They confirm much of what had been suspected about the conflict between the pro-privacy e-mail company and the federal government, which led to Lavabit voluntarily closing in August rather than compromise the security it promised users.
The filings show that Lavabit was served on June 28 with a so-called "pen register" order requiring it to record, and provide the government with, the e-mail "from" and "to" lines on every e-mail, as well as the IP address used to access the mailbox. Because they provide only metadata, pen register orders can be obtained without "probable cause" that the target has committed a crime.
In the standard language for such an order, it required Lavabit to provide all "technical assistance necessary to accomplish the installation and use of the pen/trap device"
A conventional e-mail provider can easily funnel email headers to the government in response to such a request. But Lavabit offered paying customers a secure email service that stores incoming messages encrypted to a key known only to that user. Lavabit itself did not have access.
Lavabit founder Ladar Levison balked at the demand, and the government filed a motion to compel Lavabit to comply. Lavabit told the feds that the user had "enabled Lavabit's encryption services, and thus Lavabit would not provide the requested information," the government wrote.
"The representative of Lavabit indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to `defeat [its] own system,'" the government complained.
U.S. Magistrate Judge Theresa Buchanan immediately ordered Lavabit to comply, threatening Levison with criminal contempt -- which could have potentially put him in jail.
By July 9, Lavabit still hadn't defeated its security for the government, and prosecutors asked for a summons to be served for Lavabit, and founder Ladar Levison, to be held in contempt "for its disobedience and resistance to these lawful orders."
A week later, prosecutors upped the ante and obtained the search warrant demanding "all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys."
With the SSL keys, and a wiretap, the FBI could have decrypted all web sessions between Lavabit users and the site, though the documents indicate the bureau still trying only to capture metadata on one user. Levison went to court to fight the demand on August 1, in a closed-door hearing before Claude M. Hilton, Senior U. S. District Court Judge for the Eastern District of Virginia.
"The privacy of ... Lavabit's users are at stake," Lavabit attorney Jesse Binnall told Hilton. "We're not simply speaking of the target of this investigation. We're talking about over 400,000 individuals and entities that are users of Lavabit who use this service because they believe their communications are secure. By handing over the keys, the encryption keys in this case, they necessarily become less secure." [Facebook page of Bronley & Binnall, PLLC.]
... Lavabit has raised approximately $30,000 in an online fundraising drive to finance its appeal to the 4th Circuit. Today the appeals court extended the deadline for opening briefs to October 10.
The complete document set follows.
[Read on ...]
