A federal appeals court has upheld a contempt citation against the founder of the defunct secure e-mail company Lavabit, finding that the weighty internet privacy issues he raised on appeal should have been brought up earlier in the legal process.
The decision disposes of a closely watched privacy case on a technicality, without ruling one way or the other on the substantial issue: whether an internet company can be compelled to turn over the master encryption keys for its entire system to facilitate court-approved surveillance on a single user.
The case began in June, when Texas-based Lavabit was served with a “pen register” order requiring it to give the government a live feed of the email activity on a particular account. The feed would include metadata like the “from” and “to” lines on every message, and the IP addresses used to access the mailbox.
Because pen register orders provide only metadata, they can be obtained without probable cause that the target has committed a crime. But in this case the court filings suggest strongly that the target was indicted NSA leaker Edward Snowden, Lavabit’s most famous user.
Levison resisted the order on the grounds that he couldn’t comply without reprogramming the elaborate encryption system he’d built to protect his users’ privacy. He eventually relented and offered to gather up the email metadata and transmit it to the government after 60 days. Later he offered to engineer a faster solution. But by then, weeks had passed, and the FBI was determined to get what it wanted directly and in real time.
So in July the government served Levison with a search warrant striking at the Achilles’ heel of his system: the private SSL key that would allow the FBI to decrypt traffic to and from the site, and collect Snowden’s metadata directly. The government promised it wouldn’t use the key to spy on Lavabit’s other 400,000 users, which the key would technically enable them to do.
Levison turned over the keys as a nearly illegible computer printout in 4-point type. In early August, Hilton – who once served on the top-secret FISA court – ordered Levison to provide the keys instead in the industry-standard electronic format, and began fining him $5,000 a day for noncompliance.
After two days, Levison complied, but then immediately shuttered Lavabit altogether.
Levison appealed the contempt order to the 4th Circuit, and civil rights groups, including the ACLU and the EFF, filed briefs in support of his position.
But the appeals court today said that the bulk of Levison’s arguments couldn’t be considered, because he hadn’t clearly raised them in the lower court, where he represented himself without a lawyer for much of the proceedings.
Prior to appeal, Levison’s only voiced objection to turning over the SSL keys was this statement in court: “I have only ever objected to turning over the SSL keys because that would compromise all of the secure communications in and out of my network, including my own administrative traffic.”
“We cannot refashion this vague statement of personal preference into anything remotely close to the argument that Lavabit now raises on appeal: a statutory-text-based challenge to the district court’s fundamental authority under the Pen/Trap Statute,” wrote Judge G. Steven Agee, for the three appellate panel.
“Levison’s statement to the district court simply reflected his personal angst over complying with the Pen/Trap Order, not his present appellate argument that questions whether the district court possessed the authority to act at all,” wrote Agee.
The Lavabit case is the only publicly documented instance where a district judge ordered an internet company to hand over its SSL key to the U.S. government. If the practice had been given the imprimatur of the U.S. 4th Circuit Court of Appeals, it could have opened a new avenue for U.S. spies to expand their surveillance against users of U.S. internet services like Gmail and Dropbox.
“The court focused its decision on procedural aspects of the case unrelated to the merits of Lavabit’s claims,” says ACLU attorney Brian Hauss, in a statement. “On the merits, we believe it’s clear that there are limits on the government’s power to coerce innocent service providers into its surveillance activities.”
The 4th Circuit panel wasn’t terribly sympathetic to the privacy issues during oral arguments in the case. So today’s ruling on a procedural technicality is probably for the best. And the next time a secure e-mail provider tangles with the feds, you can bet it will get a lawyer earlier on in the process.