Crackdown on Lavabit violated Constitution, ACLU and EFF claim

Opponents of the United States government’s use of subpoenas to compromise an encrypted email service call the court’s actions unreasonable and unnecessary, and say the result of the catastrophic security event is a chilling effect felt around the world.

Those are the words written by attorneys for three groups who have filed friend-of-the-court briefs in support of Lavabit, the recently shuttered email provider used by National Security Agency leaker Edward Snowden and roughly 400,000 other customers around the globe.

Pursuant to a federal investigation, Lavabit was compelled by a court order earlier this year to provide authorities with the details pertaining to a single user of the site. The highly secure structure of Lavabit made performing such a narrowly-tailored wiretap highly burdensome, though, and in lieu of less intrusive alternatives, the government forced the company to disclose the SSL keys used to encrypt all Internet traffic traveling in and out of its servers.

Although the subject of the investigation remains under seal, it is believed by many closely following the case that the identity is all-too-likely Edward Snowden, the 30-year-old former NSA contractor who began leaking secrets about the US and international intelligence community to the media earlier this year. Rather than opening up just a single target for surveillance, though, the surrendering of the SSL keys caused all communications made by hundreds of thousands of Lavabit users to become prone to government eavesdropping.

“This is like trying to hit a nail with a wrecking ball,” attorneys for the Electronic Frontier Foundation, an international non-profit digital rights group, argue in the amicus they filed in the case.

Lavabit shut down immediately after eventually heeding the court’s request and is now appealing the decision in federal court. This week, amici curiae penned by counsel for the EFF, the American Civil Libertues Union and a new Internet start-up named Empeopled were filed in court supporting Lavabit’s fight.

Attorneys for the ACLU argue in their brief that “Congress has explicitly refrained from requiring electronic communication service providers like Lavabit to design their services in a way that enables the government to easily access their users’ data,” and that forcing the site to surrender its SSL keys was unreasonable and undermined the company’s lawful business model.

Elsewhere, it’s argued that the model of the Internet itself is put in jeopardy over the court’s actions. “It would require little effort for even an unsophisticated hacker to intercept an  individual’s unencrypted emails, financial information or medical records as they passed over the Internet,” the ACLU writes. The attorneys note that the Google’s decision to make SSL encryption the default way in which messages travel over its Gmail system was hailed by the Federal Bureau of Investigation’s general counsel, and law and industry regulations often mandates that its utilized.

“[R]requiring back doors in all communications systems by law runs counter to how the Internet works and may make it impossible for some companies to offer their services,” the ACLU quotes from Rep. John Conyers (D-Michigan).

Attorneys for the EFF argue in their brief that “Encrypted online communications form the backbone of the modern Internet” and call the private key pried away from Lavabit “the service provider’s crown jewel, opening the door to every user’s online interactions with the website.”

“The security depends on the secrecy of the key,” the EFF says, “—once it is compromised, the security model is shattered.”

“By forcing Lavabit to turn over its private keys, the government not only disrupted the security model on which the Internet depends, it also violated the Fourth Amendment,” they say.

The “wrecking ball” approach, the EFF adds, would have monstrous implications if applied to a site not as niche as Lavabit. And because Lavabit was compelled to comply with handing over its keys, it is no longer unreasonable to assume a request could be made by the government to any other Internet company.

“In the case of Facebook, having the private key used by the company would give unfettered access to the personal information of almost 20 percent of all of the human beings on the planet obtained through the Facebook site for three years,” the attorneys write.

“[T]he breach of a private key compromises the security of the HTTPS protocol as a whole and should be considered a catastrophic security event, one that has the potential to have a profound effect on not only the security of HTTPS, but on the United States economy as well,” adds the EFF, referring to “Hypertext Transfer Protocol Secure,” or the infrastructure that allows for encrypted Web communications to occur.

“This case presents an unprecedented use of the subpoena power. The government here claims that, with a mere subpoena, it can compel a disclosure that would in one fell swoop destroy Lavabit’s business and expose the communications of every single one of its users to government scrutiny,” the EFF argues. “Were this true, there would be no limiting principle preventing the government from undermining the security of any website that relies on public key encryption — from Facebook to Google to Bank of America to Amazon — all with a single subpoena.”

But while the ACLU and EFF argue that the subpoena was unconstitutional on account of its eroding of Fourth Amendment protections, attorneys for Empeopled, self-described as “an early-stage startup company dedicated to advancing democratic self-governance through social media,” say the government’s action goes against an American ethos that predates the Constitution. Empeopled says the right of a citizen to political privacy, as protected by the Fourteenth Amendment unlocks the door to the First Amendment-protected right to free speech, “helping to ensure that everyone gets to participate in deciding our nation’s future — minorities and dissidents included.”

With the re-writing of privacy rules with regards to the Internet, Empeopled argues the US is interfering with a machine that enables political speech, association and discourse, and all of that could now be compromised on an international level. Meanwhile, at leasttwo fellow security vendors have already thrown in the towel and voluntarily shut down in order to avoid being faced with the same types of requests and forced to violate the trust of their users — early reverberations indicating that a chilling effect is already occurring as Lavabit fights their appeal.

Ladar Levison, the 32-year-old owner and founder of Lavabit, has said he is prepared to take his case to the Supreme Court.