Email Security Trampled in Snowden Pursuit, Groups Say

     (CN) – It undermined Internet security everywhere when federal investigators infiltrated Lavabit after learning that National Security Administration whistle-blower Edward Snowden sent email from the site, two nonprofits told the 4th Circuit.
     Snowden publicized his Lavabit email address, edsnowden@lavabit.com, while holed up at Moscow’s Sheremetyevo International Airport this summer before Russia gave him temporary asylum.
     The former National Security Agency contractor had gone into hiding after leaking documents about the government’s secret surveillance of Americans’ phone records.
     When Snowden used the Lavabit email address to inform human rights activists that he would hold an airport press conference, federal agents served Lavabit with a pen register order requiring it to provide metadata association with the email account the government sought.
     Since Lavabit’s system was not designed to retain that information, however, the company was then served with the warrant to turn over its master encryption Secure Sockets Layer (SSL) key.
     U.S. District Judge Claude Hilton in Alexandria, Va., refused to quash the warrants, but Lavabit still refused to surrender the key by the stipulated deadline.
     The court then held Lavabit in contempt and levied a $5,000-per-day fine until it complied.
     Though Lavabit ultimatlely complied, it abruptly shut down its service a short time later, obliquely citing government pressure as the reason.
     In an Aug. 8 open letter, Lavabit owner Ladar Levison said, “I have been forced to make a difficult decision to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit.”
     The service reopened briefly in mid-October to afford users a chance to download an archive of their stored messages and personal account information.
     As Levison appeals the contempt order to the 4th Circuit, the American Civil Liberties Union and the Electronic Frontier Foundation filed amicus briefs Thursday on behalf of Lavabit.
     Snowden is not explicitly mentioned in either brief, and the NSA is mentioned in the ACLU’s brief as a source of cybersecurity expertise.
     In fact, as the case caption suggests, the actual names of the defendants in the case, United States of America v. Under Seal 1; Under Seal 2, remain under seal.
     Both briefs argue that the subpoena was unreasonable and unnecessary.
     Rather than simply furthering an investigation of a single individual, surrender of the SSL key would open all communications made by the estimated 400,000 Lavabit users to government scrutiny, according to the briefs.
     “This is like trying to hit a nail with a wrecking ball,” the EFF’s brief says.
     It said such a search violates the Fourth Amendment protections against overly broad warrants.
     “The government interfered with Lavabit’s possessory interest in the key, in the process destroying its business and threatening to expose the private communications of its customers,” the brief states.
     It said the warrant “had no limitations or protections for these innocent customers, casually destroying their privacy as collateral damage. Seeking Lavabit’s private key to access the communications of one customer fails the minimization and particularity requirements of the Fourth Amendment and turns the warrant at issue here into a general warrant – no different than a warrant to search all houses in a city to find the papers of one suspect.”
     In calling the subpoena “arbitrarily excessive,” the EFF highlighted some of the less burdensome alternatives Lavabit offered the government.
     Investigators refused an offer by Lavabit to disclose information pertaining only to the target of the investigation, the EFF.
     The ACLU noted how “Lavabit offered to write new code that would allow it to provide daily updates of the non-content information related to the target of the government’s investigation, including the target’s ‘login and subsequent logout date and time, the IP address used to connect,’ and ‘non-content headers … from any future emails sent or received using the subject account.'”
     In rejecting this proposal, the government allegedly quibbled over the lack of “real-time access” to Snowden’s data.
     The EFF described the case as “an unprecedented use of the subpoena power.”
     It could undermine “the security of any website that relies on public key encryption — from Facebook to Google to Bank of America to Amazon – all with a single subpoena,” the brief states.
     “The breach of a private key should be considered a catastrophic security event,” the EFF added.
     On Saturday, anti-secrecy activists marched outside the U.S. Capitol to demand the Congress investigate the mass surveillance programs Snowden revealed.

%d bloggers like this: