How Lavabit Will Win on Appeal

There’s something missing from the arguments being set forth in the Lavabit appeal, and I think it opens a gaping hole in the government’s case. This case actually isn’t about encryption keys at all, and I think refocusing the argument will give the appeals court the “out” they’re looking for to decide in Lavabit’s favor without actually deciding the issue of whether the government can compel production of SSL keys.

Did you know that Levison actually offered to deploy the targeted intercept functionality that the government requested, rapidly, and at a very reasonable cost, in such a way that would not require turning over encryption keys?

First, let’s go back to the timeline. The original pen register order came in on June 28, 2013. There were several conference calls and meetings that followed between Lavabit and the FBI, including agents showing up at Ladar Levison’s house. The government got an Order to Show Cause issued on July 9 which required him to appear before the court July 16 to discuss the matter of complying with the original pen register order.

On July 13, Levison made an offer to develop and deploy data collection software, and provide the data to the government after 60 days, which was the duration of the original pen register order. He offered to complete the work for $2000, plus an additional $1500 if the government wanted the data in daily scp dumps:

In light of the conference call on July 10th and after subsequently reviewing the requirements of the June 28th order I now believe it would be possible to capture the required data ourselves and provide it to the FBI. Specifically the information we’d collect is the login and subsequent logout date and time, the IP address used to connect to the subject email account and the following non-content headers (if present) from any future emails sent or received using the subject account. The headers I currently plan to collect are: To, Cc, From, Date, Reply-To, Sender, Received, Return-Path, Apparently-To and Alternate-Recipient. Note that additional header fields could be captured if provided in advance of my implementation effort.

$2,000 in compensation would be required to cover the cost of the development time and equipment necessary to implement my solution. The data would then be collected manually and provided at the conclusion of the 60 day period required by the Order. I may be able to provide the collected data intermittently during the collection period but only as my schedule allows. If the FBI would like to receive the collected information more frequently I would require an additional $1,500 in compensation. The additional money would be needed to cover the costs associated with automating the log collection from different servers and uploading it to an FBI server via “scp” on a daily basis. The money would also cover the cost of adding the process to our automated monitoring system so that I would be notified automatically if any problems appeared.

Ladar Levison, July 13th, Email to the FBI
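
The collection scope described in the email above, sketched as an added example (not Levison's or Lavabit's code): an allow-list filter that keeps only the named non-content headers for one account's mail and drops the Subject, the body and every other user's messages. The function names, the sample messages and the header-based account matching are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Header names listed in the July 13 email.
NON_CONTENT_HEADERS = ("To", "Cc", "From", "Date", "Reply-To", "Sender",
                       "Received", "Return-Path", "Apparently-To",
                       "Alternate-Recipient")
# Assumption: match on address headers (a real server would key on the mailbox).
ADDRESS_HEADERS = ("To", "Cc", "From", "Reply-To", "Sender", "Apparently-To")

# Constructed sample messages (not real traffic).
SAMPLE_TARGET = """\
Return-Path: <alice@example.org>
Received: from mx.example.org (mx.example.org [192.0.2.10])
 by mail.example.net; Mon, 15 Jul 2013 10:00:00 -0500
Received: from laptop (laptop [198.51.100.7])
 by mx.example.org; Mon, 15 Jul 2013 09:59:58 -0500
From: Alice <alice@example.org>
To: subject@example.net
Cc: bob@example.org
Date: Mon, 15 Jul 2013 09:59:57 -0500
Subject: constructed subject line

constructed body text
"""
SAMPLE_OTHER = """\
From: carol@example.net
To: dave@example.org
Subject: another user's mail

constructed body text
"""

def involves_subject(msg, subject_account):
    """True if the subject account appears in any address header."""
    values = [str(v) for h in ADDRESS_HEADERS for v in msg.get_all(h, [])]
    addrs = {addr.lower() for _, addr in getaddresses(values)}
    return subject_account.lower() in addrs

def pen_register_record(raw_message, subject_account):
    """Allow-listed headers for the subject's mail, None for anyone else's."""
    msg = message_from_string(raw_message)
    if not involves_subject(msg, subject_account):
        return None
    # Subject, body and unlisted headers are never copied into the record.
    return [(name, " ".join(str(value).split()))  # unfold folded headers
            for name in NON_CONTENT_HEADERS
            for value in msg.get_all(name, [])]
```
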

What did the government say in response? Apparently, they couldn’t afford it.

But as far as I can tell… that right there was Lavabit complying with the pen register order. The appeals court can neatly avoid the entire decryption key argument by simply pointing out the FBI declined Levison’s offer to deploy a fully functional pen register, and order them to pay the $3500.

That the FBI would decide they should waste 3-4 orders of magnitude more money fighting to install their black box hardware and obtain encryption keys, in light of the good faith offer from Levison to drop everything and code up the functionality for a measly $3500… is to me evidence enough of their true purpose and intent – to vacuum up the entirety of Lavabit’s customers’ data, and ship it back to Langley in real-time.

When Lavabit went back to court on August 1, it was made perfectly clear they offered to add the additional logging required, even while the government attorney apparently claimed otherwise.

The exchange between The Court and Lavabit’s attorney Mr. Binnall is beyond shocking…

MR BINNALL: I think that the least restrictive means possible here is that the government essentially pay the reasonable expenses, meaning in this case my client’s extensive labor costs to be capped at a reasonable amount.
THE COURT: Has the government ever done that in one of these pen register cases?
MR BINNALL: Not that I’ve found, Your Honor.
THE COURT: I don’t think so. I’ve never known of one.
MR BINNALL: And Your Honor’s certainly seen more of these than I have.
THE COURT: So would it be reasonable to start now with your client?
MR BINNALL: I think everyone would agree that this is an unusual case. And that this case, in order to protect the privacy of 400,000-plus other users, some sort of relatively small manner in which to create a log system for this one user to give the government the metadata that they’re looking for is the least restrictive means here, and we can do that in a way that doesn’t compromise the security keys. This is actually a way that my client —
THE COURT: You want to do it in a way that the government has to trust you —
MR BINNALL: Yes, Your Honor.
THE COURT: — to come up with the right data.
MR BINNALL: That’s correct, Your Honor.
THE COURT: And you won’t trust the government. So why would the government trust you?
MR BINNALL: Your Honor, because that’s what the basis of Fourth Amendment law says is more acceptable, is that the government is the entity that you really need the checks and balances on.

United States District Court, Judge Hilton Presiding, August 1

It goes on for several more pages; you can see the full transcript.

After Judge Hilton mistakenly conflates Lavabit and its 400,000 lawful users with the person being investigated, Mr. Binnall corrects him, and then concludes by saying it would take 20 to 40 hours for Lavabit to implement the logging and have it up and running in a week and a half, and faster if possible. It might have been nice for Mr. Binnall to point out that the same offer was made 19 days prior and the system could have already been up and running, but it becomes obvious Judge Hilton isn’t really listening.

When they get around to hearing the government’s response, Judge Hilton licks it up without a second thought:

THE COURT: Let me hear from Mr. Trump. Is there some way we can work this out or something that I can do with an order that will help this or what?

MR TRUMP: I don’t believe so, Your Honor, because you’ve already articulated the reason why is that anything done by Mr. Levison in terms of writing code or whatever, we have to trust Mr. Levison that we have gotten the information that we were entitled to get since June 28th. He’s had every opportunity to propose solutions to come up with ways to address his concerns and he simply hasn’t.

We can assure the Court that the way that this would operate, while the metadata stream would be captured by a device, the device does not download, does not store, no one looks at it. It filters everything, and at the back end of the filter, we get what we’re required to get under the order. So there’s no agents looking through the 400,000 other bits of information, customers, whatever. No one looks at that, no one stores it, no one has access to it. All we’re going to look at and all we’re going to keep is what is called for under the pen register order, and that’s all we’re asking this Court to do.

THE COURT: All right. Well, I think that’s reasonable.

And there it goes. So much for three branches of government, checks and balances, and that sort of thing. It seems beyond strange that a service provider wouldn’t be trusted to provide meta-data in response to pen register, lawful intercept, or “CALEA” type requests. Google, Facebook, and the like obviously are able to implement these front-end systems to deliver meta-data, why would Lavabit not be afforded the same opportunity and instead be forced to open their whole network?

It’s hard to know exactly where the Government’s priorities lie in this case. If it’s about getting the wiretap, then they sure as hell could have done a better job working Levison. If their goal was to obtain actionable data on Snowden, well they screwed that up badly. I think you have to assume that this is a battle the Government went looking for, and that it’s a battle they think they can win. I don’t like to provoke the idea of a Government with this capability.

One somewhat baffling thing to me is why didn’t Levison code up the functionality and start issuing data dumps unilaterally? As soon as the search warrant and subpoena arrive, as a business owner with 400,000 customers, you’re probably doing everything you can to stay out of jail and financial ruin at that point. Would it not have been prudent for Levison to walk into court being able to claim Lavabit is in full compliance with the pen register, and then let the Government try to argue otherwise? Perhaps by that point Levison had gone so far in setting the stage for a constitutional battle, part of him was ready to go all in.

If all the Government wants is the lawful intercept, and they didn’t really want the keys, was demanding them just putting on the squeeze? Then where are all the other companies the Government tried this on in the past? The only thing that makes this case “unusual” is that Lavabit wasn’t already collecting the logs the Government was asking for. It’s completely customary for the company with the logs to be responsible for actually delivering those logs. Obviously that means the Government regularly trusts those same companies to effectively collect those logs, and deliver them in their entirety.

This makes the entire August 1 court transcript extremely frustrating to read, and it is hard to decipher what’s actually going on, other than a demonstration of gross incompetence on the part of the Government and the Judiciary. The law specifically provides for reasonable expenses to be paid, the customary solution is sitting right there for all to see, and the Judge is arguing the finer points of 4th Amendment law? Judge Judy would have told the Government to stop wasting everyone’s time and work amicably with Lavabit to get the logs.

Given that the FBI works with scores of companies on deploying targeted lawful intercept (e.g. Snapchat) why is Lavabit being treated differently? Typically when the CEO says, “let me stop everything and write and deploy that code for you” you would say “thank you” and stop beating them with your club. The only reasonable conclusion is that Lavabit shipping the logs isn’t acceptable to the Government because what the Government actually wants is the keys.

It would be really great to know if this is the first time they asked for SSL keys. That should be public knowledge if any of those cases have closed. A full accounting of when they request these keys, and how often they obtain them would be nice. It would also go a long way towards bringing some much needed transparency to the issue. This isn’t a secret NSA “capability”; this is a civilian process on US soil. Let’s hope that still means something.

So, TL;DR my prediction is that the appeals court avoids entirely the issue of decryption keys in light of the fact that Lavabit offered to provide the pen register with more than reasonable haste and economy, and if we’re lucky they will have some choice words for Judge Hilton in their ruling as well.