This week I had the privilege of being present at a discussion with Ladar Levison at a meeting of the North American Network Operators’ Group (NANOG), his first public appearance since the court documents related to his fight with the FBI were made public.
For those not familiar with the case, Levison is the owner of Lavabit, a web-based email service designed to be secure against eavesdropping, even by the site’s operator. On August 8th this year he suddenly closed the service, posting an oblique message on the front page of the Lavabit website. The message explained only that he had closed the service because he had been left with a choice to “become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit.”
There has been much speculation over the last couple of months that he had closed the service over a subpoena related to Edward Snowden’s use of the service, and that an attached gag order similar to those attached to National Security Letters (which were found to be unconstitutional in 2004) prevented him from speaking out about it.
Much of that speculation was confirmed last week when the courts unsealed the documents relating to Levison’s appeal of a July 16th court order, which required him to turn over cryptographic keys that would allow the FBI to spy on all of the service’s traffic, not just the information specific to Snowden’s use of the service, which was specified in the original warrant. Wired Magazine published an article last week with most of the known details of the case, so I won’t go into much more detail about that.
What I’d like to highlight is the danger to information security, consumer confidence, and the technological economy as a whole, should Levison lose his fight with the FBI. The keys being requested by the FBI would allow them access not only to all of the information related to the individual targeted by their warrant, but also to every other customer’s data, and to the data of the business itself. This is highly reminiscent of recent revelations regarding the NSA and the scope of their data collection. If that sort of wide net is supported by the courts, the fight for any kind of personal privacy will be lost, and consumers will never be able to trust any company with ties to the United States with any data at all.
This isn’t just a problem in the United States. Many of our online services eventually have dependencies on US companies. In Canada, a huge percentage of our network traffic crosses into the US in order to cross the continent rather than remaining in Canada when moving between cities. In other countries consumers rely on some of the more obvious US-based services (Facebook, Twitter, Google), but many other services also have less obvious dependencies, such as being hosted in US-based data centres or on so-called “cloud” services with ties to the US.
As Andrew Sullivan comments during the Q&A, overreaching orders such as these are an attack on the network, as surely as any criminal trying to break a network’s security. Our personal privacy and the security technologies that guarantee it face attacks by those who want easy access to everyone’s information, under the pretence of protecting the very people whose privacy is being violated. It is vitally important that other business owners, like Levison, step up and fight orders such as these, so that a real public debate can happen over whether we feel personal privacy and personal freedoms still trump the government’s desire to have it easy.
At this point it is impossible to know whether any similar services have been compromised in the way the FBI has attempted with Lavabit. I applaud the principled stance Levison is taking against this intrusion, and hope that, should I ever be in a similar position, I would have the strength to endure the long fight necessary to see it through.