Snowden Email Provider Remains in Contempt
(CN) - The former email provider of National Security Agency leaker Edward Snowden should be held in contempt for trying to keep its metadata out of the government's hands, the 4th Circuit ruled.
Snowden publicized his Lavabit email address, email@example.com, while holed up at Moscow's Sheremetyevo International Airport over the summer before Russia gave him temporary asylum.
The former NSA contractor had gone into hiding after leaking documents about the government's secret surveillance of Americans' phone records.
When Snowden used the Lavabit email address to inform human rights activists that he would hold an airport press conference, federal agents served Lavabit with a pen/trap register order requiring it to provide metadata association with Snowden's email account.
Since Lavabit's system was not designed to retain that information, however, the company was then served with the warrant to turn over its master encryption Secure Sockets Layer (SSL) key.
Surrendering the SSL key would open the full email communications of approximately 400,000 Lavabit users to government scrutiny, an investigation method that the Electronic Frontier Foundation (EFF) likened with "trying to hit a nail with a wrecking ball."
Lavabit ultimately complied with the subpoena, but it did not surrender the key by the stipulated deadline, and employed stalling methods such as providing the government with the keys in 4-point font.
U.S. District Judge Claude Hilton in Alexandria, Va., then held the company in contempt and fined it $5,000 per day until it complied - in a standard legible format.
The website abruptly shut down a short time later, its owner stating that he would not "become complicit in crimes against the American people."
The EFF described the case as "an unprecedented use of the subpoena power."
It could undermine "the security of any website that relies on public key encryption - from Facebook to Google to Bank of America to Amazon - all with a single subpoena," the group's amicus brief to the 4th Circuit said.
"The breach of a private key should be considered a catastrophic security event," the EFF added.
The American Civil Liberties Union also filed an amicus brief.
But the Richmond, Va.-based federal appeals court upheld the warrant Wednesday, finding that Lavabit waived its appellate arguments by failing to raise them in the District Court.
"Interpreting the Pen/Trap Statute's third-party-assistance provision would require us to consider technological questions of fact," for the first time, Judge Steven Agee wrote for the three-judge panel.
Furthermore, "Lavabit failed to make its most essential argument anywhere in its briefs or at oral argument: it never contended that the district court fundamentally or even plainly erred in relying on the Pen/Trap Statute to compel Lavabit to produce its keys," the 41-page opinion states (emphasis in original). "Yet Lavabit bears the burden of showing, 'at a minimum,' plain error."
Lavabit urged the court to take the case as a matter of "immense public concern."
But Agee said that "if an issue is of public concern, that concern is likely more reason to avoid deciding it from a less-than-fully litigated record." (Emphasis in original.)