Contributor Samuel Mantravadi believes that the FBI has overreached in its latest attempt at using technology to track down a potential criminal.
Ladar Levison is somewhat of a hero these days in software and technology news circles. If you’re not up on the latest gossip, Mr. Levison is the founder, developer and CEO of a company called Lavabit that provided secure e-mail services via encryption 1) to and from its servers and 2) while on its servers (two separate methods of encryption).
In the wake of a series of secret subpoenas and search warrants given by the FBI, Mr. Levison has chosen to shutter his services rather than fully comply with the order. In the wake of the e-mail shuttering, another award-winning blog, Groklaw, also chose to stop reporting due to the possible massive invasion of privacy (previous articles still available).
The subject of investigation is a redacted (but presumably easily guessed) e-mail client who was using Lavabit’s (paid) services. (*cough* Edward Snowden *cough*) The problem is, the FBI not only wants access to information stored on Lavabit’s servers: it wants access to everyone’s traffic going into and out from Lavabit’s servers in real time (unencrypted).
On top of this, the FBI sealed the initial and subsequent subpoenas and search warrants so that the CEO could not talk to anyone about the order, not even legal counsel. (Subsequent orders specified that Mr. Levison had this right.) These records were sealed until Ladar’s successful appeal to the 4th circuit court one week ago.
I’m trying to picture the first conversation with his lawyer:
Mr. Lawyer: How may we assist you?
Mr. Levison: Um, yes, I’ve just been served and I need legal counsel.
Mr. Lawyer: What is the subpoena for?
Mr. Levison: I’m sorry, I can’t tell you about it. Suffice it to say that it’s a matter of national security and this conversation is probably being recorded.
Mr. Lawyer: *Click*
Mr. Levison: Hello? Hello?
To be clear, Mr. Levison was willing to comply with the initial order of installation of a real-time tracing device or system. He has complied with similar orders in the past. But rather than give the FBI access to all users entering and leaving his servers, he suggested alternatives that would give the FBI daily tracking by developing custom code (for the princely sum of $3,500 for one man-week of his software development time) and would include ongoing monitoring of the system over a period of 60 days.
The FBI said this would cost too much, they do not trust him to turn over all the metadata they are requesting, and that since it is not real-time, it is not good enough. The FBI has stated in court documents that it needs Mr. Levison’s permission and assistance to install the device, but it insists that it must have access to all user data (in the form of Lavabit’s private SSL keys) in real-time in order to track the single person they are investigating. Mr. Levison also asked if there could be outside monitors for this process to ensure that his 400,000+ other users were not affected, but this request was denied by the courts.
Thus, rather than compromising his promises to his customers, Levison decided to shut down a small business that he had invested ten years of his life to build. The judge in the case blames Lavabit for only using one decryption key (despite the fact that this is the industry standard for most small businesses), and he seems to think that Mr. Levison is untrustworthy (when the FBI clearly says it needs his help installing the tracking device). At this point, with as much as I have read of the court transcripts, it is easy to see why this might be mildly construed as a government overreach.
For the moment, let’s leave aside the fact that the NSA has used a court decision about a purse-snatcher to justify its domestic spying program, that it has experimented with monitoring locations based on cell tower data, that it misled a FISA court judge, or that NSA officers used the program to keep tabs on their love interests. Let’s leave aside that the FBI has been secretive about passing out malware in order to shut down the largest online illicit drug marketplace. (To be clear, I am very glad they caught the guy, but I am just wondering how many privacy standards were violated.)
I took the time to read through the insomnia-curing court documents (all 163 pages!), and the transcripts do make me sympathize with Mr. Levison, who for all intents and purposes appears to be complying with the court orders. At the end of the day, I applaud Mr. Levison for standing up for American liberties. I am gravely concerned that the FBI and NSA have not simply overreached in this case, but also that we in an open democracy are tipping their hands to secrets that were better left unsaid. (According to Mr. Levison: “I didn’t realize that real-time decryption of SSL streams was even possible.”)
If the FBI had quietly taken what they would have been given and worked with Mr. Levison (for a mere $3,500 and a bit of time), I think none of this would be front page news around the world. Maybe he could have given them source code and real-time tracking and worked out pricing at $5,000. How much has the court battle already cost the taxpayers? It is easily more than double what it would have cost them to get what they wanted had they accepted Mr. Levison’s suggestion.
I am saddened that by pursuing their narrow technical agenda, the FBI has tipped off America’s enemies to our capabilities, which are better reserved for tracking terrorists than American citizens. I am certain the target in the investigation will no longer be using Lavabit’s services, whatever the outcome of the appeal on Friday. I think that shutting down Lavabit (and by extension Groklaw) was a smart move (differing respectfully with others who would rather have them open) because they are bringing these discussions to light, especially in the wake of the unsealed court documents that were received last week.
Author’s Note: This article is written as a guest post to reflect my personal views and does not represent nor constitute endorsement on the part of my employer or Church & State.
Editor’s Note: Samuel Mantravadi has a PhD in Electrical Engineering from the Air Force Institute of Technology. He also gives very good back rubs.