- Ladar Levisonfounder, owner and operator of Lavabit.
Ladar Levison, founder of the encrypted email provider Lavabit, details why he was forced to shut down his company last summer after the U.S. government attempted to seize Edward Snowden’s email information and much more. The FBI was targeting Snowden after he exposed the National Security Agency’s surveillance to the world, but in doing so effectively wanted access to the accounts of 400,000 other Lavabit customers. Levison was barred from discussing the case in detail at the time, saying only that he had refused “to become complicit in crimes against the American people.” Earlier this week, a federal judge unsealed key parts of the record detailing the government’s requests from Lavabit, freeing Levison to talk more openly about what happened. “The government was telling bold-faced lies,” Levison says. “It was impossible to trust them with the access they wanted. The only option was to shut down or to become complicit in what they were seeking — the mass surveillance of my customers.”
JUAN GONZÁLEZ: We turn now to the latest on Lavabit, the encrypted email service once used by National Security Agency leaker Edward Snowden. The company abruptly shut down last August. In a message to his customers, the company’s founder, Ladar Levison, wrote at the time, “I have been forced to make a difficult decision: to become complicit in crimes against the American people, or walk away from nearly 10 years of hard work by shutting down Lavabit.” Lavabit founder Levison appeared on Democracy Now! last August in his first television interview to discuss what happened.
LADAR LEVISON: It was a very difficult decision. But I felt that in the end I had to pick between the lesser of two evils and that shutting down the service, if it was no longer secure, was the better option. It was, in effect, the lesser of the two evils.
AMY GOODMAN: What are you facing? When you say “the lesser of two evils,” what was the other choice?
LADAR LEVISON: Unfortunately, I can’t talk about that. I would like to, believe me. I think if the American public knew what our government was doing, they wouldn’t be allowed to do it anymore.
AMY GOODMAN: Lavabit founder Ladar Levison on Democracy Now!, speaking last August.
Well, earlier this week, a federal judge unsealed key parts of the record detailing the government’s request from Lavabit, freeing Levison to talk more openly about what happened. So Ladar joins us now from Dallas, Texas. He just wrote a column for The Guardian headlined “Secrets, Lies and Snowden’s Email: Why I Was Forced to Shut Down Lavabit.”
Ladar, welcome back to Democracy Now! Why were you forced to shut down Lavabit?
LADAR LEVISON: I was forced because I went through what I can only really describe as a show trial, in secret, and at the end of which I was forced to turn over the keys without even being given the opportunity to defend myself or change the circumstances that led to that disclosure. I just felt like, after going through that process and learning everything that I had learned and listening to the prosecutors tell what I can only characterize as bold-faced lies, to use the strongest language possible, it was impossible to trust them with the kind of access that they were demanding. And the only thing that—the only option I had left was to shut down. Either that or, exactly like my letter said, become complicit in what they were planning, which was the mass surveillance of all of my customers.
JUAN GONZÁLEZ: Well, Ladar, why don’t you walk us through this? How did it start? When did they first contact you? And what were they seeking from your company?
LADAR LEVISON: Certainly. They first contacted me in May, although it was unclear at that point who they were targeting or what the investigation was about. Even the agents who contacted me didn’t know at that point. And it’s quite possible that that initial contact was related to another investigation. The key meeting really occurred June 28th of last year, when they knocked on my door and said that they were expecting a warrant to come through any minute now. It arrived on their BlackBerry, and they forwarded it to my email, and we proceeded to have a two- to three-hour conversation. And that was the pen register trap and trace order. And it was in that meeting that they first demanded my SSL keys.
AMY GOODMAN: And explain exactly when this was and how this relates to Edward Snowden.
LADAR LEVISON: Well, this was the end of June. It was a Friday evening, about 5:00 here in Dallas. And, you know, they had just earlier that month issued a subpoena for some account information, some registration information on a particular account. And from what I understand, going back over the official record, roughly June 28th was when the mailroom delivered it to the prosecutor, and they immediately went to the judge and got the pen register trap and trace order. And based on that previous contact in May, they realized that if they wanted to get access to the historical contents, they would need to capture the password in order to decrypt the data that was stored on disk. And they realized that the only way to do that was to conduct a man-in-the-middle attack on all of the encrypted connections coming into and out of my network.
AMY GOODMAN: Just to be clear, June 2013, so this is right after Edward Snowden’s first revelations that came out in The Guardian.
LADAR LEVISON: That’s correct.
JUAN GONZÁLEZ: And when you say the pen register [trap] and trace order and SSL, could you explain what those are?
LADAR LEVISON: Certainly. Well, it goes back to the '70s. And basically, the Supreme Court held that the federal government could capture any information going over the wire that you routinely shared with your service provider. So these pen register trap and trace devices were built, constructed to record the telephone numbers that you dialed and trace the telephone numbers of incoming calls. And when it came—when the Supreme Court ruled that you didn't need a search warrant in order to install one of these devices, the U.S. Congress reacted by passing the pen register trap and trace statutes that effectively set up the legal statutory basis for the installation of these devices. And they’re not required to get—to establish probable cause, to undergo strict scrutiny, in order to install one of these devices.
I think what’s important to understand is that when these laws were passed, we were talking about devices that were installed on an individual’s line and that were physically constructed in a way in which they could only collect incoming and outgoing telephone numbers and the length of telephone calls. And over time, based on various court rulings—some secret, some not—the court has effectively expanded the authority of these statutes so that now they can install them on Internet service providers at the service provider and use them to scan and record metadata coming into and out of the entire provider’s network, presumably filtering out and only recording and transmitting back the information that is related to the targeted accounts.
Now, in that statute is a technical assistance provision, which traditionally means identifying the line, providing physical access, helping the agents install the device. Well, in my particular case, the agents believed that that included the authority to demand my SSL encryption key. When I first appeared in court, the judge agreed with me that something as proprietary and secret as a private encryption key did not qualify as technical assistance. And what’s important is that when—he said in that same hearing that “that was why I signed a SCA search warrant for that information.”
Well, after that hearing, which I was forced to appear at without a lawyer, because I wasn’t given adequate time to find one who could legally represent me in that courtroom, I was able to hire a lawyer. I was able to file a motion to quash that search warrant. Well, we had a hearing on that search warrant August 1st, which was a Thursday, and the judge ruled against us and the next day issued an opinion in which he stated, “And for the reason stated in the government’s brief.” Well, the government’s brief included that original pen register trap and trace authority argument.
Well, the following Monday, the judge issued a contempt order ex parte, even though my lawyer indicated to both the prosecutor and the court that he wanted to at least appear and object to that contempt order. Well, because the order was affirmed so quickly and ex parte, we were never able to file an objection to that authority. And it was on that ground that the appellate court ruled that I had waived my right to appeal that particular legal basis for the contempt charge.
AMY GOODMAN: Ladar Levison, can you talk about the documents that were released this week, the search warrant, and what surprised you most in what came out?
LADAR LEVISON: Certainly. Well, I don’t believe these documents were available to the appellate court, but they only go to support my assertion that they really intended to capture more than just metadata. It wasn’t until the appellate hearing that the prosecutor even admitted that the only information they couldn’t collect without the SSL keys was when the user was logging in and when the user was logging out. And that’s because all of the other information that they were authorized to collect is sent from service provider to service provider in the clear.
Now, what these documents show is that they went after the encrypted data, the user-level encryption keys and the source code that was necessary to process that information if you had the password. Now either they have the ability to break some of the most fundamentally trusted and relied upon encryption standards in the world, and we don’t know about it, or they were really planning to exceed their own authority and capture passwords off of the wire.
I think it’s probably also worth pointing out that any compromise solution that I offered, which would have provided a technical guarantee that they stayed within the bounds of what the court had authorized, was flat-out rejected. They demanded the SSL keys from day one and continued to pursue that demand until I shut down. It’s also probably worth pointing out that after I shut down and it was clear that they could no longer capture passwords, they dropped the request for the source code.
JUAN GONZÁLEZ: Now, what are your next steps? Are you considering moving your company abroad to be able to be able to provide your customers the kind of privacy that they want?
LADAR LEVISON: Well, in the short term, I’m focusing on the Dark Mail development project, which is really an effort that I’m carrying out in conjunction with Silent Circle to really reinvent the mail protocols that we use and bake in end-to-end encryption in such a way that the client can do the encryption without the user having any knowledge of how it works or how to make it work. The idea is that’s the only way we can bring encryption to the masses. And I’ve really put off the problem of restarting Lavabit as a service provider until I finish that work. I just think it’s too important.
AMY GOODMAN: Ladar, we only have a minute, and I wanted to ask—the target was Snowden. His name is redacted in the documents you got, but part of the unsealed record dealt with so-called accomplices of the target, of Snowden. Is that right?
LADAR LEVISON: Yeah. I think it’s—and that was actually the portion of the document that I had to go to court to get unsealed. They didn’t want people to realize that they were trying to find out who was emailing back and forth with the suspect, presumably journalists. And they were going to use the evidence that they had collected to demand the private data of those individuals, presumably to figure out what had been given to those individuals.
AMY GOODMAN: Ladar Levison, we want to thank you very much for being with us. We will continue to follow your case, as well, founder, owner and operator of Lavabit. When we come back, we’re going to Kansas City to speak with the attorney for the death row prisoner whose execution was stayed last night by the U.S. Supreme Court. Stay with us.