New York Times
POSTED: 01:30 a.m. HST, Oct 03, 2013
DALLAS >> One day last May, Ladar Levison returned home to find an FBI agent's business card on his Dallas doorstep. So began a four-month tangle with law enforcement officials that would end with Levison's shutting the business he had spent a decade building and becoming an unlikely hero of privacy advocates in their escalating battle with the government over Internet security.
Prosecutors, it turned out, were pursuing a notable user of Lavabit, Levison's secure email service: Edward J. Snowden, the former National Security Agency contractor who leaked classified documents that have put the intelligence agency under sharp scrutiny. Levison was willing to allow investigators with a court order to tap Snowden's email account; he had complied with similar narrowly targeted requests involving other customers some two dozen times.
But they wanted more, he said: the passwords, encryption keys and computer code that would essentially allow the government untrammeled access to the protected messages of all his customers. That, he said, was too much.
"You don't need to bug an entire city to bug one guy's phone calls," Levison, 32, said in a recent interview. "In my case, they wanted to break open the entire box just to get to one connection."
On Aug. 8, Levison closed Lavabit rather than, in his view, betray his promise of secure email to his customers. The move, which he explained in a letter on his website, drew fervent support from civil libertarians but was seen by prosecutors as an act of defiance that fell just short of a crime.
The full story of what happened to Levison since May has not previously been told, in part because he was subject to a court's gag order. But on Wednesday, a federal judge unsealed documents in the case, allowing the tech entrepreneur to speak candidly for the first time about his experiences. He had been summoned to testify to a grand jury in Virginia; forbidden to discuss his case; held in contempt of court and fined $10,000 for handing over his private encryption keys on paper and not in digital form; and, finally, threatened with arrest for saying too much when he shuttered his business.
Spokesmen for the Justice Department and the FBI said they had no comment beyond what was in the documents.
Levison's battle to preserve his customers' privacy comes at a time when Snowden's disclosures have ignited a national debate about the proper limits of surveillance and government intrusion into American Internet companies that promise users that their digital communications are secure.
Much of the attention has been focused on Internet giants like Microsoft and Google. Lavabit, with just two employees and perhaps 40,000 regular users, was a midget by comparison, but its size and Levison's personal pledge of security made it attractive to tech-savvy users like Snowden.
While Levison's struggles have been with the FBI, hovering in the background is the NSA, which has worked secretly for years to undermine or bypass encrypted services like Lavabit so that their electronic message scrambling cannot obstruct the agency's spying. Earlier in September, The New York Times, ProPublica and The Guardian wrote about the NSA's campaign to weaken encryption. Levison's case shows how law enforcement officials can use legal tools to pry open messages, no matter how well protected.
Levison said he set up Lavabit to make it impossible for outsiders, whether governments or hackers, to spy on users' communications. He followed the government's own secure coding guidelines, based on the NSA's technical guidance, and engineered his systems so as not to log user communications. That way, even if he received a subpoena for a user's communications, he would not be able to gain access to them. For added measure, he gave customers the option to pay extra to encrypt their email and passwords.
Levison, who studied politics and computer science at Southern Methodist University, started Lavabit in April 2004, the same month Google rolled out Gmail. To pay his bills, he worked as a Web consultant, helping develop websites for major brands like Dr Pepper, Nokia and Adidas. But by 2010, the email service had attracted enough paying customers to allow Levison to turn to Lavabit full time.
On occasion, he was asked to comply with government requests for specific email accounts, including that of a child pornography suspect in Maryland this year. Levison said he had no qualms about cooperating with such demands, but the latest request was far broader, apparently to allow investigators to track Snowden's whereabouts and associates. When Levison called the FBI agent who had left the business card, the agent seemed interested in learning how Lavabit worked and what tools would be necessary to eavesdrop on an encrypted email account.
The agent did not mention at first who the government was pursuing, and Levison will not name the targets of the government's investigation. The name was redacted from the court order unsealed Wednesday, but the offenses listed are violations of the Espionage Act, and the timing of the government's case coincides with its leak investigation into Snowden, which began last May when he fled Hawaii for Hong Kong carrying laptops containing thousands of classified documents.
By then, Snowden's Lavabit email address was already public. He had listed his personal Lavabit email address in January 2010, and was still using a Lavabit address this July, when he summoned reporters to a news conference at the Moscow airport.
That email invitation proved to be an unintended endorsement for Lavabit's security. Before that, Levison said that, on average, Lavabit was signing up 200 new users daily. In the days after Snowden's email, more than 4,000 new customers joined each day.
But a month before the news conference, court documents show, Levison had already received a subpoena for Snowden's encrypted email account. The government was particularly interested in his email metadata - with whom Snowden was communicating, when, and from where. The order, from the U.S. District Court in Alexandria, Va., required Levison to log Snowden's account information and provide the FBI with "technical assistance," which agents told him meant handing over the private encryption keys, technically called SSL certificates, that unlock communications for all users, he said.
"It was the equivalent of asking Coca-Cola to hand over its secret formula," Levison said.
By July, he said, he had 410,000 registered users. Similar services like Hushmail, a Canadian encrypted email service, had lost users in 2007 after court documents revealed that the company had handed 12 CDs' worth of decoded emails from three Hushmail accounts to American law enforcement officials through a mutual assistance treaty.
"The whole concept of the Internet was built on the idea that companies can keep their own keys," Levison said.
He told the agents that he would need their request for his encryption keys in writing.
A redacted version of that request, which was among the 23 documents that were unsealed, shows that the court issued an order July 16 for Lavabit's encryption keys. Prosecutors said they had no intention of collecting any information on Lavabit's 400,000 other customers. "There's no agents looking through the 400,000 other bits of information, customers, whatever," Jim Trump, one of the prosecutors, said at a closed Aug. 1 hearing.
But Levison said he spent much of the following day thinking of a compromise. He would log the target's communications, unscramble them with the encryption keys, and upload them to a government server once a day. The FBI told him that was not enough. It needed his target's communications "in real time," he said.
"How as a small business do you hire the lawyers to appeal this and change public opinion to get the laws changed when Congress doesn't even know what is going on?" Levison said.
When it was clear Levison had no choice but to comply, he devised a way to obey the order but make the government's intrusion more arduous. On Aug. 2, he infuriated agents by printing the encryption keys - long strings of seemingly random numbers - on paper in a font he believed would be hard to scan and turn into a usable digital format. Indeed, prosecutors described the file as "largely illegible."
On Aug. 5, Judge Claude M. Hilton ordered a $5,000-a-day fine until Levison produced the keys in electronic form. Levison's lawyer, Jesse R. Binnall, appealed both the order to turn over the keys and the fine.
After two days, Levison gave in, turning over the digital keys - and simultaneously closing his email service, apologizing to customers on his site. That double maneuver, a prosecutor later told his lawyer, fell just short of a criminal act.
Meanwhile, he hopes to resurrect the business he spent a decade building. "This wasn't about one person," Levison said. "This was about the lengths our government was willing to go to conduct Internet surveillance on one person."