Lavabit founder: Feds ORDERED email providers to stay open
Plus: Moxie labels shuttered service's crypto no better than 'a promise not to peek'
Lavabit's founder has claimed other secure webmail providers who threatened to shut themselves down in the wake of the NSA spying revelations had received court orders forcing them to stay up.
Ladar Levison made the claim during a recent Reddit AMA (ask-me-anything) Q&A chat without going into details about the alleged strong-arm tactics.
When I was deciding whether to shut down, the decision really boiled down to whether users would prefer to have their emails secretly snooped, or simply lose their service altogether. Since the court prevented me from telling anyone the situation, I had to make that choice for everyone. I had to decide on behalf of everyone without the benefit of their feedback. In the end I chose to shut down.
Why didn't I warn anyone? Because if the feds had known I was planning to shut down they would have gotten a court order requiring me to continue operating the service. If I had shut down the service after receiving such an order I would have almost certainly been charged with obstruction of justice. I've been told that other service providers have threatened a shut down and received such orders.
Asked to go into details, Levison responded: "I didn't ask and my source, who shall remain nameless, didn't tell."
The exchange occurred in the midst of an ongoing appeal to overturn a contempt-of-court ruling against Lavabit and its owner Levison for resisting a government subpoena and search warrant that would have put the private communications of Lavabit's 410,000 customers at direct risk of government snooping.
Levison brought down the shutters on Lavabit's encrypted email service in August, rather than play ball with court orders that initially demanded metadata about an undisclosed user. Whistleblower Edward Snowden was among the paid-up users of Lavabit and it is widely assumed the court actions were the result of attempts by the National Security Agency (NSA) to get at Snowden through Lavabit.
Edward Snowden reportedly used the Lavabit email address firstname.lastname@example.org to send invites to human rights lawyers and activists to a press conference during his confinement at Moscow's Sheremetyevo International Airport back in July.
The Feds targeted Snowden’s email provider more than a month before this in a legal action that started the day after the NSA whistleblower went public, Wired reports.
A PGP key reportedly attached to the Lavabit account suggests he'd been using the service since 2010, although security experts reckon he must have used a more secure methodology for anything sensitive.
The government's move against Lavabit was resisted tenaciously by Levison. After much wrangling, Levison eventually handed over Lavabit's cryptographic key in digital form, after earlier trying to satisfy a court order by printing out and handing over a copy of the key in 4-point type, a move that irked the judge handling the case.
After Lavabit resisted complying with government demands, it was held in contempt of court and fined $5,000 a day until it turned a machine-readable version of the key over.
Days after handing over the encryption key, a move that would have made it much easier for the NSA or other federal agencies to run man-in-the-middle attacks against Lavabit, Levison pulled down the shutters on the service, which he had been running for 10 years prior to its closure.
The contempt of court order became the subject of an appeal, which argues that forcing Lavabit to hand over its encryption keys violated the US Constitution's Fourth Amendment, which prohibits unreasonable searches and seizures. In the course of the latest legal exchanges, government lawyers disputed arguments by Lavabit's lawyers (PDF) that handing over the encryption key would enable the government to spy on every user of the service, not just those that they had obtained a warrant against.
That other information not subject to the warrant was encrypted using the same set of keys is irrelevant; the only user data the court permitted the government to obtain was the data described in the pen/trap order and the search warrant. All other data would be filtered electronically, without reaching any human eye.
Government lawyers argue that "just as a business cannot prevent the execution of a search warrant by locking its front gate, an electronic communications service provider cannot thwart court-ordered electronic surveillance by refusing to provide necessary information about its systems".
DoJ attorneys also dismissed Lavabit's argument that disclosing its encryption keys was incompatible with offering a secure email service. Marketing a business as a "secure" service to consumers provides no legal obstacle to court orders, US government lawyers state in the conclusion to their argument (PDF).
Lavabit claims the right to ignore those courts and thwart such investigations simply by offering for sale, to the general public, encrypted email. Because there is no reason to treat a business that offers encrypted email services differently from any other business, this court should affirm the district court’s order for sanctions.
An informed discussion of the latest legal broadsides in this landmark privacy rights case can be found in a post on the Sophos Naked Security blog.
In the wake of the Lavabit shut-down, Silent Circle closed its Silent Mail email service days afterwards. The security firm, which boasts Phil Zimmermann as a co-founder, made the move with an eye on potential trouble ahead and not in response to any "subpoenas, warrants, security letters, or anything else by any government".
Silent Circle has since allied with Lavabit's Levison to create the Dark Mail Alliance, which aims to build an email system that provides end-to-end encryption. Jon Callas, CTO of Silent Circle, cofounder of the Dark Mail Alliance and a long-time collaborator with Zimmermann stretching back to their PGP days, outlined the project in an interview with El Reg here.
Was Lavabit a house built of straw?
Cryptographer Moxie Marlinspike put together a damning critique of Lavabit's claims which concluded that its security was little more than a “promise not to peek”. Marlinspike pitched into the Reddit AMA with Levison to take him to task for pre-takedown claims that Lavabit was "so secure even we can't read your email". The exchanges are recorded there and are well worth reviewing for anybody with an interest in the technical challenges ahead for anyone hoping to develop a truly secure "NSA proof" email service.
Marlinspike raised the issue because he remains concerned over how reliable any future claims Levison might make about offering bulletproof email security might be, as he explains in his opening remarks.
Yes it is completely true that there was nothing Lavabit could have done within the configuration of a standard SMTP/POP/IMAP server to be secure in the way that it advertised, without dedicated client support.
It's not Ladar's fault that the e-mail infrastructure doesn't natively support end-to-end security, but I do think that we should hold him accountable for advertising that his system provided a false level of security.
When people knowingly sell snake oil, I think we should hesitate to support their future security endeavours, particularly endeavours with virtually no technical information available in advance. What if it puts users at risk all over again?
An independent take on the daunting challenges that come with putting together a secure email system can be found in a guest article by Matthew Green, a cryptographer and research professor at Johns Hopkins University, in the New Yorker here. ®