Mon October 7, 2013
Why Did Lavabit Founder Shut Down His Company?
Originally published on Mon October 7, 2013 5:50 pm
ROBERT SIEGEL, HOST:
This is ALL THINGS CONSIDERED from NPR News. I'm Robert Siegel.
MELISSA BLOCK, HOST:
I'm Melissa Block and it's time for All Tech Considered.
(SOUNDBITE OF THEME MUSIC)
BLOCK: Our focus today is on two services designed to keep Internet communications private and the National Security Agency's efforts to crack them. In a few minutes we'll hear about Tor, software that keeps people anonymous online. First, we're going to talk with the founder of an encrypted email service, called Lavabit, a system much more secure than regular email such as Gmail or Yahoo.
Lavabit was used by NSA leaker Edward Snowden. And in August, as the FBI pursued those leaks, Lavabit founder Ladar Levison shut down his company. He did so in the face of a government demand that he turn over the encryption keys and computer code that would unlock the data of his 400,000 customers. Levison said in a statement at the time that he would not become complicit in crimes against the American people.
Ladar Levison joins me from New York. Welcome to the program.
LADAR LEVISON: Hi, Melissa. Thank you for having me.
BLOCK: And we should explain that before this, you were subject to a gag order. But now, some federal court documents have been unsealed and you're free to talk. Is that right?
LEVISON: Yes, and I think the most important piece has finally come out - just exactly what the government was asking for. And that was my private SSL encryption key.
BLOCK: SSL encryption key, which would have done what?
LEVISON: SSL is - the easiest way to describe it, it's lock in your browser that secures e-commerce transactions. But it does more than that. It secures email as it traverses the Internet. It also authenticates a person's identity, so that they know they're talking to their bank or they know they're talking to my particular service. And what they wanted to do was effectively unpeel the encryption that was protecting that information, intercept and examine it. And presumably, only record the information for the one suspect.
But they were also completely unwilling to provide any transparency back to me or any type of assurance that would be the only information they were collecting.
BLOCK: Well, prosecutors argued before the judge that the metadata stream would be filtered, right? So only the one client that they were looking at would be targeted. They said no one has access to the other information. And the judge said, well, I think that's reasonable. Why is he wrong?
LEVISON: Because they didn't know which incoming connections were going to belong to the particular user. They were going to have to decrypt everyone's incoming connections and monitor them until they came across the username and password associated with the account. And then make a decision whether or not to continue recording or drop.
And if they had been willing to prove that that's what they were doing, I could've lived with them putting a device on my network and giving them the keys. But they absolutely refused. And I was completely uncomfortable with them having that level of access and losing control of my keys in that way, if they weren't going to provide transparency back to me.
BLOCK: Do you recognize, though, that the government might have legitimate legal grounds for requesting encryption keys in cases - in systems like yours that are encrypted?
LEVISON: Yeah, certainly. I mean, the government has a need to conduct surveillance on criminals. But it should be targeted. What I'm opposed to is the broad based surveillance, the type of surveillance that violates the privacy rights of the many. And that's what was at stake here.
Here was a system that was effectively secure and they wanted to crack it open with a sledgehammer, just so that they could conduct surveillance on one person.
BLOCK: Why did you decide to shut down Lavabit without giving any notice to your clients?
LEVISON: I had decided from the very beginning, as soon as I heard the request for the SSL keys, that if I was forced to surrender them and remain silent, I felt the only ethical choice would be to shut down the service. I had heard that other services like mine had threatened to shut down and were ordered via the courts to remain open, to remain in business. So I feared that if I gave any kind of warning that I might shut down the service as a result of this, I would receive a similar order. And if I had, and I'd still shut down the service, I would probably be sitting in jail right now.
BLOCK: I've seen emails from a number of your customers who were quite angered by the fact that you shut down butt they were not given any notice and the rug was pulled out from under them.
LEVISON: I'm in the same boat as them. I've used my Lavabit email account for 10 years. It was my only email account. I'm now without email access. So I feel their pain. And I'm still holding out hope that one day I'll get my inbox back.
BLOCK: Ladar Levison is founder of the now-shuttered encrypted email service, Lavabit. Mr. Levison, thanks.
LEVISON: Thank you for having me. Transcript provided by NPR, Copyright NPR.