Lavabit case highlights legal fuzziness around encryption rules

Defunct secure email service Lavabit argued that the government court order for encrypted email was too sweeping

While privacy advocates may see Lavabit as bravely defending U.S. privacy rights in the online world, federal judges hearing its appeal of contempt-of-court charges seem to regard the now defunct encrypted email service as just being tardy in complying with government court orders.

Attorneys from both Lavabit and the U.S. government agreed that the legal issues between them could have been resolved before heading to court, though neither party seemed to have an adequate technical answer of how Lavabit could have successfully passed unencrypted data to a law enforcement agency in order to meet the government's demands.

Three judges from the 4th U.S. Circuit Court of Appeals in Richmond, Virginia, on Tuesday heard Lavabit's appeal of a contempt-of-court ruling, which it had incurred for not turning over to the government unencrypted data of a single user, presumably Edward Snowden.

Judges Roger Gregory, Paul Niemeyer and Steven Agee presided over the hearing.

For the proceedings, the judges actively listened to and questioned the arguments of both sides, though they seemed wary of turning the case away from the specifics of why Lavabit did not comply with court orders to turn over data on one of its users, and towards the larger issues that Lavabit raised in its highly publicized defense of what scope the government should have over those parties who hold SSL (secure socket layer) keys to encrypted data.

The case had been "blown out of proportion with all these contentions," particularly around the use and possible misuse of the SSL keys, Niemeyer said. "There's such a willingness to believe" that the keys will be misused and that "the government will spy on everyone," he said.

Gregory had stated that "the encryption issue was a red herring," one that drew attention away from Lavabit's non-compliance.

The judges had noted that the case revolved around the validity of court orders, rather than the statutes that provide the basis for the court orders.

In June of last year, secure email service Lavabit was issued a court order to set up a U.S. Federal Bureau of Investigation "pen trap" in order to collect all routing data for one of its customers, thought to be Snowden. Snowden had just come to international attention for leaking classified documents from the U.S. National Security Agency. According to reports, he had used the service to alert the media of a press conference he was about to hold.

A pen trap is software that records all routing, addressing or signalling information between electronic communications, in this case email. Before the judges, Lavabit attorney Ian Samuels argued that Lavabit founder Ladar Levison agreed to set up the pen trap; the company had complied to at least one other similar court order in the past.

The FBI, however, had required the information in real time, and that the information would be unencrypted. Levison balked at these requirements. Nearly two weeks after the court order was issued, he responded by offering to set up an internal process that would unencrypt the user's communications, then send the results to the FBI at the end of 60 days. The only other alternative, he argued, would be to send the law enforcement agency the encrypted data, which would be useless.

The FBI did not agree to this approach, however, and in mid-July, issued a search warrant for Lavabit's SSL keys that would unencrypt the dispatches of interest.

This move proved to be politically explosive, however. Lavabit's SSL keys could unlock the data of all of Lavabit's users, not just the one user under scrutiny. By handing over its private SSL keys, Lavabit would potentially be making every customer's email accessible to the government.

By early August, Lavabit had capitulated and handed over the keys. Shortly after, Levison shuttered the service, stating that continuing operations for the company's 400,000 users would make him "complicit in crimes against the American people." By filing an appeal, Lavabit hopes to clear the contempt of court charge -- along with any financial penalties incurred -- and possibly restore operations.

The judges questioned Lavabit's motives, however. Niemeyer noted in the first court order, "the court is clearly intent in providing unencrypted data," and chastised Lavabit for taking so long to respond. Samuels argued that Levison, being a small business owner with no counsel on hand at the time, was slow in responding, because he was still determining the best way to comply with the court order without sacrificing the privacy of the service's other users.

Niemeyer stated that Lavabit's proposed solution to setting up a process to unencrypt the data was unacceptable, noting that "the FBI didn't want a middleman," and stating that "This is not what [Lavabit] were ordered to provide." Niemeyer also criticized Lavabit for not challenging the initial June 28 order, if it felt that order to be unreasonable.

Niemeyer also had some harsh words for the law enforcement agents on the case, suggesting that they did not work closely enough with Lavabit to overcome the technical obstacles. U.S. attorney Andrew Peterson said he did not know of any reason that Lavabit could not unencrypt the data in real time, though he personally couldn't explain to the court how that would be done.

Peterson argued on behalf of the government that the court order for the SSL keys had only been issued after it was obvious "that any trust between Lavabit and the government had broken down," by mid-July. The company had treated the court orders "like contract negotiations," he said, rather than as a legal requirement. Trust had also been eroded by the long periods of silence from Lavabit.

The judges did not seem to want to dwell on any possible Fourth Amendment issues. The ACLU has pointed out that the U.S. government possessing a set of private SSL keys that could unlock hundreds of thousands of users' emails is clearly a breach of privacy rights.

Peterson stated that the court order for the SSL keys specifically confined the law enforcement agency to only use the keys to examine the information of the one person under investigation.

The judges gave no indication of when they would return a verdict. Peterson said the government has no plans to prosecute Lavabit for obstruction of justice for shutting down its services after installing the pen trap.

Joab Jackson covers enterprise software and general technology breaking news for The IDG News Service. Follow Joab on Twitter at @Joab_Jackson. Joab's e-mail address is

Join the PC World newsletter!

Error: Please check your email address.

Tags CriminalsecurityLavabitlegalencryptiondata protection

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joab Jackson

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?