Long Before the Apple-FBI Battle, Lavabit Sounded a Warning

While Apple's very public battle has dominated mainstream media, Lavabit's case played out in secret under seal for many months.

Three years ago, Ladar Levison, the founder of the now-defunct secure email service known as Lavabit, was in the same position Apple finds itself today: facing off against a formidable government foe with unlimited resources and an aggressive determination to break his tech company's defiance.

But although the two have found themselves on the same path, their fates are already proving to be very different. Where Apple's very public battle has received strong support from dozens of tech giants like Microsoft and Facebook and has dominated mainstream media for weeks and been discussed in congressional hearings and presidential debates, Levison's case played out in secret under seal for many months. He was left largely to fight the government on his own under extreme duress, including the threat of arrest if he didn't do what it wanted---which was hand over the encryption keys for his email service so the government could access Edward Snowden's Lavabit account and look at his email.

But the two cases also differ for another important reason: Levison didn't have the resources or time to assemble a highly skilled legal team to fight his battle and properly exercise his right to due process. Although he approached one of the attorneys who is now representing Apple for help, he couldn't afford the lawyer's fees and in the absence of other options ended up representing himself during the initial stages of his fight---a move that ultimately proved to be his, and Lavabit's, undoing.

"There was a lot more pressure back in 2013," he told WIRED recently. "Everything happened over the course of a few weeks, which is an incredibly short period of time [to mount an adequate defense]."

Levison shut down Lavabit back then rather than let the government undermine the privacy of his users, and the legal case against him ended on a technicality months after it began. But it was the canary in the coal mine that foreshadowed what was to come. It highlighted the extraordinary and aggressive measures the government was willing to take in its standoff with tech companies and also highlighted how the odds are stacked against firms, and the customers they represent, who don't have the resources or friends that Apple has to fight back.

But Levison's case has an even more direct connection to Apple's battle than this: it made a surprising cameo this month in a brief filed by US attorneys in that case. The attorneys invoked the Lavabit case in a footnote as part of a not-so-veiled threat to Apple, suggesting that if the tech giant continued to defy a court order to create a software tool that could help the government access the San Bernardino iPhone, the government's next step might be to compel Apple to hand over its source code and signing key so the FBI could create the software tool itself.

"For the reasons discussed above, the FBI cannot itself modify the software on Farook’s iPhone without access to the source code and Apple’s private electronic signature," the government wrote in the footnote. "The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers. See In re Under Seal, 749 F.3d 276, 281-83 (4th Cir. 2014) (affirming contempt sanctions imposed for failure to comply with order requiring the company to assist law enforcement with effecting a pen register on encrypted e-mail content which included producing private SSL encryption key)."

The sealed case referenced in the footnote is Levison's. The implication is that a 4th Circuit Appellate Court ruling in the Lavabit case set a precedent for the government to demand Apple's source code and signing key. Levison took umbrage at this in a Facebook post published Tuesday night, lambasting the government for grossly misrepresenting his case. The ruling that the government cited in its footnote simply upheld a contempt citation against Levison issued by a lower court. It wasn't a ruling on the substantive legal issue raised in his case---whether the government had the authority to compel Lavabit to hand over its encryption keys. The three-judge panel punted on that important question by ruling that Levison had forfeited his right to appeal, based on what Levison says was a "contrived" technicality.

"The government's citation of the Lavabit case, and their description of its outcome, is disturbingly disingenuous," Levison wrote on Facebook. "The language used [in the footnote] is incredibly misleading, as it insinuates a precedent unsupported by the appellate court’s ruling.... This verbiage suggests the seizure of third party encryption keys was found lawful by the appellate court, which is wholly unsupported by the appellate court’s opinion."

A review of the Lavabit case is insightful for what it tells us about the battles that tech companies are facing today and the importance of due process to ensure that they have the ability to adequately defend themselves and their customers.

"The current Apple case, together with the Lavabit case, join a growing litany of recent court decisions which have eroded away our personal liberties," he wrote in his Facebook post. "Taken together, these rulings force us to ask difficult questions. Specifically, can the federal government be trusted to defend our rights, and protect our freedom?"

How It Began

On June 28, 2013, shortly after newspapers published the first NSA leaks from Edward Snowden, FBI agents showed up at Levison's door in Texas to serve him with a pen register order for the email account of one of his customers. Pen register devices collect metadata like the "to" and "from" lines on email messages as well as the IP addresses used to access the email account, but they don't collect the content of communications. The agents also told him verbally, however, that they wanted his SSL keys---the keys used to encrypt passwords and other data that passed between his customers and his web site.

Levison has been barred from identifying the target of the investigation, and information about the customer was redacted from court documents later made public, but as WIRED and others reported in 2013, there was never doubt in anyone's mind that the target was Edward Snowden, who was known to have a Lavabit email account and was hiding in a safe house in Hong Kong when Levison was served with the pen register order. A recent clerical error made by the government confirmed that Snowden was the target.

Levison spoke to the FBI agents without seeing the pen register order---they said they had sent it to him in email---and he told them he needed to consult an attorney. But as with the Apple case, the government didn't wait to get a response from him. Instead, they immediately filed a motion to compel his compliance. US Magistrate Judge Theresa Buchanan ordered Lavabit to comply or face a criminal contempt citation.

The problem was that Levison, like Apple, had specifically engineered his system with privacy in mind and it was not designed to log metadata. In order to comply, he had to figure out a way to capture that data and at the same time quickly find an attorney to represent him, which wasn't easy since the Fourth of July holiday was approaching.

Going After the Source Code

A week later on July 9, when he hadn't provided the government with any metadata, authorities filed for a summons ordering him to appear at a US District Court in Virginia on July 16 to explain why he hadn't complied. Two days later, the government served him with a grand jury subpoena demanding his SSL keys. They would later issue a search warrant for his SSL keys as well---which meant they had used three methods to obtain them, including the pen register order, the grand jury subpoena and the warrant. They said they were seeking the keys because his system wasn't engineered to provide metadata. Levison said he would modify his system to provide the metadata, but the government said it didn't trust him and that even if he did this it wouldn't provide them with data in real time as the keys would.

“Anything done by Mr. Levison in terms of writing code or whatever, we have to trust Mr. Levison that we have gotten the information that we were entitled to get since June 28th,” prosecutor James Trump told US District Judge Claude M. Hilton, in a closed-door hearing in Virginia on August 1. “He’s had every opportunity to propose solutions to come up with ways to address his concerns and he simply hasn’t.”

But Levison figured out that the government was misrepresenting to the court what it wanted. It wasn't really metadata it was seeking but Snowden's password. If the government could get Lavabit's SSL keys---which it was trying so desperately to get---it would be able to intercept and see Snowden's password and communications in real time and also use that password to decrypt and read his protected communications stored on Lavabit servers. Unlike the Apple case, where the government appears to be confident that it can brute-force crack the password on the San Bernardino iPhone, Levison suspects the government knew Snowden had likely chosen a complex password for his Lavabit account that would have been impervious to brute-force attacks, so they wanted the SSL keys in order to intercept the password and get his stored communication as well, which Lavabit didn't have the ability to decrypt. Using those keys to get Snowden's password, however, meant they would have been able to get the passwords and communication of every other Lavabit customer as well, since the data streams they would intercept to get his password would also include the password and communication of other customers. Lavabit had 410,000 user accounts at the time. Like the Apple case, the government insisted it was only interested in one account, but Levison knew that handing over the keys put all of his customers at risk.

Going It Alone

Levison was at an extreme disadvantage, however. Unlike Apple, his case was sealed, so he couldn't gather support from the public to take on the government. He also still didn't have an attorney. He had to find one that could represent him in Virginia, where the case had moved once it advanced from the magistrate level. "It's hard to [find an attorney] when the case is sealed, because you can't do anything publicly. I couldn't send anything to a list [to ask for referrals]," he says.

He interviewed more than a dozen lawyers in the week before his July 16 hearing, but most of them worked in criminal defense and didn't understand the privacy issues that were at stake. "Most would say my options were to give the FBI what it wants or go to jail. I don't need an attorney for either of those options. I need an attorney capable of giving me a third option," Levison says of that search now. He finally found Jesse Binnall, a criminal defense attorney who seemed to understand the larger issues at stake and wanted to help. But Binnall wasn't able to make it to court the day of Levison's hearing, so Levison had to represent himself. Binnall had a week to prepare for the next hearing, but the court barred him from consulting outside experts who could help explain the complex technical issues to him and also wouldn't give him timely access to transcripts from the previous hearing so he could know what had been said. He had to rely on Levison's memory and knowledge of the legal issues that were discussed.

During the next hearing, Binnall tried to argue that all of Lavabit's customers were at risk if the government got its SSL keys, but the judge believed the government was only after a single account and ordered Levison to hand over the keys. With no other option, he did so the next day. In an act of defiance, however, he gave the government the keys in a printout of 11 pages all in minuscule, 4-point type.

“To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data,” prosecutors complained to the court.

No Other Choice

The judge found him to be in contempt and ordered Levison to hand over the keys in electronic form or be fined $5,000 for every day he didn't comply. He racked up $10,000 in fines before he did what the court ordered. But he also did something else: he immediately shuttered Lavabit, preventing the government from now getting the data it wanted and signaling to customers and the rest of the world, in the only way he could, that something was amiss.

“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit,” he wrote in a cryptic note posted to his web site on August 8. “After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on---the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.”

And in a final warning to customers, which reverberated far beyond his client base, he wrote, "This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States."

Of this warning, Levison says that he was foreshadowing exactly what is happening to Apple now. "I did everything I could to tell people. When I said ... that you should not trust your private data to a product or service with physical ties to the US, this is what I meant."

With the issue finally public after the closure, though not the details, Levison appealed the contempt charge and fine to the 4th Circuit Court of Appeals. During his appeal, he and his attorney raised some of the important Fourth Amendment privacy issues that Apple is raising now.

But the appellate judges, as noted, avoided addressing them. Because he had failed to raise an objection at an earlier stage of the case about the government's unlawful use of the pen register statute to obtain SSL keys, an issue his attorney was now raising in the appeal, the judges said he had waived his right to appeal. It didn't matter to the court that Levison had been forced to represent himself during those rapid early stages of his case and had been denied an extension of time to prepare a proper defense.

The ignoble end to both his secure messaging platform and the landmark privacy case meant the court never resolved the crucial precedent-setting question of whether the government could compel a company to give up the master encryption keys for its entire operations to help them spy on the communication of a single user. In hindsight, that may have been a lucky oversight for encryption advocates.

Avoiding a Precedent

"The court focused its decision on procedural aspects of the case unrelated to the merits of Lavabit’s claims,” ACLU attorney Brian Hauss, said at the time. “On the merits, we believe it’s clear that there are limits on the government’s power to coerce innocent service providers into its surveillance activities.”

Levison has said that if he'd had more time and resources, he might have been able to preserve his business and his customers' privacy.

"It's possible that if I had more resources and better attorneys and attorneys at the first ... hearing, they might have realized that [the judge] had basically allowed [the government] to collect SSL keys under the pen register, trap-and-trace order [and object to it at that early stage]," he says.

But he doesn't think that Judge Hilton would have favored them. Hilton is a former FISA Court judge---the secret court responsible for granting the FBI and NSA permission to conduct one of their most controversial surveillance programs, the bulk phone records collection program exposed by Snowden.

"It was pretty clear, based on everything that happened and how it happened, that he had an inherent bias [in favor of the government]," Levison says.

He also thinks that if he had lawyers sooner in the process and more time "that technicality that they tried to throw at me at the appeal level would certainly never have happened. We would have been able to force the appellate court to make a decision" on the substantive issues.

But it's probably better that the appellate judges didn't ultimately rule on those issues. Three years ago, the mood in the country was very different. Many of Snowden's biggest revelations were still to come, and public awareness of government surveillance wasn't anywhere near where it is today. As a result, few judges were pushing back against that surveillance in the way some of them are today. If the appellate judges had ruled that the government could indeed legally seize Lavabit's encryption keys in the way that they did, it would have set a bad precedent for other companies to fight.

Levison tried to address that precedent in his appeals. "We... brought it up in our appellate brief, that based on the government's theory [of its powers], there is no limit to what they could demand [next] ... and Apple has basically said the same thing," he says. It is likely that Apple, one of the most successful companies in the world---and which has immensely more money and resources than Lavabit had---will have better luck getting that message heard.