DOJ appeals: Lavabit can't shut down to thwart electronic surveillance

The government is arguing that an email provider located in the United States, namely Lavabit, can “market ‘secure’ services,” but that promise to users does not give the provider the right to shut down in order to “thwart court-ordered electronic surveillance.”

Encryption and key, DOJ appeals that Lavabit can't shut down to thwart electronic surveillance

Shortly before the Department of Justice filed an appellate brief in the U.S. 4th Circuit Court of Appeals, Ladar Levison, who operated the Texas-based company Lavabit, appeared on Reddit’s IAmA where he explained the concept of Dark Mail. “If Grandma is on a dark mail domain, the message will travel securely to her. If Grandma is on an insecure domain (aka a domain that doesn't support dark mail) your email client will indicate that you're sending an insecure email using bright colors. In that scenario the message will travel naked, over SMTP, with nothing but SSL to protect it.”

The Dark Mail Alliance has a Dark Mail initiative Kickstarter campaign that has raised over $85,000 with 14 days to go to reach its $196,608 goal. It states, “No one can guarantee that a third-party is or is not eavesdropping on a series of communications, but Dark Mail can guarantee that when a third-party does gain access, or demands access, the privacy users rightfully deserve is maintained without fail.” With Silent Circle and Lavabit as the founding partners — both of which shut down their email services in August after a summer of Snowden’s NSA surveillance revelations — there are high hopes for the Dark Mail project.

Yet many Lavabit users had high security and privacy hopes before the government wanted the keys to the kingdom to access what is believed to be Edward Snowden’s emails. Levison fought valiantly before he turned “over the private SSL keys as an 11 page printout in 4-point type,” which the government called “illegible.” On August 7, after hand-delivering a disk “containing the encryption keys” to the FBI’s office in Dallas, the DOJ wrote, “Mr. Levison alerted all of Lavabit’s users, including the target of the investigation that Lavabit was engaged in litigation with the government and that, rather than comply with the court’s order, he decided to shut down his business.”

Security whiz Moxie Marlinspike recently wrote a critique of Lavabit, starting with Lavabit’s former front page claim that it is “so secure that even our administrators can’t read your e-mail.” There is a “critical difference between a service that ‘can’t read’ and ‘won’t read’ your email,” explained Marlinspike. He gave his reasons for believing that Lavabit’s “primary security claim actually wasn’t true.” Then Levison took to Ars Technica to reply to that criticism.

But on Reddit’s IAmA, Levison and Marlinspike continued their somewhat heated debate, which included whether or not Lavabit’s claims were security “snake oil.” Yesterday, 11/12/13, the Department of Justice pinged in via an 11,685-worded appellate brief that ripped into Levison and “Lavabit’s parade of hypotheticals” and other legal arguments, including:

Nothing in the search warrant required Lavabit to shut down. Nor was Lavabit ever under an obligation to ‘intentionally defraud its users about the security of the system.’ A provider does not defraud its users by both promising security and complying with lawful court orders. Lavabit publicly advised its users that Lavabit would comply with valid legal process. Users who expected otherwise were not defrauded; at worst, they had the unreasonable belief that Lavabit was entitled to ignore court orders.

“In essence, Lavabit is claiming that private businesses have the authority to nullify the Pen/Trap statute simply by offering SSL encryption services that any service provider can purchase for a modest sum,” argued the DOJ. “Just as a business cannot prevent the execution of a search warrant by locking its front gate, an electronic communications service provider cannot thwart court-ordered electronic surveillance by refusing to provide necessary information about its systems.”

Lavabit’s use of a single lock to secure all its users communications does not mean the government’s procurement of Lavabit’s key for the purpose of inspecting one user’s communications is overbroad. Lavabit used a single set of keys to encrypt all users’ communications. Lavabit’s analogy – that the government demanded the master key to every room in a hotel when it had authority to search only a single room – is based on a false premise. 

The Justice Department continued over the course of 59 pages. “Lavabit’s belief that the orders here compelled a disclosure that was inconsistent with Lavabit’s ‘business model’ makes no difference. Marketing a business as ‘secure’ does not give one license to ignore a District Court of the United States.”

We are supposed to believe that the government will not abuse the crypto key because “were a government officer to do as Lavabit fears and ‘rummage’ through other users’ communications without authorization, that would be a crime.” The DOJ’s brief concluded:

Here, Lavabit claims the right to ignore those courts and thwart such investigations simply by offering for sale, to the general public, encrypted email. Because there is no reason to treat a business that offers encrypted email services differently from any other business, this Court should affirm the district court’s order for sanctions.

While the Lavabit “fight” is far from over, we should not “have to abandon all hope,” according to Phil Zimmermann, the founder of Silent Circle. Zimmermann, the “godfather of email cryptography” is part of the Dark Mail Alliance. He previously said don’t give up hope. “If you just do it by fighting them in court, you might lose. But if you do it by changing the architecture, well, that gives you a big advantage."

The Dark Mail Kickstarter campaign can be found here.

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon