How the Owner of the Company That Handled Edward Snowden's Encrypted Emails Courageously Stood Up to the Feds' Massive Investigation
The whirlwind that turned Ladar Levison’s life upside down, gave him a possibly pivotal role in the Edward Snowden affair, and has since made him a hero to civil libertarians, began innocently enough in early June.
On June 6, U.K. Guardian reporter Glenn Greenwald unmasked the U.S. government’s secret spying on Internet users by first reporting that the National Security Agency was collecting phone records of millions of Verizon’s customers, despite NSA denials in Congress. On June 7, the Guardian and the Washington Post reported the NSA had an unknown program that tapped Internet giants including Google and Facebook, allowing it to collect data streams including emails, live chats and search histories.
The next day, President Obama defended the surveillance, but then the world met the whistleblower behind the largest expose of American spying in decades. On June 9, speaking from Hong Kong, Edward Snowden, 29, went public and said the NSA had gone too far. The U.S. government, meanwhile, went after Snowden, who disappeared the very next day, June 10—the same day Ladar Levison appeared in the FBI’s bulls eye.
For the next two months, Levison, a 32-year-old Texan who built a small, ultra-encrypted e-mail business called Lavabit, fought an isolated one-man battle with the government to protect his clients’ online privacy, including Snowden's. On June 10, a federal court secretly ordered Lavabit to give the FBI access to everything about Snowden’s email accounts—except, they said, the content of messages—to track and go after Snowden and his team. Levison kept the FBI at bay until early August, just released secret court documents reveal, long after Snowden landed in Moscow and got asylum.
The documents reveal a David and Goliath fight. The underdog—Levison—loses in the end, but not after illustrating the very point that Snowden’s whistleblowing warned about: that the U.S. government could spy on almost anyone via a digital dragnet. “You don’t need to bug an entire city to bug one guy’s phone calls,” Levison told theTimes. “They wanted to break open the entire box just to get to one connection.”
Tracking Snowden’s Email
Lavabit was a small email company known inside the technology world for asymmetric encryption, which it claimed could not be cracked by spy agencies. People logging onto accounts had to use a series of public and private keys—alpha-numeric sequences only known to each party. Wired.com reported that Snowden used a Lavabit email account to communicate with electronic privacy activists and journalists.
On June 10, Snowden went underground in Hong Kong after the FBI was rumored to have opened an investigation on him, the media reported at the time. It wasn’t a rumor. That day, in a sealed decision, the U.S. District Court for Eastern District of Virginia, ordered Lavabit to give the FBI all relevant information for an ongoing investigation. It sealed the court order because not doing so would give “targets an opportunity to flee or continue flight from prosecution, destroy or tamper with evidence, change patterns of behavior or notify confederates.”
The FBI apparently knew Snowden had a heavily encrypted email account at Lavabit, although the court documents don’t say how they knew that. The information the first of court orders sought, listed everything they could think of: names, addresses (electronic, residential, business), all phone records, session times and durations, Internet protocol (IP) addresses, phone and computer identifiers, and means of payment. In addition, the FBI wanted user activity records and identifying data for everyone he contacted.
At first, Levison ignored the court order. On June 23, Snowden surfaced in Moscow’s Sheremetyevo airport. Secretary of State John Kerry called him a fugitive and demanded his return. At the FBI, the agents tracking Snowden still wanted access to his emails.
They went before a federal court on June 28 and at 4pm that Friday, U.S. Magistrate Judge Teresa Buchanan ordered “a pen/trap device may be installed and used by Lavabit and the Federal Bureau of Investigation to capture all non-content dialing, routing, addressing, and signaling information” to record the times, date, duration, log-ins and IP data of the caller and recipient for 60 days. Lavabit was also ordered not to disclose the placement of the “pen/trap device.”
Lavabit had complied with search warrants in the past, such as in child abuse cases. But this time, when Levison was contacted by the FBI by email, he refused, the documents said. He claimed that the pen-trap device wouldn’t work on his secured email system. Then the legal memos and court orders started flying. U.S. Attorney Neil McBride filed a motion to compel Lavabit to comply with Buchanan’s order, under an obscure law called the Pen Register and Trap and Trace Act, saying it required companies to provide any technical assistance sought by the FBI to install the data trap. Levison replied that his system was designed in such a way that it would “not collect the relevant information.”
Several hours later, Judge Buchanan ordered Lavabit to give the FBI the unencrypted data and provide the agency whatever technical assistance was required. After signing the typed court order, which said failure to comply would “shall subject Lavabit to any penalty within the power of the court,” she scribbled at the bottom, “including the possibility of criminal contempt.”
Buchanan’s ruling gave the FBI license to lean hard on Levison. On July 9, the Justice Department’s prosecutors filed a motion to charge him with contempt of court. That motion describes what happened later that Friday night.
On June 28, 2013, FBI Special Agents met Mr. Levison at his residence in Dallas, Texas, and discussed the prior grand jury subpoena served on Lavabit LLC and the pen register order entered that day. Mr. Levison did not have a copy of the order when he spoke to the agents, but he received a copy from the FBI within a few minutes of their conversation. Mr. Levison told the agents that he would not comply with the pen register order and wanted to speak to an attorney. It was unclear whether Mr. Levison would not comply with the order because it was technically not feasible or it was not consistent with his business practice of providing secure, encrypted email service for his customers.
The motion said Levison should go before a federal grand jury to show why he should not be held in contempt. U.S. District Judge Claude Hilton signed an order on July 9 ordering Levison to appear on July 16 for that hearing in Alexandria, Virginia.
That next day, July 10, according to a memo filed by the prosecutors, Levison went to the FBI’s office in Dallas for a conference call, where his lawyer, on the phone from San Francisco, and the FBI’s technical specialists, discussed what the pen-trap would do and how it would work. Essentially, the FBI said it wanted so-called metadata—the who, when and where of Snowden's communications—but not the email contents.
The next day, July 11, Levison’s San Francisco attorney told the FBI she was no longer on the case. Levison then told the FBI he would not come to the July 16 court hearing unless the government paid his travel costs. On July 11, Levison, in Texas, was served with a subpoena to appear in the Virginia courtroom. Under federal law, the government reimburses travel costs for grand jury witnesses.
On July 12, Snowden emerged after three weeks of limbo at the Moscow airport and told reporters that he was seeking political asylum in Russia. That surprise announcement came after the U.S. effectively blocked his travel to Latin America where several countries had offered him refuge.
The next day, July 13, Levison emailed the FBI with a counter offer, the prosecutors said. Levison said that he would be able to “collect the data required by the pen register and provide that data to the government after 60 days (the period of the pen register order). For this service, Mr. Levison indicated that the government would have to pay him $2,000 for “developmental time and equipment” plus an additional $1500 “if the government wanted the data “more frequently” than after 60 days.” The FBI quickly replied no, saying that waiting 60 days was unacceptable, the DOJ memo seeking a contempt of court ruling said. The memo also called Lavabit’s fees “unreasonable.”
The next week, Levison showed up in federal court without an attorney.
When the grand jury hearing began on July 16, government lawyers immediately threw their weight around. The DOJ’s Jim Trump told the grand jury that earlier that day the FBI obtained a search warrant for Levison’s and Lavabit’s computers. It allowed the FBI to seize “all information” from Lavabit’s computers of the “encryption keys and SSL keys” of Snowden’s account, and “all necessary information,” and said the search warrant also were under seal—to be kept secret. The government said it would seek “no sanctions” against Levison if he complied.
Levison responded by first requesting that everything in the case that was “non-sensitive” be unsealed and made public. “It is important for the industry and people to understand what the government is requesting by demanding that I turn over these encryption keys to the entire service,” the hearing transcript said. The government objected, saying that would turn the case into a forum on federal surveillance including the WikiLeaks case. The judge agreed. Levison countered that the FBI wanted everything that he had.
“I have always agreed to installation of the pen register device,” he told the court. “I have only objected to turning over the SSL keys because that would compromise all of the secure communications in and out of my network.”
The judge was confused, the Grand Jury transcript showed, saying the only order before the court was the pen register device. The DOJ’s Trump said that without the encryption keys, that device could not read Snowden’s emails. “To facilitate the actual monitoring required by the pen register, the FBI also requires the encryption keys,” Trump said.
Levison told the court he would comply but was worried that the FBI would misuse the information they might obtain. The court told him he should hire a lawyer to discuss that issue—and to do it on another day. They scheduled a follow-up hearing on July 26to see if he would install the pen register. Meanwhile, the FBI had its search warrant.
A day before the scheduled hearing, Levison’s new lawyer, Jesse Binnall, filed a motion to quash the government’s subpeona and search warrant, saying it gave the FBI too much power to “rummage” through all his clients’ accounts, which violated the Constitution’s Fourth Amendment against undue search and seizures. Binnall also requested the court unseal the record, saying Levison’s free speech rights had been usurped.
Meanwhile, as the next grand jury hearing date approached, Snowden—as the American government had feared—was making plans for asylum in Russia and to leave the airport. Apparently, during all this time, according to the DOJ’s memos, the FBI still did not have access to Snowden’s Lavabit account.
The DOJ’s memo filed before that hearing again said that Levison had not complied with all of its wishes. But buried in it was a striking detail. Levison had met with the FBI and suggested they install the pen register on his Internet service provider’s servers. The FBI did that, but it still didn’t allow the government to track Snowden.
“It is clear that due to Lavabit’s encryption services, the pen-trap device is failing to capture data related to all of the emails sent to and from the account,” the DOJ’s legal memo said. “In this case, due to Lavabit’s use of SSL encryption and Lavabit’s lack of a software solution to implement the pen trap on behalf of the government, neither the government nor Mr. Levison have been able to identify such a solution.”
Translation: the government wanted the SSL key to Snowden’s account and couldn’t get it without Levison directly handing it over. The next grand jury hearing was delayed and held before U.S. District Judge Claude Hilton on August 1—the very day Snowden left Moscow’s airport after being granted asylum.
Snowden’s Complaint Echoed By Lavabit
At the August 1 hearing, Jesse Binnall, Levison’s lawyer, opened by telling the court that “the privacy” of Lavabit’s 400,000 users was at stake—essentially making the same claim that Snowden did about federal surveillance overreach. “There is a lack of any sort of check or balance to ensure that the encrypted data of other Lavabit users remain secure,” the lawyer said, according to the court transcript.
Binnall and Judge Hilton then went back and forth discussing how the FBI could get inside Snowden’s emails. Binnall said Levison could create software that would only allow the FBI to monitor Snowden’s account, but it would take a week or more and he had to be paid for that. Hilton asked if there was a precedent for that approach. When the DOJ’s turn came, Hilton asked Trump, “Is there some way we can work this out,” to which Trump replied no. “We have to trust Mr. Levison that we have gotten the information that we were entitled to get since June 28… There’s no agents looking through the 400,000 bits of information, customers, whatever.”
The federal judge then ordered Levison to turn over the encryption keys. He did so the next day, August 2, but in a way that more than angered the FBI.
Levison “gave the FBI a printout of what he represented to be the encryption keys,” a later DOJ memo seeking contempt sanctions said. “This printout, in what appears to be four-point type, consists of 11 pages of largely illegible characters.” Two days later, the FBI demanded an electronic copy of the encryption key be delivered on a CD by 5pm on August 6or he would face a $5,000 a day fine.
Judge Hilton signed the order on August 5. Two days later, Levison caved. He delivered the CD, shut down his business and sent an email apologizing to his customers. “I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly 10 years of hard work by shutting down Lavabit,” he wrote. “After significant soul searching, I have decided to suspend operations.”
Was it really soul-searching? The court records make it look more complicated. Ladar Levison waged a one-man battle against the federal government, and ultimately lost. He could see that coming. His defiance seemed to echo why Snowden said he became an NSA whistleblower. It also may have thwarted the FBI’s efforts at crucial moments when Levison's most famous customer was still using his encryption service.