Feeds

Snowden's email provider gave crypto keys to FBI – on paper printouts

Lavabit founder says snoops demanded total access

Providing a secure and efficient Helpdesk

The former operator of a secure email service once used by NSA leaker Edward Snowden has been fined $10,000 for failing to give federal agents access to his customers' accounts, newly released court documents show.

In August, Ladar Levison shut down Lavabit, his security-minded email business, rather than comply with government demands that he claimed would have made him "complicit in crimes against the American people."

At the time, a gag order prevented him from discussing the details of his situation. But court documents unsealed on Wednesday reveal that the FBI wanted Levison to hand over encryption keys that would have given federal agents "real time" access to not just Snowden's account, but the accounts of all 40,000 of Lavabit's customers.

To Levison, that was going too far. "You don't need to bug an entire city to bug one guy's phone calls," he told The New York Times. "In my case, they wanted to break open the entire box just to get to one connection."

Levison claims he had complied with legal surveillance requests in the past, and that he proposed logging and decrypting just Snowden's communications and uploading them to a government server once per day.

But the FBI said that wasn't enough. It wanted access to the private SSL certificates used to encrypt all traffic on Lavabit, which Levison says would have given agents up-to-the-minute access to the emails of every Lavabit user. In July it produced a federal warrant ordering Levison to turn them over.

Prosecutors claim that monitoring Snowden was the only goal and that spying on Lavabit's other users was never part of the plan. "There's no agents looking through the 400,000 other bits of information, customers, whatever," one said during a hearing in August. But Levison still balked.

He certainly deserves credit for his pluck. Levison complied with the letter of the order, but he delivered the encryption keys as strings of numbers printed out on paper, rather than as electronic files. What's more, he intentionally printed them in a font designed to be hard to scan, one prosecutors described as "largely illegible."

Federal Judge Claude Hilton was not amused. He found Levison in contempt of court and levied a fine of $5,000 per day until the keys were provided in electronic form.

Levison held out for two days but finally relented, only to shut down Lavabit at the same time he gave up the certificates – a move a prosecutor later described as "just short of a criminal act."

Levison now says he hopes to one day revive his business, which he founded in 2004 and had been operating as a full-time job since 2010. But he also wants to make the public aware of what happened to him and the potential pitfalls for other businesses in the face of unchecked government surveillance.

"How as a small business do you hire the lawyers to appeal this and change public opinion to get the laws changed," Levison told the NYT, "when Congress doesn't even know what is going on?"

At least one Congressman has sided with Levison, however. Libertarian-leaning Rand Paul, the Republican junior senator for Kentucky, has urged voters to sign a petition against NSA spying and to donate to Campaign for Liberty, a conservative pressure group that has agreed to help fund Levison's legal defense.

"Even though he's lost his main source of income, Ladar Levison is fighting back," Paul wrote in a statement. "I believe his legal battle is a key part in our shared fight to restore our Fourth Amendment freedoms." ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.