Feeds

Snowden's email provider gave crypto keys to FBI – on paper printouts

Lavabit founder says snoops demanded total access

High performance access to file storage

The former operator of a secure email service once used by NSA leaker Edward Snowden has been fined $10,000 for failing to give federal agents access to his customers' accounts, newly released court documents show.

In August, Ladar Levison shut down Lavabit, his security-minded email business, rather than comply with government demands that he claimed would have made him "complicit in crimes against the American people."

At the time, a gag order prevented him from discussing the details of his situation. But court documents unsealed on Wednesday reveal that the FBI wanted Levison to hand over encryption keys that would have given federal agents "real time" access to not just Snowden's account, but the accounts of all 40,000 of Lavabit's customers.

To Levison, that was going too far. "You don't need to bug an entire city to bug one guy's phone calls," he told The New York Times. "In my case, they wanted to break open the entire box just to get to one connection."

Levison claims he had complied with legal surveillance requests in the past, and that he proposed logging and decrypting just Snowden's communications and uploading them to a government server once per day.

But the FBI said that wasn't enough. It wanted access to the private SSL certificates used to encrypt all traffic on Lavabit, which Levison says would have given agents up-to-the-minute access to the emails of every Lavabit user. In July it produced a federal warrant ordering Levison to turn them over.

Prosecutors claim that monitoring Snowden was the only goal and that spying on Lavabit's other users was never part of the plan. "There's no agents looking through the 400,000 other bits of information, customers, whatever," one said during a hearing in August. But Levison still balked.

He certainly deserves credit for his pluck. Levison complied with the letter of the order, but he delivered the encryption keys as strings of numbers printed out on paper, rather than as electronic files. What's more, he intentionally printed them in a font designed to be hard to scan, one prosecutors described as "largely illegible."

Federal Judge Claude Hilton was not amused. He found Levison in contempt of court and levied a fine of $5,000 per day until the keys were provided in electronic form.

Levison held out for two days but finally relented, only to shut down Lavabit at the same time he gave up the certificates – a move a prosecutor later described as "just short of a criminal act."

Levison now says he hopes to one day revive his business, which he founded in 2004 and had been operating as a full-time job since 2010. But he also wants to make the public aware of what happened to him and the potential pitfalls for other businesses in the face of unchecked government surveillance.

"How as a small business do you hire the lawyers to appeal this and change public opinion to get the laws changed," Levison told the NYT, "when Congress doesn't even know what is going on?"

At least one Congressman has sided with Levison, however. Libertarian-leaning Rand Paul, the Republican junior senator for Kentucky, has urged voters to sign a petition against NSA spying and to donate to Campaign for Liberty, a conservative pressure group that has agreed to help fund Levison's legal defense.

"Even though he's lost his main source of income, Ladar Levison is fighting back," Paul wrote in a statement. "I believe his legal battle is a key part in our shared fight to restore our Fourth Amendment freedoms." ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.