San Francisco - Federal law enforcement officers compromised the backbone of the Internet and violated the Fourth Amendment when they demanded private encryption keys from the email provider Lavabit, the Electronic Frontier Foundation (EFF) argues in a brief submitted Thursday afternoon to the US Court of Appeals for the Fourth Circuit. In the amicus brief, EFF asks the panel to overturn a contempt-of-court finding against Lavabit and its owner Ladar Levison for resisting a government subpoena and search warrant that would have put the private communications and data of Lavabit's 400,000 customers at risk of exposure to the government.
For nearly two decades, secure Internet communication has relied on HTTPS, an encryption system in which there are two keys: a public key that anyone can use to encrypt communications to a service provider, and a private key that only the service provider can use to decrypt the messages.
In July, the Department of Justice demanded Lavabit's private key—first with a subpoena, then with a search warrant. Although the government was investigating a single user, having access to the private key means the government would have the power to read all of Lavabit's customers' communications. The target of the investigation has not been named, but journalists have noted that the requests came shortly after reports that NSA whistleblower Edward Snowden used a Lavabit email account to communicate.
"Obtaining a warrant for a service's private key is no different than obtaining a warrant to search all the houses in a city to find the papers of one suspect," EFF Senior Staff Attorney Jennifer Lynch said. "This case represents an unprecedented use of subpoena power, with the government claiming it can compel a disclosure that would, in one fell swoop, expose the communications of every single one of Lavabit's users to government scrutiny."
EFF's concerns reach beyond this individual case, since HTTPS is employed almost universally over the Internet, including in commercial, medical and financial transactions, all of which depend on its integrity.
"When a private key has been discovered or disclosed to another party, all users' past and future communications are compromised," EFF Staff Technologist Dan Auerbach said. "If this was Facebook's private key, having it would mean unfettered access to the personal information of 20 percent of the earth's population. A private key not only protects communications on a given service; it also protects passwords, credit card information and a user's search engine query terms."
Initially, Levison resisted the government request. In response, a district court found Lavabit in contempt of court and levied a $5,000-per-day fine until the company complied. After Levison was forced to turn over Lavabit's key, the certificate authority GoDaddy revoked the key per standard protocol, rendering the secure site effectively unavailable to users.
Since Lavabit's business model is founded on protecting privacy, Levison shut down the service when it could no longer guarantee security to its customers.
"The government's request to Lavabit not only disrupts the security model on which the Internet depends, but also violates our Constitutional protections against unreasonable searches and seizures," EFF Staff Attorney Hanni Fakhoury said. "By effectively destroying Lavabit's legitimate business model when it complied with the subpoena, the action was unreasonably burdensome and violated the Fourth Amendment."
The deadline for the government's response brief is Nov. 12, 2013.
For EFF's full amicus brief:
Electronic Frontier Foundation