Lavabit owner comes clean about NSA, FBI intrusions

US Federal Prosecutors were pursuing a notable user of Lavabit, Ladar Levison’s secure e-mail service: Edward J. Snowden, the former National Security Agency contractor who leaked classified documents that have put the intelligence agency under sharp scrutiny.   http://www.nytimes.com/2013/10/03/us/snowdens-e-mail-provider-discusses-pressure-from-fbi-to-disclose-data.html?ref=us   Mr. Levison was willing to allow investigators with a court order to tap Mr. Snowden’s e-mail account; he had complied with similar narrowly targeted requests involving other customers about two dozen times.

But they wanted more, he said: the passwords, encryption keys and computer code that would essentially allow the government untrammeled access to the protected messages of all his customers. That, he said, was too much.

“You don’t need to bug an entire city to bug one guy’s phone calls,” Mr. Levison, 32, said in a recent interview. “In my case, they wanted to break open the entire box just to get to one connection.”

On Aug. 8, Mr. Levison closed Lavabit rather than, in his view, betray his promise of secure e-mail to his customers. The move, which he explained in a letter on his Web site, drew fervent support from civil libertarians but was seen by prosecutors as an act of defiance that fell just short of a crime.

He had been summoned to testify to a grand jury in Virginia; forbidden to discuss his case; held in contempt of court and fined $10,000 for handing over his private encryption keys on paper and not in digital form; and, finally, threatened with arrest for saying too much when he shuttered his business.

Much of the attention has been focused on Internet giants like Microsoft and Google. Lavabit, with just two employees and perhaps 40,000 regular users, was a midget by comparison, but its size and Mr. Levison’s personal pledge of security made it attractive to tech-savvy users like Mr. Snowden.

While Mr. Levison’s struggles have been with the F.B.I., hovering in the background is the N.S.A., which has worked secretly for years to undermine or bypass encrypted services like Lavabit so that their electronic message scrambling cannot obstruct the agency’s spying. Mr. Levison’s case shows how law enforcement officials can use legal tools to pry open messages, no matter how well protected.

Mr. Levison said he set up Lavabit to make it impossible for outsiders, whether governments or hackers, to spy on users’ communications. He followed the government’s own secure coding guidelines, based on the N.S.A.’s technical guidance, and engineered his systems so as not to log user communications. That way, even if he received a subpoena for a user’s communications, he would not be able to gain access to them. For added measure, he gave customers the option to pay extra to encrypt their e-mail and passwords.

On occasion, he was asked to comply with government requests for specific e-mail accounts, including that of a child pornography suspect in Maryland this year. Mr. Levison said he had no qualms about cooperating with such demands, but the latest request was far broader, apparently to allow investigators to track Mr. Snowden’s whereabouts and associates. When Mr. Levison called the F.B.I. agent who had left the business card, the agent seemed interested in learning how Lavabit worked and what tools would be necessary to eavesdrop on an encrypted e-mail account.

In the days after Mr. Snowden’s e-mail, more than 4,000 new customers joined each day.

“How as a small business do you hire the lawyers to appeal this and change public opinion to get the laws changed when Congress doesn’t even know what is going on?” Mr. Levison said.

When it was clear Mr. Levison had no choice but to comply, he devised a way to obey the order but make the government’s intrusion more arduous. On Aug 2, he infuriated agents by printing the encryption keys — long strings of seemingly random numbers — on paper in a font he believed would be hard to scan and turn into a usable digital format. Indeed, prosecutors described the file as “largely illegible.”

On Aug. 5, Judge Claude M. Hilton ordered a $5,000-a-day fine until Mr. Levison produced the keys in electronic form. Mr. Levison’s lawyer, Jesse R. Binnall, appealed both the order to turn over the keys and the fine.

After two days, Mr. Levison gave in, turning over the digital keys — and simultaneously closing his e-mail service, apologizing to customers on his site.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: