Late last night, the ACLU and ACLU of Virginia filed an amicus brief urging a federal appeals court to overturn a contempt-of-court finding against Lavabit, the now-defunct secure email service provider. The company had been resisting a court order to hand over the private encryption keys relied on by the company’s 400,000 users to keep their information secure. (You can read our brief here, filed with the Fourth Circuit Court of Appeals in Richmond, Va.).
In the case, law enforcement agents conducting a criminal investigation of one of Lavabit’s customers (widely believed to be Edward Snowden) demanded that the company turn over its private encryption keys so that the government could monitor information associated with the suspect’s communications. Lavabit balked at the demand, pointing out that the keys protected all of the company’s customers, not just the target of the government’s investigation. But when the district court held Lavabit in contempt for refusing to give up its encryption keys and imposed a $5,000-a-day fine until the company complied, Lavabit had no choice but to turn the keys over to the government. The company’s founder, Ladar Levison, closed the company shortly thereafter, believing that Lavabit could not hold itself out as operating a secure email service after its private keys had been divulged. The company is now appealing the contempt finding. (You can read Lavabit’s brief here).
As we wrote in our brief, quoting a Supreme Court ruling:
The district court’s contempt holding should be reversed because the underlying orders requiring Lavabit to disclose its private keys imposed an unreasonable burden on the company. Although innocent third parties have a duty to assist law enforcement agents in their investigations, they also have a right not to be compelled “to render assistance without limitation regardless of the burden involved.” Balancing these interests, the Supreme Court has held that the courts may not impose unreasonable burdens in ordering third parties to assist in government investigations.
The Secure Sockets Layer (SSL) encryption technology Lavabit used to protect its communications wasn’t anything exotic. In fact, it’s built into every web browser and used by a large number of popular websites, from Google to American Express, to protect users’ sensitive information from cyber security threats. The technology is very effective, which is why it’s become the industry-standard — but it depends on companies’ ability to keep their private encryption keys secret.
As a society, we have a strong interest in encouraging the companies that handle our private information to prioritize cybersecurity, as Lavabit did over its ten years in business. The government destroyed that business when it ordered Lavabit to betray the trust of its 400,000 users by divulging the encryption keys used to protect their information. Although Lavabit offered to help the government obtain the information it needed about the one suspect without divulging the private encryption keys for everyone, the government refused the company’s proposed accommodation.
When the court ordered Lavabit to turn over its private encryption keys, it undermined the businesses and technologies we rely on to keep our information safe. Although the government undoubtedly has a legitimate interest in obtaining necessary assistance for its criminal investigations, there are limits on its power to dragoon innocent parties into its surveillance activities. In this case, the government exceeded those limits.
We hope the appeals court recognizes that the government overreached in its demand for Lavabit’s encryption keys and clears the company of its contempt — making it easier for other companies to fight such demands in the future.