By Angelique Carson, CIPP/US

Ladar Levison remembers June 28 pretty well. Temperatures reached 108 degrees in Dallas, TX, and Sandra Bullock’s The Heat was released nationwide. But Levison was feeling a different kind of heat that day when the FBI showed up unannounced at his Dallas apartment and told him they wanted access to his company’s computer system—a system he’d designed specifically to protect his customers from the threat of surveillance.

Levison is the founder of Lavabit, a now-defunct e-mail provider that allowed its users—including Edward Snowden, it’s been highly rumored—to send fully encrypted messages.

“When I set about to create Lavabit on day one, it was not to be a service focused on privacy,” Levison said. “That really developed in the first few months, when all the revelations were hitting the media about the NSA, and I started thinking about the tenuous position they were putting service providers in, and I decided I didn’t want to be put in that position.”

But on that day in June, agents came armed with a “pen register/trap-and-trace” device order, historically used to trace numbers dialed on a telephone. In 1979, the Supreme Court ruled that because a user knowingly exposes a phone number to a phone company when dialing and the phone company may monitor the call for billing, numbers do not enjoy privacy protections under the Fourth Amendment—though the content of the conversation does. Congress later passed the Pen Register Statute to regulate the use of such surveillance devices, requiring police to get a warrant to conduct a trap.

Why does that matter? Because it doesn’t just apply to phone communications anymore. Under the USA PATRIOT Act, the government can use pen/trap orders to intercept Internet communications via an Internet service or e-mail provider.

And that’s exactly what the FBI wanted to do, Levison said.

“Of course, (the agents) didn’t have the order with them. It arrived on their Blackberry a few minutes after they arrived at my door, and they forwarded it to me via e-mail,” Levison recalled. “But during the next two-plus-hour conversation, I had to rely upon them to tell me what it said.”

What it said, the agents told him, was that the order gave them the right to collect Lavabit’s metadata, including user logins, passwords and message content.

“I didn’t realize until I got a lawyer involved almost two weeks later that a pen register/trap and trace order only gives them the ability to collect meta-information and not content,” Levison said. “That’s a really important distinction, because that’s not the way they presented it.”

The FBI abstained from responding to this allegation when contacted by The Privacy Advisor.

The information the FBI said it wanted would, in a typical system, be kept in log files. But because Levison’s model was based on trust and privacy, he didn’t even keep those records. They would need Levison’s SSL keys—the keys that would unlock all of the information Levison’s business promised to protect. While the FBI said it only wanted login and logout dates and times and the originating IP address, with SSL keys agents could also unlock user identity and passwords to decrypt the content of their messages.

At that point in his impromptu meeting with the agents, Levison, a political science major with an info-security background and a self-described “stubborn SOB,” said he would need to consult an attorney first.

“They almost seemed surprised and offended when I refused,” he said. “Because all I could imagine is that most small companies in my condition would bend over backwards to cooperate with the FBI because they don’t want to get arrested. But it’s just the way I’m wired. I’ve worked in that space a lot protecting financial documents and financial information, so the prospect of turning over SSL keys just did not sit well with me. And because of my background in political science, I understood what my rights were and how to fight this kind of demand.”

That’s when the FBI agents left his apartment and immediately asked a judge to issue an order to compel, meaning he had to provide “all the technical assistance necessary to install the trap and trace” device.

“I was willing, but I was telling them they weren’t going to get login information and they weren’t going to get that much content,” Levison said. “Up until that point, they had been really hesitant to put a request for SSL keys in writing. It would be like saying ‘technical assistance’ meant giving them the administrative passwords to all my systems—because that’s essentially what they were asking for.”

Next, Levison was issued a summons to appear in a DC court and fined $10,000 for being in contempt of court. He searched frantically for a lawyer, but even having lunch with one to describe the case would cost more than he could afford. So he showed up in a DC court and represented himself—forced to give up the SSL keys.

“As soon as that gavel fell, I was served a search warrant,” he said.

And then he made headlines.

“I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit,” Levison wrote on the company’s homepage. Adding that he was legally forbidden from sharing the reasons behind his decision, he shared a lesson he’d learned during his ordeal: that without “Congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”

The media picked up quickly on the story, perhaps because it was such an abrupt and radical move, or perhaps because Levison seemed to be in a league of his own, fighting the U.S. government in a way even tech giants seemingly hadn’t when approached for data on users. But in the end, Levison said, shutting down wasn’t really a choice.

“I had advertised my system as being secure and private because that was the focus of my service. If it came out that I had turned over the SSL keys, I would have gone out of business anyways,” he said. “Not to mention I was having serious stress-related issues with the ethical implications of what was going on. I had asked them to prove to me that meta-information was the only information they were collecting, and I would go along with that. And they couldn’t do that, in fact they were unwilling to. And I’m left with the only possible conclusion being that they wanted to collect more than they were authorized to.”

Today, Levison is fighting the court’s contempt charge against him, claiming the initial search warrant and subpoena were illegal and unconstitutional. He’s hoping his case will set a precedent that the government can’t demand a tool so essential to a company’s privacy and security as its SSL keys.

The U.S. Attorney General’s office did not return calls requesting comment.

Levison again made headlines recently when he announced a partnership with the founder of now-defunct Silent Circle, another e-mail encryption service. The two met by chance at an event last month and decided there was enough media hype around the self-imposed shutdown of each of their services that they could together create a new business venture that “wouldn’t allow service providers to be put in a position of compromising their users’ privacy anymore.”

Dark Mail, as it’s called, will focus on security from end-to-end and prevent third parties from being able to conduct surveillance—at the service-provider level—in secret. It will encrypt the contents of a message on a user’s device in a way that it couldn’t be decrypted until it reached the receiver’s device.

“What I am trying to accomplish with my new venture is what I was trying to accomplish with Lavabit to begin with, and that is to move surveillance back to the individual instead of the service provider,” Levison said. “That’s the way our Constitution intended it to be. There’s a reason surveillance was supposed to be difficult, and that was to protect the privacy of the society. I believe that, and I designed my business along those principles.”

As it stands now, those principles cost Levison the company he spent 10 years developing and a $10,000 fine. He’s hoping the court decides, at the end of his pending case, that the same thing can’t happen to the next guy.
