A Federal court struck down Lavabit’s appeal today, affirming contempt of court sanctions against the now-shuttered secure email provider that was forced to release its SSL keys to the FBI last year.
Those keys could have decrypted emails belonging to the company’s founder Ladar Levison along with Lavabit’s entire user base, a collective of 400,000 that reportedly included former National Security Agency contractor turned whistleblower Edward Snowden. Levison ultimately shut Lavabit down in August 2013 before disclosing the keys.
According to the ruling, issued today by the Unites States Court of Appeals for the Fourth Circuit, (.PDF) one of Lavabit’s biggest missteps is that it failed to raise its arguments before the District Court after it was initially held in contempt last year, something that “significantly alters the standard of review.”
Lavabit specifically argued against the Pen/Trap Statute, an order that allows the placement of a pen register and a trace-and-trap device on its system. Pen/Trap orders are court-ordered surveillance mechanisms that give the government access to all “non-content dialing, routing, addressing and signaling information” on a real-time basis for 60 days.
Lavabit’s appeal contended that the government overstepped the bounds of the Pen/Trap order when the FBI asked the firm to release its SSL keys.
Apparently Levison only made one statement in his appeal that related to the order and that was back in July when he objected to turning over the private keys, insisting the move would “compromise all of the secure communications in and out of his network.”
Levison’s argument was not comprehensive enough, in the eyes of the court, which called the remark “vague,” and simply a reflection of his personal angst at the time over having to comply with the order.
“Lavabit never challenged the statutory validity of the Pen/Trap Order below or the court’s authority to act. To the contrary, Lavabit’s only point below alluded to the potential damage that compliance could cause to its chosen business model,” Judge G. Steven Agee, who authored the decision, wrote in the ruling today.
Agee’s opinion – joined by Judges Paul Niemeyer and Roger Gregory – was that the Pen/Trap Order levied on Lavabit always covered the encryption keys.
“If Lavabit truly believed the Pen/Trap Order to be an invalid request for the encryption keys, then the Government’s continuing reliance on that order should have spurred Lavabit to challenge it,” the decision reads, adding that the company should have acted after the district court issued the order on Aug. 1.
“Lavabit failed to make its most essential argument anywhere in its briefs or at oral argument,” Judge Agee said.
Lavabit brought up a handful of other arguments – that the case should be viewed as a matter of “immense public concern,” that the firm was unrepresented during some of its proceedings, etc. – but the court found no merit in these arguments, choosing not to rule on these claims.
“We reiterate that our review is circumscribed by the arguments that Lavabit raised below and in this Court. We take this narrow course because an appellate court is not a freestanding open forum for the discussion of esoteric hypothetical questions,” Agee wrote regarding Lavabit’s claims.
“The district court did not err, then, in finding Lavabit and Levison in contempt once they admittedly violated that order,” the ruling says of Lavabit’s actions, in closing.
The 10-year-old encrypted email service used a single set of SSL keys for all of its users that would unlock all traffic coming in and out of the company’s network.
Levison publicly maintained in an interview last fall that the FBI was exceeding its statutory authority in demanding Lavabit’s keys and claimed he was being forced by law to keep quiet about the case.
Refusing to become a “listening post” for the FBI Levison elected to shut down the service in August amid looming legal threats that would have given the government access.
After filing his appeal Levison gave users a brief five day window of time in October to download their email archives and account data in October.
As Snowden is clearly tangled up in an ongoing criminal investigation his name isn’t directly mentioned in today’s ruling, but it’s common knowledge that it’s his information the FBI was seeking when it initially imposed the Pen/Trap Statute on Lavabit last year.
In a talk at February’s TrustyCon conference, one of Levison’s lawyers, former Electronic Frontier Foundation attorney Marcia Hofmann, said that the Lavabit case could prove to be just the beginning and that the incident should help prompt other outfits to reconsider how to handle government requests.
“We need to update our threat models. Ladar was worried about data at rest, not data in transmission. The threats are different than we thought. Security and privacy enhancing services are really in the crosshairs. To the extent that you design a service like Lavabit, you should be thinking about how you’re going to deal with government requests,” Hofmann said.