Get Your Own Private Key – If You Can
Last summer, the government demanded that Lavabit, an encrypted email provider, turn over private decryption keys so the government could conduct real-time e-mail monitoring of a specific Lavabit user. All concerned assume that the user in issue was Edward Snowden. Instead of turning over the private SSL keys demanded by the government, Lavabit owner Ladar Levison chose to shut down the company. He did so because the keys would have allowed the government to monitor all of Lavabit’s users, not just Snowden. The district court held Levison in contempt of court for refusing to turn over the keys.
Last week, a federal appeals court upheld the contempt order. The appeals decision was based purely on procedural grounds: Lavabit didn’t properly “preserve” its challenge to the order during the district court proceedings. Because of Lavabit’s procedural mistake, the court unfortunately did not reach the substantive issue whether the federal government overreached its statutory authority when it demanded the private keys for Lavabit customers’ encrypted email.
The substantive debate relates to whether the “technical assistance” required by the United States “pen register” and “trap and trace” statute can be used to require a service provider to hand over encryption keys to US authorities. The information and technical assistance required by the statute is to “install” the device, “unobtrusively” and “without interference.” We believe that nothing in the statute says the provider can be compelled to also turn over private keys that will allow law enforcement to decrypt so it can actually interpret the information.
Both the “pen register” and “trap and trace” laws were written to allow the government to obtain “metadata” for a single, identified user. In Lavabit’s case, however, the private keys exposed the communications for its entire user base – not a single user. Further – even though the order in Lavabit’s case and the statute both expressly limited the information the government was allowed to capture to only “non-content” “metadata” and only for Snowden – if Lavabit had handed over the keys in issue the government would have had free access to all email content, along with usernames, passwords, and other sensitive information for every Lavabit user.
This is an increasingly recurrent theme: the government claims it is not capturing content, and its demands for metadata are specific to discreet individuals, but when the truth comes out it becomes clear they are getting (or want to get) the actual content of private communications sent to and from many innocent and law-abiding citizens who have no involvement whatsoever in anything related to national security. The government then claims they discard all the “unauthorized” information they gather, but it is more likely that they actually “discard” it by sending it to their “recycle bin” in Utah, which they conveniently forget to ever “empty.”
This issue will inevitably arise again in the future, in a case where the substantive dispute is preserved. Meanwhile, we strongly suggest whenever possible you use a service provider that supplies you with your own personally held unique private key that the provider does not itself maintain. That way the service provider cannot be compelled to secretly help to the government unencrypt your personal and private information. If the government wants your property, they will have to come to you and you will be able to challenge the demand.