Feeds

Snowden's email provider gave crypto keys to FBI – on paper printouts

Lavabit founder says snoops demanded total access

Next gen security for virtualised datacentres

The former operator of a secure email service once used by NSA leaker Edward Snowden has been fined $10,000 for failing to give federal agents access to his customers' accounts, newly released court documents show.

In August, Ladar Levison shut down Lavabit, his security-minded email business, rather than comply with government demands that he claimed would have made him "complicit in crimes against the American people."

At the time, a gag order prevented him from discussing the details of his situation. But court documents unsealed on Wednesday reveal that the FBI wanted Levison to hand over encryption keys that would have given federal agents "real time" access to not just Snowden's account, but the accounts of all 40,000 of Lavabit's customers.

To Levison, that was going too far. "You don't need to bug an entire city to bug one guy's phone calls," he told The New York Times. "In my case, they wanted to break open the entire box just to get to one connection."

Levison claims he had complied with legal surveillance requests in the past, and that he proposed logging and decrypting just Snowden's communications and uploading them to a government server once per day.

But the FBI said that wasn't enough. It wanted access to the private SSL certificates used to encrypt all traffic on Lavabit, which Levison says would have given agents up-to-the-minute access to the emails of every Lavabit user. In July it produced a federal warrant ordering Levison to turn them over.

Prosecutors claim that monitoring Snowden was the only goal and that spying on Lavabit's other users was never part of the plan. "There's no agents looking through the 400,000 other bits of information, customers, whatever," one said during a hearing in August. But Levison still balked.

He certainly deserves credit for his pluck. Levison complied with the letter of the order, but he delivered the encryption keys as strings of numbers printed out on paper, rather than as electronic files. What's more, he intentionally printed them in a font designed to be hard to scan, one prosecutors described as "largely illegible."

Federal Judge Claude Hilton was not amused. He found Levison in contempt of court and levied a fine of $5,000 per day until the keys were provided in electronic form.

Levison held out for two days but finally relented, only to shut down Lavabit at the same time he gave up the certificates – a move a prosecutor later described as "just short of a criminal act."

Levison now says he hopes to one day revive his business, which he founded in 2004 and had been operating as a full-time job since 2010. But he also wants to make the public aware of what happened to him and the potential pitfalls for other businesses in the face of unchecked government surveillance.

"How as a small business do you hire the lawyers to appeal this and change public opinion to get the laws changed," Levison told the NYT, "when Congress doesn't even know what is going on?"

At least one Congressman has sided with Levison, however. Libertarian-leaning Rand Paul, the Republican junior senator for Kentucky, has urged voters to sign a petition against NSA spying and to donate to Campaign for Liberty, a conservative pressure group that has agreed to help fund Levison's legal defense.

"Even though he's lost his main source of income, Ladar Levison is fighting back," Paul wrote in a statement. "I believe his legal battle is a key part in our shared fight to restore our Fourth Amendment freedoms." ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.