STE WILLIAMS

Lavabit, a now-defunct private email service, appeared in court on Tuesday to appeal against a contempt of court ruling centred around the company not handing over unencrypted data of one of its users – widely believed to be ex-NSA whistleblower Edward Snowden.

Last summer Lavabit was ordered to provide real-time email monitoring of the anonymous user. It responded by telling the federal authorities that it could only do so by following an internal process that would take a period of 60 days from when the request was made.

The federal government obviously weren’t prepared to wait that long and returned with a search warrant which allowed them to grab all of the company’s SSL keys, giving them the ability to potentially decrypt the traffic of all 410,000 Lavabit users, not just the one individual it had professed an interest in.

Lavabit’s CEO, Ladar Levison, compelled to hand over the five SSL private keys, did so in printed form, using a 4-point font spread across 11 pages. Law enforcement were not chuffed.

After handing the keys over, Levison promptly shut his 10-year-old business down in August in order to protect customers’ data. Commenting at the time, he said:

This experience has taught me one very important lesson – without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.

During yesterday’s hearing, Lavabit and federal prosecutors each presented oral arguments to a panel of three judges at the 4th US Circuit Court of Appeals in Richmond, Virginia.

Judges Agee, Gregory and Niemeyer heard, and questioned, arguments from both sides though they seemed keen to focus on the specifics of why Lavabit failed to comply with a court order to hand over data on a specific user, rather than the broader question posed by Lavabit as to what else the government may do with the keys.

Judge Paul Niemeyer commented that the issue surrounding the use of those keys had been “blown out of proportion with all these contentions” of what the FBI may do with them.

Curiously, PC World reports that he also said, “There’s such a willingness to believe” that the keys will be misused and that “the government will spy on everyone”, which I find to be somewhat ironic considering that the powers-that-be actually seem to be rather keen on doing exactly that lately.

Judge Gregory, however, pointed out that “the encryption issue was a red herring” and that the case should actually be focused upon Lavabit’s non-compliance to a court order.

PC World also reports that US attorney Andrew Peterson, on behalf of the government, contended that “any trust between Lavabit and the government had broken down” and that the company appeared to view court orders not so much as a legal requirement but more like contract negotiations.

Now that all of the appeal arguments have been heard, the court could read its verdict at any time, though no date has been set yet. If Lavabit triumph, Levison said that the service will be resurrected.

In the meantime, the BBC speculate that the verdict could have far-reaching consequences upon secure communications in the future, quoting Brian Hauss, Legal Fellow for the American Civil Liberties Union (ACLU). Hauss said:

This case is about protecting the encryption architecture that underwrites the security of the internet.

That architecture depends on SSL [Secure Sockets Layer] encryption and SSL encryption depends on the continued privacy of the private keys of the companies that use that encryption.

If the court does not find in Lavabit’s favour, technology companies will look for new ways to protect user data.

Follow @Security_FAQs
Follow @NakedSecurity

Image of encrypted key courtesy of Shutterstock.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qQoSJhfXAx0/