Snowden's email provider gave crypto keys to FBI – on paper printouts

[Jeffrey Walton <noloader () gmail com>]

It appears the FBI wanted every key to every customer in the company.
(Thanks to IG on another list).

http://www.theregister.co.uk/2013/10/03/lavabit_snowden_investigation_details/

The former operator of a secure email service once used by NSA leaker
Edward Snowden has been fined $10,000 for failing to give federal
agents access to his customers' accounts, newly released court
documents show.

In August, Ladar Levinson shut down Lavabit, his security-minded email
business, rather than comply with government demands that he claimed
would have made him "complicit in crimes against the American people."

At the time, a gag order prevented him from discussing the details of
his situation. But court documents unsealed on Wednesday reveal that
the FBI wanted Levinson to hand over encryption keys that would have
given federal agents "real time" access to not just Snowden's account,
but the accounts of all 40,000 of Lavabit's customers.

To Levinson, that was going too far. "You don't need to bug an entire
city to bug one guy's phone calls," he told The New York Times. "In my
case, they wanted to break open the entire box just to get to one
connection."

Levinson claims he had complied with legal surveillance requests in
the past, and that he proposed logging and decrypting just Snowden's
communications and uploading them to a government server once per day.

But the FBI said that wasn't enough. It wanted access to the private
SSL certificates used to encrypt all traffic on Lavabit, which
Levinson says would have given agents up-to-the-minute access to the
emails of every Lavabit user. In July it produced a federal warrant
ordering Levinson to turn them over.

Prosecutors claim that monitoring Snowden was the only goal and that
spying on Lavabit's other users was never part of the plan. "There's
no agents looking through the 400,000 other bits of information,
customers, whatever," one said during a hearing in August. But
Levinson still balked.

He certainly deserves credit for his pluck. Levinson complied with the
letter of the order, but he delivered the encryption keys as strings
of numbers printed out on paper, rather than as electronic files.
What's more, he intentionally printed them in a font designed to be
hard to scan, one prosecutors described as "largely illegible."

Federal Judge Claude Hilton was not amused. He found Levinson in
contempt of court and levied a fine of $5,000 per day until the keys
were provided in electronic form.

Levinson held out for two days but finally relented, only to shut down
Lavabit at the same time he gave up the certificates – a move a
prosecutor later described as "just short of a criminal act."

Levinson now says he hopes to one day revive his business, which he
founded in 2004 and had been operating as a full-time job since 2010.
But he also wants to make the public aware of what happened to him and
the potential pitfalls for other businesses in the face of unchecked
government surveillance.

"How as a small business do you hire the lawyers to appeal this and
change public opinion to get the laws changed," Levinson told the NYT,
"when Congress doesn't even know what is going on?"

At least one Congressman has sided with Levinson, however.
Libertarian-leaning Rand Paul, the Republican junior senator for
Kentucky, has urged voters to sign a petition against NSA spying and
to donate to Campaign for Liberty, a conservative pressure group that
has agreed to help fund Levinson's legal defense.

"Even though he's lost his main source of income, Ladar Levison is
fighting back," Paul wrote in a statement. "I believe his legal battle
is a key part in our shared fight to restore our Fourth Amendment
freedoms."
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.