The New Frontier of Privacy: Lavabit’s Encrypted Email No More
For most Americans, large chunks of our lives play out online. We have numerous social media sites, we check our bank accounts through “secured” websites, and we use email for almost all we do—work, social plans, and everything in between. It’s sad, but I can say without a doubt that there have been days where I have interacted with people over email more than in person. And every day, we’re reminded that our Internet lives are lulled into a false sense of security. Yet we still make our email password the name of our dog combined with the year we were born, and assume digital theft will never happen to us.
In 2004, Texas-based Ladar Levison created Lavabit, a highly encrypted email host that aimed to fix these Internet security problems for anyone who wanted it. Characterizing Lavabit as highly encrypted is actually a gross understatement—Lavabit encryption was viewed as uncrackable for even government intelligence agencies. There were free and paid versions of Lavabit’s email services. As of August 2013, Lavabit counted about 410,000 users.
One of these users was the now infamous Edward Snowden; his Lavabit email address was discovered this July. The Federal Government almost immediately obtained a search warrant commanding that Lavabit allow the government access to its system.
Because of the way this request was phrased—the government wanted access to the entire Lavabit system, not just Snowden’s account—Levison refused to cooperate. Levison was first instructed to hand over the “SSL” keys to his site (essentially a way to allow the government to view all the information contained in Lavabit accounts). Levison first responded to this order by handing over the SSL keys on paper in tiny font, rendering them almost unusable. Finally he handed over the SSL keys digitally—he will pay a $10,000 fine for that delay—but shut down the site.
No one is completely sure exactly why Levison suspended the site, given that he is now under gag order. He has said that he is banned from sharing some information even with his lawyer. He has also said that he could be arrested for closing down Lavabit instead of just releasing the SSL keys. He is currently filing an appeal with the United State Court of Appeals for the Fourth Circuit. His appeal is based on the Fourth Amendment, which prevents unreasonable search and seizure. He has also claimed that the government cannot ask a company to do something that will go directly against the purpose of their business. His lawyers likened it to “commanding the City of Richmond to give the police a key to every house within the city limits. To comply with the government’s subpoena would have either required Lavabit to perpetrate a fraud on its customer base or shut it own entirely.”
Lavabit did actually go back online very briefly for 72 hours starting the evening of October 14th so that users could download any emails they needed that remained on the site. As of yet, there are no plans for Lavabit to reopen.
This shutdown offers ramifications for any other sites that offer completely encrypted email services. Silent Circle, one of Lavabit’s competitors, shut down its silent email software right after Lavabit went dark.
Levison’s appeal will be interesting to watch. In a modern world that is inundated with fast, online, communication, privacy is always at issue. Online identity should be a concern for everyone. Can companies create services that allow us to hide those online communications from Big Brother? The results of Levison’s appeal will answer that question, for better or for worse.
Featured image courtesy of [IGregma via Flickr]