Faced with the untenable decision of becoming what he called a “listening post” for the FBI, Lavabit founder Ladar Levison said he had an ethical obligation to his customers and the community to shut down the secure email service used by NSA whistleblower Edward Snowden.
Levison, who this week filed an appeal of the court order demanding the SSL keys that would unlock all the traffic coming in and out of his company’s network, gave a wide-ranging interview to CBC Radio’s The Current program. He told the Canadian show that his company’s fate was sealed the day the FBI showed up on his doorstep looking for help, because if he had turned over the keys in secret to the federal authorities and been found out, Lavabit’s customers would have fled.
Levison said he believes there are three things that should be held sacred and, above all else, remain confidential: system passwords, encryption keys and source code.
“They were demanding those encryption keys. They were demanding the password to my business’ identity and once they had it, they could masquerade as my business and intercept everything coming in and out of my network: passwords, credit card numbers, user names, email content, instant messages, all of that was secured by this set of encryption keys,” Levison said.
Levison said the FBI wanted to monitor all of his customers’ movements, not just Snowden’s, whose name has been redacted from court documents as the FBI’s target. The comment merits note because this week, during a CATO Institute daylong program on NSA surveillance, ACLU principal technologist Chris Soghoian said companies such as Lavabit, secure messaging provider Silent Circle and secure backup specialist SpiderOak are differentiated by the privacy and security features in their products.
“The U.S. is a leader in small businesses providing secure communications services,” Soghoian said during a panel discussion. “When the U.S. government compels a Lavabit to comply, it’s a death sentence. Comply, and your reputation is destroyed. Secure communication services are under threat. We should want this part of the economy to grow.”
Levison reiterated during the CBC interview that he did not want to subvert the trust his company had built with its users by turning over the keys in secret and being forced by law to keep quiet about it, even though he believed the FBI was exceeding its statutory authority in demanding Lavabit’s SSL keys.
“I’ve had people tell me that the government describes it as a gap in their surveillance network,” he said of secure messaging providers such as Lavabit. The government even described its frustration with the Tor anonymity network in Snowden documents, in particular an NSA presentation called “Tor Stinks,” released by the Guardian last week. “You’re one of the few services left in the U.S. they are not actively monitoring,” Levison said he was told. “They wanted to close that gap in their surveillance network. But because of the way it was designed, the only way to close that gap was to put a monitoring device on my network and demand my encryption keys. Couple that with the ferocity with which they wanted it kept secret made it even more bothersome.”
Levison said this saga began in May when an FBI agent left a business card on his door along with a note asking him for a meeting. Levison and the agent exchanged emails and Levison said the FBI wanted to ask questions about his service, streamlining the process of serving subpoenas and getting him enrolled in InfraGard.
Lavabit was a POP or IMAP email service provider offering free service along with a paid version that also offered secure storage that included encryption of email messages. He said the FBI wanted to conduct surveillance on the unnamed customer—Levison said he did not know who Snowden was at the time—and wanted the ability to intercept not only his password but content, record it and send it back to their servers.
“When the FBI first approached me with a court order on June 28, they told me they were going after content, passwords and metadata,” Levison told CBC. “Only when I got a lawyer did I realize they had a right only to the metadata. In fact, I was going to add code that would log metadata daily and turn that over to them. The FBI declined the offer and continued to pursue my SSL keys.”
Levison said the FBI wanted to collect metadata and more information on their own from his company’s network, and refused to give him the transparency he requested to confirm that they were collecting data only on this one specific customer.
“They said ‘Give us your private information and trust us,’” Levison said. “And that’s not a tenable position for me.”
Wired reported today on Levison’s appeal to the 4th U.S. Circuit Court of Appeals and also has the full 42-page document available on its website.