The Federal Bureau of Investigation secretly obtained a court order compelling Lavabit, the email service used by National Security Agency whistleblower Edward Snowden, to hand over its private SSL key, thereby allowing the FBI to monitor Lavabit’s users.
The FBI order was handed down on July 16, according to Wired, shortly after Lavabit refused to bypass the company’s internal security systems to facilitate a government request asking the email provider to trace the IP address of an individual user.
Government documents indicate that the FBI sent Lavabit a so-called “pen register” order on June 28, forcing the Texas-based company to record the connection information belonging to a particular user each time that user logged in to check his or her email. Lavabit was then required to turn that data over to the government.
The pen register came down just weeks after the first Snowden leaks were published in the Guardian and The Washington Post. Among the unveiled programs was PRISM – a massive electronic data mining program employed to collect and store communication data extracted from internet companies including Google, Facebook, Microsoft, and others.
While the identity of the FBI’s Lavabit target was not disclosed in the filings, the suspect is described as having committed violations under the Espionage Act, indicating with near certainty that Snowden was the motivating factor.
The June 28 order, as seen by Wired, required Lavabit to provide all “technical assistance necessary to accomplish the installation and use of the pen/trap device.”
When the company – which is now embroiled in a court battle with the government – refused to comply, authorities filed a motion to compel, saying the single user “enabled Lavabit’s encryption services, and thus Lavabit would not provide the requested information.”
“The representative of Lavabit indicated that Lavabit had the technical capability to decrypt the information, but that Lavabit did not want to ‘defeat its own system,’” the order went on.
Prosecutors soon asked that founder Ladar Levison and Lavabit be held in contempt “for its disobedience and resistance to these lawful orders.” A search warrant was issued demanding “all information necessary to decrypt communications sent to or from the Lavabit email account [redacted] including encryption keys and SSL keys.”
A search warrant and SSL key would grant the government unobstructed access to Lavabit’s servers, and a court informed Levison that he would be fined $5,000 each day he refused to hand over the necessary information.
“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit,” Levison wrote on August 8. “After significant soul searching, I have decided to suspend operations.”
Now embroiled in a costly legal battle, Levison has already raised over $20,000 to pay the necessary legal fees. That makes up half of Levison’s goal, he said, because unfortunately “defending the constitution is expensive.”