Risk

10/4/2013
12:28 PM
50%
50%

Lavabit Owner Fined For Resisting FBI Demands

Unsealed court documents reveal new details in encrypted email service provider's role in protecting identity of whistleblower Edward Snowden.

The owner of shuttered encrypted email service provider Lavabit was being fined $5,000 per day after he refused to give the FBI unfettered access to the systems being used to handle every Lavabit user's communications.

That fact was revealed this week after a federal judge unsealed more than 160 pages of partially redacted documents relating to a June 28 authorization of a pen registration trap on the email account of a Lavabit account holder and to subsequent legal wrangling between Lavabit founder Ladar Levison and federal prosecutors.

While the account holder's name was redacted throughout the court documents, all evidence points to it being NSA whistleblower Edward Snowden. In fact, his name was mentioned extant in one document -- filed by Levison's attorney -- but only in relationship to recent concerns by the public over U.S. government spying.

[ 13 men have been charged with attacking sites of RIAA and other organizations thought to be hostile to piracy sites and WikiLeaks. Read more at Operation Payback: Feds Charge 13 On Anonymous Attacks. ]

Levison's service was built to provide anonymity -- not just for the content of their messages, but also the date and time they were sent, the IP addresses for which they were intended, and other metadata. Ultimately, rather than comply with a court order requiring him to disclose all encryption keys and SSL keys pertaining to Snowden's account, as well as all information necessary to decrypt data stored in or otherwise associated with that account, Levison pulled the plug on Lavabit.

His move drew plaudits from many privacy advocates.

But the full story is a little more complicated, as the unsealed court documents now reveal. For starters, Levison -- who was previously subject to a gag order -- was in a bind. "I have always agreed to the installation of the pen register device," he said in a related court hearing on July 16, according to the unsealed documents. "I have only ever objected to turning over the SSL keys because that would compromise all of the secure communications in and out of my network, including my own administrative traffic."

But under U.S. law, with a court order, the FBI has a legal right to install a pen trap device and retrieve email metadata during a criminal investigation. Levison, however, had built a system where the keys encrypting the content of emails were the same keys used to encrypt metadata, and he couldn't easily separate one from the other without extensive coding changes to Lavabit's infrastructure. While he offered to undertake such changes -- in return for "reasonable expenses" of at least $2,000 to cover 60 days' worth of development work -- the FBI argued, and a judge agreed, that given the ongoing criminal investigation, it had a right to the information in a much more timely manner.

So Levison offered to retrieve required messages on a daily basis and upload them to an FBI server. Again, however, the bureau said that wouldn’t meet its requirements; it apparently wanted to follow Snowden's email-related metadata in real time. Levison, meanwhile, argued that the FBI's request for real-time pen trap information didn't appear to be required in the wording of the subpoena he'd received.

On August 2, facing the prospect of a $1,000 daily fine for noncompliance, Levison did furnish the FBI with a printout of the information that would be required to operate the pen register. But according to a court document filed by U.S. Attorney Neil H. MacBridge, which read, "this printout, in what appears to be 4-point type, consists of 11 pages of largely illegible characters," it would prove worthless to the bureau if, after the information had been entered manually, any single character was typed incorrectly. Levison subsequently failed to provide the requested information electronically in an industry standard format, despite repeated requests from the Department of Justice.

As a result, a federal judge slapped Levison with a $5,000 daily fine on August 5. Three days later Levison pulled the plug on Lavabit, which he said had more than 400,000 subscribers and generated annual income of between $50,000 and $100,000. Because he was subject to a gag order, Levison released a statement at that time saying only, "I've shut down Lavabit because I refuse to be complicit in the crimes against the American people and the U.S. Constitution. I wish I could say more about our situation."

He also launched an appeal for funds to help pay for related legal costs. The fundraising campaign, which lists a goal of $96,000, by Friday morning had raised more than $70,000, courtesy of more than 1,800 donors.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
10/8/2013 | 4:06:07 PM
re: Lavabit Owner Fined For Resisting FBI Demands
If you trust the government of Venezuela or Iceland to not issue a secret court order giving them direct, surreptitious access to local versions of Lavabit, or the NSA then hacking into their access mechanism.
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
10/7/2013 | 10:05:38 PM
re: Lavabit Owner Fined For Resisting FBI Demands
So clearly this just means we're setting up a server in Venezuela now or Iceland and firing Lavabit back online? Subpoena's will then be useless.
1.9 Billion Data Records Exposed in First Half of 2017
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/20/2017
Get Serious about IoT Security
Derek Manky, Global Security Strategist, Fortinet,  9/20/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.