SAN FRANCISCO–The Lavabit case, which saw the secure email provider’s owner shut the company down after being forced to hand over to the government the encryption key that protected his users’ data, may seem like an extreme reaction to a unique situation. But experts say it’s likely that there will be similar situations in the near future, and technology providers and users should change the way they think about what the threats to their data may be.
The FBI went to Lavabit’s founder, Ladar Levison, last year in the wake of the NSA revelations and demanded access to the encrypted emails of one of its users, Edward Snowden. After a lot of back and forth and legal wrangling, Levison eventually turned over the encryption key that protected the communications of all of his users, and then promptly closed the business. Marcia Hoffman, one of Levison’s lawyers, said that she believes there will soon be other cases like Lavabit.
“I don’t believe that Lavabit is a unicorn,” she said in a talk at the TrustyCon conference here Thursday. “We need to update our threat models. Ladar was worried about data at rest, not data in transmission. The threats are different than we thought. Security and privacy enhancing services are really in the crosshairs. To the extent that you design a service like Lavabit, you should be thinking about how you’re going to deal with government requests.”
Those threats now include not just attackers and cybercriminals, but governments and their lawyers. Hoffman said that the way the government is interpreting surveillance and wiretapping laws now has put technology companies in a difficult position. CALEA, the statute that requires telecom companies and others to help law enforcement agencies with lawful intercept and wiretapping operations, specifically didn’t apply to information technology companies, she said.
“The government has taken the position that a service provider has to provide any information that the government wants,” she said. “If you don’t like turning over your keys, you can just backdoor your system. Putting this kind of pressure on Internet companies really flies in the face of what Congress decided.”
The Lavabit case is still wending its way through the court system, as Levison is appealing a contempt of court order against him. Hoffman said that the broader issues related to the case–the use of encryption and the government’s efforts to get at encrypted data–will only become more important in the months and years ahead. And she also warned users not to become too enamored of new, supposedly surveillance-resistant communications services that are springing up.
“If you don’t have a reasonable expectation of privacy in encrypted data, where do you have that expectation?” she said. “We need to stop making promises to users that we don’t know if we can keep, like NSA-proof email. I would be very skeptical of claims like that. I don’t know if anybody can actually make a promise like that.”