In August, Edward Snowden’s email provider Lavabit abruptly shut down after issuing a cryptic statement about refusing to become “complicit in crimes against the American people.” Now, more details have emerged about the government surveillance request that prompted the dramatic closure.
According to newly unsealed court documents, it turns out that the Texas-based company was asked to hand over the private encryption keys that secured all Internet traffic to the site. The privacy-focused email provider, of which former NSA contractor Snowden was reportedly a user, was apparently targeted shortly after Snowden outed himself as being responsible for leaking documents about secret surveillance programs.
The court records show that Lavabit was first served with an order demanding metadata on an unnamed customer on June 10, just one day after Snowden went public in a video interview with the Guardian. A couple of weeks later, on June 28, Lavabit was served with a separate so-called “pen register” order requiring it to provide the government with information showing the “to” and “from” lines on every email, plus IP addresses used to access the mailbox, as Wired reported Wednesday. Putting himself at risk of being held in contempt of the order, Lavabit founder Ladar Levison refused to comply with the demand, stating that the targeted user had “enabled Lavabit’s encryption services, and thus Lavabit would not provide the requested information.”
Government prosecutors, likely highly irritated by Levison’s noncompliance, then went one step further. In July, they obtained a search warrant demanding that Lavabit turn over “all information necessary to decrypt communications sent to or from the Lavabit e-mail account [redacted] including encryption keys and SSL keys.” This additional order appears to have been the final straw for Levison, who was already uneasy about the earlier requests. By handing over the encryption keys, his attorney told the court, all of Lavabit’s more than 400,000 users would be compromised, and their use of the service would “necessarily become less secure.”
In an apparent bid to buy himself some time, Levison handed the government a copy of the encryption keys—but in an illegible 11-page printout in 4-point type. He was told that if he did not hand over an electronic copy of the keys he would face $5,000-a-day fines beginning Aug. 6. Instead of complying, Levison took the extraordinary step of shutting down Lavabit for all users on Aug. 8, later commenting in an interview with CNET that the closure “wasn't about protecting a single user, but protecting the privacy of all my users.”
While Snowden is not named in any of the documents, it is now almost certain the targeting of Lavabit is linked to the Justice Department’s criminal investigation into his leaks. The charges listed in the documents are alleged violations of the Espionage Act and theft of government property, the same charges filed against Snowden. Levison is currently trying to raise funds as part of an effort to fight the surveillance attempt in the 4th Circuit Court of Appeals, with opening briefs in the case expected later this month.