Unsealed Lavabit docs show that Feds demanded SSL keys

Ever since Lavabit, the privacy-oriented email provider used by whistleblower Edward Snowden, shut down abruptly in August, we've been wondering what, exactly, the Feds had demanded of founder Ladar Levison. As he wrote in his cryptic note, he felt that he was facing an order that would make him "complicit in crimes against the American people," but he was legally unable to say more.

But now, thanks to unsealed records, we're able to get some insight into what the NSA and the Feds demanded of Lavabit (and, presumably, of other companies that have not shut down). First they asked him to decrypt the communications of one of their customers (almost certainly Edward Snowden). When they were told that this wasn't technically possible, they demanded that the system be modified to make it possible, and when Lavabit balked, they got a court order requiring that Lavabit turn over its SSL keys, compromising all of the company's users' communications. Funnily enough, Levison "complied" with this court order by turning over the keys as 11 pages of 4-point type, but the court didn't go for that.

Hilton ruled for the government. “[The] government’s clearly entitled to the information that they’re seeking, and just because you-all have set up a system that makes that difficult, that doesn’t in any way lessen the government’s right to receive that information just as they could from any telephone company or any other e-mail source that could provide it easily,” said Hilton.

The judge also rejected Lavabit’s motion to unseal the record. “This is an ongoing criminal investigation, and there’s no leeway to disclose any information about it.”

In an interesting work-around, Levison complied the next day by turning over the private SSL keys as an 11 page printout in 4-point type. The government, not unreasonably, called the printout “illegible.”

“To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data,” prosecutors wrote.

The court ordered Levison to provide a more useful electronic copy. By August 5, Lavabit was still resisting the order, and the judge ordered that Levison would be fined $5,000 a day beginning August 6 until he handed over electronic copies of the keys.

On August 8, Levison shuttered Lavabit, making any attempt at surveillance moot. Still under a gag order, he posted an oblique message saying he’d been left with little choice in the matter.

Edward Snowden’s E-Mail Provider Defied FBI Demands to Turn Over Crypto Keys, Documents Show [Kevin Poulsen/Wired]

Related coverage by Nicole Perlroth and Scott Shane in the New York Times. “You don’t need to bug an entire city to bug one guy’s phone calls,” Levison told the Times. “In my case, they wanted to break open the entire box just to get to one connection.”

And more from Cyrus Farivar in Ars Technica.

(Thanks, Sulka!)