orders in court. However, smaller email Service Providers do not have the money on hand to fund an expensive legal battle and to pay “contempt of court” fees for non-compliance during the case. This lack of resources puts these companies at a serious disadvantage in their ability to push back. They have to give in.

2. You can give in and follow the letter of the request, but in a way that’s inconvenient for law enforcement. This buys time and can limit the scope of what the officers or agents can access. However, depending on the actions taken, it can also seriously hinder the email provider’s business.

For Lavabit, when law enforcement wanted Levinson to hand over an encryption key that would have not only exposed Snowden but also his other customers, he decided to close shop. He did not have the resources to fight the government in court and could not guarantee the privacy and security of his users’ email.

The Privacy Predicament

It is egregious that the government’s requests in pursuit of Snowden were so broad as to impinge on the privacy of 410,000 other unrelated users of Lavabit’s service. This is blatantly unconstitutional. It would be as if the police received a warrant to wiretap one person’s phone line and then listened to all calls in the city that included that phone line. Though it may not be technically possible to narrow the scope down to the communications of a specific individual, this does not give the government the right to infringe on the privacy of everyone who happens to have a phone.

This affair with Lavabit and Snowden preceded the recent iPhone decryption issue, when the FBI tried to force Apple to put in a backdoor in iOS software, post facto, so it could decrypt an iPhone belonging to Syed Farook, responsible for the San Bernardino shootings in December 2015.

Apple pushed back in legal proceedings. The FBI dropped the case when it found a third-party to unlock the iPhone.

Although that legal battle ended, another fight has begun. The government wants cellphone providers to build in legitimate “second front doors” to encrypted devices, so that it can access on demand with a court order.

This will jeopardize the privacy of average American citizens without making it significantly easier to catch the bad guys, who will inevitably get their unbreakable encryption elsewhere. Hundreds of companies outside the US offer secure encryption technology. These companies make it easy for people to get encryption outside the reach of American law.

If the fight for second front doors wasn’t enough, discouraging developments have worked their way through the courts, too. In June, a federal district court in Virginia ruled the federal government does not need a warrant to hack into an individual’s computer. Given the Fourth Amendment bars unlawful searches and seizures, it’s unlikely this ruling will hold up in appeal. Nonetheless, it speaks volumes for how the courts and governments view privacy and security.

The Fight Continues

It’s likely that many more court battles lie ahead as organizations and individuals go head-to-head with the government to argue their right to privacy.

Enter the Lavabit Legal Defense Foundation (known as LavaLegal for short). Lavabit’s founder Ladar Levison launched the nonprofit to help service providers avoid complying with unconstitutional requests, such backdoors and handing over encryption keys. The nonprofit will operate on donations.

If LavaLegal receives enough funding, it can help small companies continue operating as usual while pushing back on perceived unconstitutional requests, until the courts can make decisions in their cases. For small businesses, this could be a lifeline that lets them continue operating while paying hefty legal fees.

By Erik Kangas

Sofia Jaramillo
Augmented Reality in Architecture Augmented reality (AR) is a growing field of study and application in the world of architecture. This useful tool can help us visualize architectural designs by superimposing them onto real-world scenes ...
Louis
Real-time Enterprise Software Data Enterprise software startups are capitalizing on real-time data to continually improve revenue, costs, cash flow, marketing, and sales as their business grows. The majority of software startup CEOs spoken with have ...
Harish Chauhan
Adopting a Multi-cloud Strategy Cloud has been in existence since 2006 when Amazon Web Service (AWS1) first announced its cloud services for enterprise customers. Two years later, Google launched App Engine, followed by Alibaba and ...
JK Chelladurai
Maintain telecom tax compliance The Telecommunications industry is one of the most heavily taxed service industries. In countries such as the United States, providers have to keep on top of Federal, State, and District taxes, ...
Dinesh Varadharajan
The Future with Automation Many entrepreneurs believe digital technologies will transform the way their companies work. By 2022, the worldwide hyper-automation technology market is expected to be worth $596.6 billion. And by 2055, almost half ...

SECURITY TRAINING

  • Isc2

    ISC2

    (ISC)² provides IT training, certifications, and exams that run online, on your premises, or in classrooms. Self-study resources are available. You can also train groups of 10 or more of your employees. If you want a job in cybersecurity, this is the route to take.

  • App Academy

    App Academy

    Immersive software engineering programs. No experience required. Pay $0 until you're hired. Join an online info session to learn more

  • Cybrary

    Cybrary

    CYBRARY Open source Cyber Security learning. Free for everyone, forever. The world's largest cyber security community. Cybrary provides free IT training and paid IT certificates. Courses for beginners, intermediates, and advanced users are available.

  • Plural Site

    Pluralsite

    Pluralsight provides online courses on popular programming languages and developer tools. Other courses cover fields such as IT security best practices, server infrastructure, and virtualization.